Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
5
Replies

Alias on Pix 6.22, Here we go again....

jsteffensen
Level 1
Level 1

‎12-20-2002 06:58 AM - edited ‎02-20-2020 10:27 PM

Hi everybody.

I've been searching these forum-pages, and found a lot about alias, but I haven't been able to cover "my" senario:

Here is the point:

How do I configure the Pix, doing Alias when the "Public" DNS servers are located on a DMZ, with "Internal" IP adresses.

I am doing NAT to the outside, and would like the Pix to "fix up" the Internal IP adresses on the dns-servers to be shown as external IP-Adresses.

Again, the Internal IP adresses in the dns-servers (in DMZ) must be converted into external ip-adresses (outside) by the pix, when someone are doing DNS lookup from the Internet.

Hope you can help.

Greetings

Jarle

0 Helpful
5 Replies 5

tvanginneken
Level 4
Level 4

‎12-20-2002 07:22 AM

Hi,

have a look at this page:

http://www.cisco.com/warp/public/110/alias.html

It explains the use of the 'alias' command which is used for 'DNS Doctoring' and 'Destination NAT'.

If you have any more questions, don't hesitate to post them.

Kind Regards,

Tom

0 Helpful

jsteffensen
Level 1
Level 1
In response to tvanginneken

‎12-20-2002 08:34 AM

I guess, what i want to do is the DNS Doctoring.

But how do i do this on the outside Interface?

The Zones created on the DNS-Servers in DMZ contain the "real" internal IP addresses of the web and mail-servers (also in the same DMZ).

But these must be translated into the "Public" ip Adresses, when someone does a DNS Lookup from Internet.

The translations are done as following:

10.0.0.1 -> 195.141.1.1 =www.mydomain.com

10.0.0.2 -> 195.141.1.2 =smtp.mydomain.com

10.0.0.3 -> 195.141.1.3 = ns1.mydomain.com

10.0.0.4 -> 195.141.1.4 = ns2.mydomain.com

how should the alias command look like?

sysopt noproxyarp outside

alias (outside) 195.141.1.1 10.0.0.1 255.255.255.255

alias (outside) 195.141.1.2 10.0.0.2 255.255.255.255

alias (outside) 195.141.1.3 10.0.0.3 255.255.255.255

alias (outside) 195.141.1.4 10.0.0.4 255.255.255.255

Is this correct?

regards

Jarle

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to jsteffensen

‎12-20-2002 06:41 PM

Yep, that looks about right. The 2nd IP address in the alias command is the IP address that is actually in the DNS reply, which the PIX then changes to the 1st IP address.

Can't say I've ever tried it this way, but it should work.

0 Helpful

jsteffensen
Level 1
Level 1
In response to gfullage

‎12-31-2002 12:41 AM

Tanx again, but ....

it still does not work. I just tested it

(with the comman sysopt noproxyarp outside included).

Any other idea how it kould work?

Is it at supported what i'm trying to do?

0 Helpful

jsteffensen
Level 1
Level 1
In response to jsteffensen

‎12-31-2002 02:02 AM

Hi again

I've just been talking to TAC, and they have informed me that it is not possible to do DNS-Doctoring to the outside interface on the pix.

That means: This configuration is not possible, the DNS Servers has to be placed on the outside of the Pix or on a DMS without any Nat to the outside.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card