12-20-2002 06:58 AM - edited 02-20-2020 10:27 PM
Hi everybody.
I've been searching these forum pages, and found a lot about alias, but I haven't been able to cover "my" scenario:
Here is the point:
How do I configure the Pix, doing Alias when the "Public" DNS servers are located on a DMZ, with "Internal" IP addresses?
I am doing NAT to the outside, and would like the Pix to "fix up" the Internal IP addresses on the DNS servers to be shown as external IP addresses.
Again, the Internal IP addresses in the DNS servers (in DMZ) must be converted into external IP addresses (outside) by the Pix, when someone is doing a DNS lookup from the Internet.
Hope you can help.
Greetings
Jarle
12-20-2002 07:22 AM
Hi,
have a look at this page:
http://www.cisco.com/warp/public/110/alias.html
It explains the use of the 'alias' command which is used for 'DNS Doctoring' and 'Destination NAT'.
If you have any more questions, don't hesitate to post them.
Kind Regards,
Tom
12-20-2002 08:34 AM
I guess what I want to do is the DNS Doctoring.
But how do I do this on the outside Interface?
The Zones created on the DNS-Servers in DMZ contain the "real" internal IP addresses of the web and mail-servers (also in the same DMZ).
But these must be translated into the "Public" IP addresses when someone does a DNS Lookup from the Internet.
The translations are done as follows:
10.0.0.1 -> 195.141.1.1 = www.mydomain.com
10.0.0.2 -> 195.141.1.2 = smtp.mydomain.com
10.0.0.3 -> 195.141.1.3 = ns1.mydomain.com
10.0.0.4 -> 195.141.1.4 = ns2.mydomain.com
What should the alias command look like?
sysopt noproxyarp outside
alias (outside) 195.141.1.1 10.0.0.1 255.255.255.255
alias (outside) 195.141.1.2 10.0.0.2 255.255.255.255
alias (outside) 195.141.1.3 10.0.0.3 255.255.255.255
alias (outside) 195.141.1.4 10.0.0.4 255.255.255.255
Is this correct?
regards
Jarle
12-20-2002 06:41 PM
Yep, that looks about right. The 2nd IP address in the alias command is the IP address that is actually in the DNS reply, which the PIX then changes to the 1st IP address.
Can't say I've ever tried it this way, but it should work.
12-31-2002 12:41 AM
Thanks again, but ....
it still does not work. I just tested it
(with the command sysopt noproxyarp outside included).
Any other idea how it could work?
Is what I'm trying to do supported at all?
12-31-2002 02:02 AM
Hi again
I've just been talking to TAC, and they have informed me that it is not possible to do DNS-Doctoring to the outside interface on the pix.
That means: This configuration is not possible; the DNS Servers have to be placed on the outside of the Pix or on a DMZ without any NAT to the outside.
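
The rewrite this thread is after (the address found in the DNS reply replaced by its public counterpart), sketched in Python as an added example that is not part of the original posts and not Cisco's implementation. The function names and the sample reply are constructed for illustration; the address mapping is the one given in the thread. It also reports private addresses that would reach Internet clients unchanged.

```python
import ipaddress
import struct

# From the thread: address in the DMZ zone file -> public (NAT) address.
ALIASES = {"10.0.0.1": "195.141.1.1", "10.0.0.2": "195.141.1.2",
           "10.0.0.3": "195.141.1.3", "10.0.0.4": "195.141.1.4"}

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]              # step over one length-prefixed label
    return off + (2 if msg[off] else 1)  # 2-byte pointer or 1-byte root label

def a_rdata_offsets(msg):
    """Yield the offset of the 4-byte RDATA of every IN A record in a reply."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                  # question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):        # answer, authority, additional
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            yield off
        off += rdlen

def a_records(msg):  # A-record addresses a client would see in this reply
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in a_rdata_offsets(msg)]

def doctor_reply(msg, aliases=ALIASES):
    """Rewrite aliased A records; return (new_reply, private IPs left as-is)."""
    out, leaked = bytearray(msg), []
    for o in a_rdata_offsets(msg):
        addr = ipaddress.IPv4Address(msg[o:o + 4])
        if str(addr) in aliases:
            out[o:o + 4] = ipaddress.IPv4Address(aliases[str(addr)]).packed
        elif addr.is_private:            # would reach Internet clients unchanged
            leaked.append(str(addr))
    return bytes(out), leaked

def build_reply(name, addrs):
    """Constructed sample: authoritative reply with one A record per address."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, len(addrs), 0, 0) + qname
    msg += struct.pack("!2H", 1, 1)      # question: type A, class IN
    for a in addrs:                      # owner name is a pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
    return msg
```

Because an A record's RDATA is a fixed four bytes, the rewrite never changes the message length, so no length fields or compression pointers need adjusting.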