02-09-2005 11:07 PM - edited 02-20-2020 11:55 PM
Hi all,
I have a pix 501 ver 6.3(4), I need help migrating away from the now obsolete alias command.
The situation is like this:
I have two internal hosts, both with external addresses provided by PIX static commands. These hosts need to access certain IPs on the Internet as well as each other via their public/external IP addresses (btw, the nature of these hosts excludes the use of DNS as a workaround).
I have solved this dilemma with PIX alias (DNAT) commands for each host, which in turn presents a second problem: host1 attempts to establish a connection with host2 via host2's external address; this traffic is DNAT'd on the PIX inside interface (the traffic doesn't pass through the external interface, so the packets are not SNAT'd) and forwarded to host2. host2 then responds directly to host1 (they are on the same subnet), but the return traffic is dropped because, according to host1, the source address of host2's reply is incorrect (the reply source is host2's internal IP instead of the requested external IP). Now for something really ugly: to solve this issue I perform SNAT on host2's replies with an inline Linux server... this works, but the old alias command breaks the PDM and makes people pull ugly faces when I describe how it all comes together.
Searching the net I found rumors that there's a way to replace the alias command with "bi-directional" or "outside" nat but have yet to find an example of how to put this command together.
Please help.
02-15-2005 01:14 PM
In order to stop using the alias command you will need to add the "dns" keyword to your static commands. This works well as long as the DNS server that the inside users are configured to use is on the outside of the PIX: the dns keyword "fixes" the reply from the DNS server for that static translation. As an example, you would need to change the following static command:
static (inside,outside) 192.168.162.4 10.0.20.4 netmask 255.255.255.255 128 89
to: static (inside,outside) 192.168.162.4 10.0.20.4 DNS netmask 255.255.255.255 128 89
Also, you need to remove the corresponding alias command:
no alias (inside) 10.0.20.4 194.224.162.4 255.255.255.255
and then do a "clear xlate" for this to come into effect.
02-15-2005 03:31 PM
Yeah, I use that a lot, but for these two hosts DNS is not an option; they cannot use DNS. I need some kind of DNAT. Apparently this is done with "outside nat", at least that's what my PDM told me I should migrate to...
02-15-2005 04:10 PM
Are you sure this is how things are working? The reason I ask is that what you describe isn't what the PIX does: it can't send packets back out the interface they arrive on, so if host1 sends a packet to host2's external address, the PIX will not forward it back out the inside interface, no matter what sort of NAT or "alias" features you've configured.
The benefits of the alias feature for allowing internal hosts to communicate with each other are purely DNS effects. When the alias feature is correctly configured, the two inside hosts communicate with each other using their respective private (i.e. non-nat'd) addresses, which they learn because the PIX translates the DNS replies from the external DNS server so they contain the private addresses instead of the public addresses that are in the original DNS response. If you can't use DNS for some reason and must use the actual IP addresses, then the PIX cannot be made to do what you want.
A possible alternative may be to configure an additional "secondary" IP address on each host interface (most systems support this, though it's not often useful). If each host was configured with its registered address as a secondary address on its Ethernet interface, things might just magically work. It's possible you'll also have to add some static routes to each host, depending on the OS(es) involved.
Good luck, and let us know if you have more details that might be useful.
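Both replies above rest on the same mechanism: the "dns" keyword on a static (and, before it, the alias command) rewrites A records in DNS replies coming from an outside DNS server so that inside clients see the local address of a static translation rather than its global address. The following Python script is an added illustration of that rewrite, not PIX code and not from any poster; it constructs a small DNS reply in memory, applies a translation table modelled on the "static (inside,outside) 192.168.162.4 10.0.20.4 dns netmask ..." line in this thread, and reports which answers were doctored. The hostname and the second (untranslated) address are constructed sample values.

```python
import struct

# Constructed table of static translations, global_ip -> local_ip, modelled on
# the static command quoted in this thread. Only replies from a DNS server on
# the outside interface would be doctored by the PIX; this script just shows
# the rewrite itself.
STATIC_DNS = {"192.168.162.4": "10.0.20.4"}


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:              # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:    # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the rdata offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                                          # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4                # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A, 4-byte rdata
            yield off
        off += rdlen


def a_records(pkt):
    """List the A-record addresses in a DNS reply, in answer order."""
    return [".".join(str(b) for b in pkt[o:o + 4]) for o in _a_record_offsets(pkt)]


def doctor_dns_reply(pkt, statics):
    """Rewrite A records whose address is the global side of a static translation
    to the local side, as the PIX 'dns' keyword does for inside clients.
    Returns (rewritten_packet, [(global_ip, local_ip), ...])."""
    buf = bytearray(pkt)
    rewrites = []
    for off in _a_record_offsets(buf):
        global_ip = ".".join(str(b) for b in buf[off:off + 4])
        local_ip = statics.get(global_ip)
        if local_ip:
            buf[off:off + 4] = bytes(int(x) for x in local_ip.split("."))
            rewrites.append((global_ip, local_ip))
    return bytes(buf), rewrites


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_reply(name, ips, txid=0x1234):
    """Construct a standard DNS response with one question and one A record per ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # name is a pointer to offset 12 (the question name), TTL 300, 4 bytes rdata
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += bytes(int(x) for x in ip.split("."))
    return header + question + answers


if __name__ == "__main__":
    # Constructed reply: one address that has a static (gets doctored), one that does not.
    reply = build_reply("host1.example.com", ["192.168.162.4", "198.51.100.7"])
    doctored, changes = doctor_dns_reply(reply, STATIC_DNS)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored))
    print("rewrites:", changes)
```

The script only touches the rdata of matching A records, so message length, transaction ID and compression pointers stay valid; that is also why this approach cannot help the hosts in the question, which connect by literal address and never send a DNS query for the PIX to doctor.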
02-16-2005 03:15 PM
Yeah, I'm sure that's how it works. Here's an excerpt from the pix command reference:
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.
I have also verified the behavior with tcpdump and as the current (ugly) setup I have is working I guess that would also testify that the alias command performs destination nat (dnat).
Still looking for the "outside nat" command that the pdm hinted at when it informed me that my alias commands were no longer supported.
Please help