
Convert Alias to NAT

veruscorp
Level 1

I am working to convert a 6.3(1) config from conduit to ACL so I can upgrade the code. Output interpreter will not offer conversion suggestions because of an alias command in the config.

Situation: Static inbound nat from outside to dmz with destination nat for inside hosts to dmz

Inside hosts need to communicate with the public (outside) address of the DMZ server. We ARE NOT using DNS doctoring and cannot. This is a VoIP application, the VoIP hosts do not rely on hostnames. A working scenario is an ip phone that communicates with a VoIP gateway server in the DMZ, where the user carries the phone with them while travelling, but also uses it in the office on the inside network.

All Cisco docs that I find relate to using the dns command in the nat statements. The only other doc I find references the alias command and does not offer NAT alternatives.

This is a working config, but the IPs are fictitious. Conduits and access lists are excluded.

Outside: 5.5.5.5

DMZ Host: 192.168.5.5

Inside: 10.10.10.0

alias (inside) 5.5.5.5 192.168.5.5 255.255.255.255

static (dmz,outside) 5.5.5.5 192.168.5.5 netmask 255.255.255.255

With these two statements, inside hosts are faked into thinking they are connecting to the dmz public address by the alias command.

The Cisco references that I find suggest using "outbound" nat, but only provide examples related to DNS requests (doctoring). Again, this is not a DNS capable situation.

How do I convert the alias command over to achieve the same result?

Thank you,

Jamison

2 Replies

gfullage
Cisco Employee

So the hosts on the inside connect to the 5.5.5.5 address, which then gets changed to the 192.168.5.5 address and sent to the DMZ interface, correct?

The command you need is as follows:

static (dmz,inside) 5.5.5.5 192.168.5.5 netmask 255.255.255.255

Note how the interface names (dmz,inside) are the wrong way around from a "normal" static. This command says that if you see a packet on the inside interface destined for 5.5.5.5, change the destination to 192.168.5.5 and send it out the dmz interface. Hence "destination NAT'ing", not DNS Doctoring.

Note the above static only handles the traffic coming from the inside interface to the DMZ server; you still need your original static that you've shown in your original post to handle traffic from the outside to the dmz.
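As an added illustration (not part of this thread or any Cisco code), here is a small Python model of how the two statics above rewrite packets. It uses the interface names and addresses from the post; the route table, the extra host addresses and the simplified forwarding order (destination un-NAT, then routing, then source NAT) are my assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface on which the mapped address is visible
    mapped_ip: str
    real_ip: str

@dataclass(frozen=True)
class Packet:
    in_ifc: str
    src: str
    dst: str

# Constructed route table (assumption): inside, dmz, default to outside.
ROUTES = [("10.10.10.0/24", "inside"), ("192.168.5.0/24", "dmz"), ("0.0.0.0/0", "outside")]
# static (dmz,outside) 5.5.5.5 192.168.5.5  -> the original static from the post
ORIGINAL = Static("dmz", "outside", "5.5.5.5", "192.168.5.5")
# static (dmz,inside) 5.5.5.5 192.168.5.5   -> the static that replaces the alias
ADDED = Static("dmz", "inside", "5.5.5.5", "192.168.5.5")

def route(dst):
    """Longest-prefix match over the constructed route table."""
    nets = [ip_network(n) for n, _ in ROUTES if ip_address(dst) in ip_network(n)]
    best = max(nets, key=lambda n: n.prefixlen)
    return next(i for n, i in ROUTES if ip_network(n) == best)

def forward(pkt, statics):
    """Return (translated packet, egress interface) for one direction of traffic."""
    # A packet arriving on a static's mapped interface for the mapped address is
    # destination-translated to the real host and sent out the real interface.
    for s in statics:
        if pkt.in_ifc == s.mapped_ifc and pkt.dst == s.mapped_ip:
            return replace(pkt, dst=s.real_ip), s.real_ifc
    egress = route(pkt.dst)
    # Traffic from the real host toward a mapped interface gets its source
    # translated to the mapped address, so replies look like they come from it.
    for s in statics:
        if pkt.in_ifc == s.real_ifc and egress == s.mapped_ifc and pkt.src == s.real_ip:
            return replace(pkt, src=s.mapped_ip), egress
    return pkt, egress  # simplification: untranslated traffic is just routed

if __name__ == "__main__":
    phone = Packet("inside", "10.10.10.7", "5.5.5.5")   # constructed inside phone
    print(forward(phone, [ORIGINAL]))          # without the new static: leaves via outside
    print(forward(phone, [ORIGINAL, ADDED]))   # with it: dst becomes 192.168.5.5, egress dmz
    print(forward(Packet("dmz", "192.168.5.5", "10.10.10.7"), [ORIGINAL, ADDED]))  # reply
```

The first print shows the call leaving toward the outside interface rather than the DMZ, which is the gap the alias used to cover; the third shows the DMZ server's reply returning with source 5.5.5.5, so the phone sees the public address it expects.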

Simple enough. Works perfectly, thank you very much!

I still had to modify the matching conduits (soon to be acls). With alias, the conduit referred to the public (outside) address. With static, the conduit properly refers to the private (dmz) address.

The way you interpreted the static statement in plain english makes a ton more sense than Cisco NAT nomenclature [global/foreign/local/headache] :)

Thanks again!

Jamison