Exact mechanics of alias command under 6.2

evan.moore
Level 1

I'm trying to understand a situation which has me puzzled. Part of the problem is definitely not the fault of the PIX, but some of it might be. If anyone can tell me an exact order of operations on packets as they go through the PIX, and when (and how) the alias command is applied, it might shed light.

Here's the problem:

PIX with outside, inside, and DMZ interfaces.

Mail server on the DMZ.

NAT suppressed between DMZ and inside to allow Windows NetLogin service between a different server on the DMZ and a Windows PDC on the inside.

DNS server on the inside LAN used by some of the clients on the inside LAN.

DNS server on the outside LAN used by a different set of clients on the inside LAN.

The behavior is thus:

With an

alias (inside) outside-ip dmz-ip 255.255.255.255

command in place, those clients that use the external DNS server can connect to the mail server just fine. This fits exactly with the Cisco tech note that describes the alias command. However, clients that use the internal DNS server originate sessions with dmz-ip as the destination address, and fail to connect.

I've changed the internal DNS server to reply with outside-ip rather than dmz-ip, thus permitting all clients to connect, but I don't understand why the PIX is not letting connections happen when the inside client tries to connect directly to the dmz-ip address.

Can anyone explain this to me?

ERM


smahbub
Level 6

I really don't think that the problem is with the PIX or the alias command. I don't see a problem while using a DNS server on the inside LAN that replies with the internal IP address. I do not think that the alias command has any role to play here. In this setup it neither does DNAT nor does it do DNS doctoring. Can your host directly ping the IP address of your server on the DMZ? I think it will (remember to configure a conduit for ping!) and that would indicate that things are working fine. I guess the problem really lies with DNS learning and not the alias command. If you are having problems pinging the server on your DMZ from the inside using its private address, then you need to check your routing information.

I forgot to spell out the reverse case, which helps show the problem even better.

If I remove the alias command from my PIX, then those clients using the internal DNS server try to connect to the dmz-ip (this is before I changed the internal DNS) and do so fine. Those clients using the external DNS, thus trying to connect to the external-ip of the server, fail to connect.

Thus, the alias command is needed, to allow the clients using the external DNS servers to contact the mail server correctly. While I agree that those clients should be changed to use the internal DNS server, that's not something which can be done quickly.

ERM