Getting rid of the alias command (DNS Doctoring and DNAT)

m.laporta
Level 1

Hi Experts.

My customer has a PIX 520 with OS ver. 5.1(5). As they have an external DNS, they use the alias command extensively, both for DNS doctoring and for Destination NAT.

I'm planning a (nightly!) migration to ver. 6.3 and want to get rid of the alias command (in order to use the PDM). I kindly ask for your help to make sure I correctly understand the static command as a substitute for the alias.

Here is the current configuration:

!

ip address outside A.B.C.126 255.255.255.128

ip address inside 192.168.204.1 255.255.255.0

ip address dmz 192.168.210.3 255.255.255.0

!

! DNS Doctoring

alias (inside) 192.168.204.29 A.B.C.29 255.255.255.255

!

! DNAT

alias (inside) A.B.C.100 192.168.210.100 255.255.255.255

!

static (inside,outside) A.B.C.29 192.168.204.29 netmask 255.255.255.255 0 0

static (dmz,outside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0

!

... and this is what I'm going to deploy:

!DNS Doctoring

no alias (inside) 192.168.204.29 A.B.C.29 255.255.255.255

static (inside,outside) A.B.C.29 192.168.204.29 dns netmask 255.255.255.255 0 0

!

! DNAT

no alias (inside) A.B.C.100 192.168.210.100 255.255.255.255

static (dmz,inside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0

!

Will this work as before?

Thank you!

1 Reply

scoclayton
Level 7

Hi,

Looks great. One minor correction on your DNAT commands:

static (dmz,inside) 192.168.210.100 A.B.C.100 netmask 255.255.255.255 0 0

** note that I reversed the addresses

Good luck and let us know how it goes. Remember to 'cl x' after removing the alias and other old commands.

Scott
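
An added example, not part of the original thread: a small Python audit that compares the pre-change and post-change configurations and reports, for each old alias address pair, which static lines now reference that pair and whether one of them carries the dns keyword. The AFTER text is constructed from the lines posted above (assuming the old inside/outside static is replaced by the dns version), and A.B.C stays the thread's placeholder.

```python
import re

ALIAS = re.compile(r"^alias\s+\((\w+)\)\s+(\S+)\s+(\S+)")
STATIC = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(.*)$")

def parse(config):
    """Return (aliases, statics) found in PIX-style config text."""
    aliases, statics = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ALIAS.match(line):  # "no alias ..." lines do not match
            aliases.append({"line": line, "pair": frozenset(m.group(2, 3))})
        elif m := STATIC.match(line):
            statics.append({"line": line, "pair": frozenset(m.group(3, 4)),
                            "dns": "dns" in m.group(5).split()})
    return aliases, statics

def audit(before, after):
    """Compare pre- and post-change configs for the alias-to-static migration."""
    old_aliases, _ = parse(before)
    left_over, new_statics = parse(after)
    report = {"leftover_alias": [a["line"] for a in left_over], "pairs": {}}
    for a in old_aliases:
        hits = [s for s in new_statics if s["pair"] == a["pair"]]
        report["pairs"][a["line"]] = {
            "statics": [s["line"] for s in hits],       # lines to review by eye
            "dns_rewrite": any(s["dns"] for s in hits),  # dns keyword present?
        }
    return report

# Current configuration as posted in the question.
BEFORE = """
alias (inside) 192.168.204.29 A.B.C.29 255.255.255.255
alias (inside) A.B.C.100 192.168.210.100 255.255.255.255
static (inside,outside) A.B.C.29 192.168.204.29 netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0
"""
# Constructed post-change configuration, using the static from the reply.
AFTER = """
static (inside,outside) A.B.C.29 192.168.204.29 dns netmask 255.255.255.255 0 0
static (dmz,outside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.210.100 A.B.C.100 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for alias, info in audit(BEFORE, AFTER)["pairs"].items():
        print(alias, "->", info)
```

The script matches address pairs regardless of order, so it lists the static lines for review rather than judging which address belongs in which position.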