Help with 'ALIAS' and DNAT

alan.morris (Level 1)

Trying to understand an inherited config.... It uses pix v6.1 and Aliases as follows

alias (inside) outside-ip dmz-ip 255.255.255.255

alias (dmz) outside-ip dmz-ip 255.255.255.255

and has a

no sysopt dnat

Reading the documentation on the alias command, I thought it seemed to be set up to allow clients on the inside and dmz to use the outside-ip to access the dmz servers. However, to me this seems to be contradicted by the 'no sysopt dnat'.

I have also tried name resolution against an external dns server and there is no sign of 'dns doctoring'!

I am clearly missing something here, could someone kindly shed some light on this for me please?

3 Replies

Many thanks for your reply and references. Having read these, it is clear that in this case the alias is being used for dnat to allow inside and dmz clients to use the external IP addresses to access servers on the dmz. I have, however, been confused by the fact that on 6.1 I can ping the dmz servers using their external IP address but NOT using their internal IP address. If I load the identical configuration on 6.3 I can ping them with either address.

Is this difference in behaviour caused by something else in the config, or is it simply an implementation change?

scoclayton (Level 7)

As I am sure you have seen, the alias command can work in 3 different ways depending on how it is setup:

1) destination NAT - when a packet is received on the interface specified, destined for the first address in the command, the PIX translates the destination to the second address and sends it out accordingly.

2) DNS doctoring for inbound DNS responses - a DNS A record containing the second address in the command destined for a host behind the interface specified, will be translated to the first address in the command.

3) DNS doctoring for outbound DNS responses - a DNS A record received from a host behind the specified interface containing the first address will be translated to the second address.

So, assuming a usual setup here, I would guess that you are using the above alias commands as #1 and #2 above. Internal hosts on the inside, Web servers on the DMZ, and DNS servers on the outside (at an ISP for example). The first alias command - alias (inside) outside-ip dmz-ip 255.255.255.255 - is NAT'ing the destination address of the outside IP to the dmz IP for packets received on the inside interface. This means that your DNS server resolves the web server's name to the "outside-ip" address, but when an internal client tries to hit the "outside-ip" address, the PIX intercepts it, changes the destination address to the "dmz-ip" and puts it on the DMZ interface.

The second alias command is probably working to do DNS doctoring for hosts on the dmz interface trying to resolve the web server's name. So, the DNS server on the outside resolves the web server's name to the "outside-ip" when queried. The PIX intercepts this DNS response, sees that it contains the "outside-ip" and sees that the destination is a host on the dmz interface. The PIX then changes the address in the DNS response from "outside-ip" to "dmz-ip", which allows the hosts on the DMZ to access the other hosts on that interface via name.

The 'sysopt route dnat' has nothing to do with the actions of the alias command. You are probably thinking of 'sysopt nodnsalias'. Have a look here and let me know if this is unclear or if there is anything more that I can do to help.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#1026942

Scott
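The three alias behaviours enumerated in the reply above (destination NAT on the ingress interface, inbound DNS-reply doctoring toward hosts behind the interface, and outbound DNS-reply doctoring from hosts behind it) are easy to get backwards when reading an inherited config. The following is an added Python model of those three rules applied to the two alias lines from the original post; it is not PIX code and not part of the thread. The addresses (203.0.113.10 standing in for outside-ip, 192.168.1.10 for dmz-ip) are constructed placeholders, and the handling of a netmask narrower than /32 (keep the host bits, swap the network bits) is an assumption about how a subnet alias would behave, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alias:
    """One 'alias (if_name) dnat_ip foreign_ip [netmask]' line.

    dnat_ip is the first address on the command line, foreign_ip the second,
    matching the numbering used in the reply above.
    """
    if_name: str
    dnat_ip: str
    foreign_ip: str
    netmask: str = "255.255.255.255"

    def _matches(self, ip: str, base: str) -> bool:
        net = ipaddress.ip_network(f"{base}/{self.netmask}", strict=False)
        return ipaddress.ip_address(ip) in net

    def _swap(self, ip: str, target_base: str) -> str:
        # Assumption: for a netmask shorter than /32 the host bits of ip are
        # kept and only the network bits are replaced by target_base's.
        mask = int(ipaddress.ip_address(self.netmask))
        host_bits = int(ipaddress.ip_address(ip)) & ~mask & 0xFFFFFFFF
        net_bits = int(ipaddress.ip_address(target_base)) & mask
        return str(ipaddress.ip_address(net_bits | host_bits))


def dnat_destination(aliases, ingress_if: str, dst_ip: str) -> str:
    """Case 1: packet received on ingress_if with destination dnat_ip is
    rewritten to foreign_ip. Anything else is left untouched."""
    for a in aliases:
        if a.if_name == ingress_if and a._matches(dst_ip, a.dnat_ip):
            return a._swap(dst_ip, a.foreign_ip)
    return dst_ip


def doctor_inbound_answer(aliases, dst_if: str, a_record: str) -> str:
    """Case 2: A record in a DNS reply destined for a host behind dst_if;
    foreign_ip (second address) becomes dnat_ip (first address)."""
    for a in aliases:
        if a.if_name == dst_if and a._matches(a_record, a.foreign_ip):
            return a._swap(a_record, a.dnat_ip)
    return a_record


def doctor_outbound_answer(aliases, src_if: str, a_record: str) -> str:
    """Case 3: A record in a DNS reply sent by a host behind src_if;
    dnat_ip (first address) becomes foreign_ip (second address)."""
    for a in aliases:
        if a.if_name == src_if and a._matches(a_record, a.dnat_ip):
            return a._swap(a_record, a.foreign_ip)
    return a_record


# Constructed placeholders for the "outside-ip" and "dmz-ip" of the post.
OUTSIDE_IP = "203.0.113.10"
DMZ_IP = "192.168.1.10"

# The two lines from the inherited configuration.
ALIASES = [
    Alias("inside", OUTSIDE_IP, DMZ_IP),
    Alias("dmz", OUTSIDE_IP, DMZ_IP),
]


def walk_through(aliases=ALIASES) -> dict:
    """Run the scenario from the reply and return every rewrite decision,
    so the direction of each rule can be checked rather than guessed."""
    return {
        # inside and dmz clients hitting the public address land on the DMZ host
        "inside->outside-ip": dnat_destination(aliases, "inside", OUTSIDE_IP),
        "dmz->outside-ip": dnat_destination(aliases, "dmz", OUTSIDE_IP),
        # no alias is bound to the outside interface, so nothing changes there
        "outside->outside-ip": dnat_destination(aliases, "outside", OUTSIDE_IP),
        # a /32 alias must not bleed onto neighbouring addresses
        "inside->neighbour": dnat_destination(aliases, "inside", "203.0.113.11"),
        # DNS reply toward an inside host carrying the DMZ address
        "reply-to-inside": doctor_inbound_answer(aliases, "inside", DMZ_IP),
        # DNS reply generated by a host on the DMZ carrying the public address
        "reply-from-dmz": doctor_outbound_answer(aliases, "dmz", OUTSIDE_IP),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:22s} -> {result}")
```

Comparing the dictionary returned by walk_through() against what you actually observe (a ping or a dig from a host on each interface) is a quick way to tell which of the three cases a given alias line is really exercising, which was the question the original poster was trying to settle.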