
PIX520 6.0(1): alias, strange question

xiao0809
Level 1

I have a PIX 520 with 3 ports. In the DMZ there is a web server. I use the static command to allow outside users to access the web server. To allow inside users to access the web server correctly, I use the alias command to resolve the domain name to the DMZ IP address 192.168.1.253.

The question is: when I use the alias command to resolve the domain name, it works well; the domain IP address isn't the global IP address 211.99.175.50.

But the inside users can't access the web server.

At this time, when I ping 192.168.1.253, the PIX NATs it to the outside pool, but if I ping 192.168.1.252 etc., the PIX NATs it to the DMZ.

If I don't use the alias command, when I ping 192.168.1.253, the PIX NATs it to the DMZ, which is correct, but, you know, the inside users can't access the web server correctly at this time.

What can I do? I need your help.

Duzaidong, Thanks

3 Replies

thomas.chen
Level 6

This is because the alias command does two things: it fixes up the DNS packet and changes the destination address. The workaround is to reverse the IP addresses in the alias statement. I think there's a new sysopt command that works too. Look at this for details: http://www.cisco.com/warp/customer/110/top_issues/pix/issue_alias.html

I am in the same situation and my commands are:

alias (inside) web-public-ip web-private-ip 255.255.255.255

sysopt nodnsalias inbound

It works. The internal users can access the web by domain name. However, the PIX firewall hangs very often and needs to be rebooted. Do any of you experience this, and what's the solution? I have tried 5.3.1 and 6.0.1.

turnbull
Level 1

Check out Bug ID: CSCdu74759

6.0.1 introduced a problem with alias after a fix for a previous bug.

The workaround is to disable proxy ARP on internal interfaces with the "sysopt noproxyarp" command.