
"pdm does not support the alias command"? dns doctoring

leeb
Level 1

I have a PIX 501 ver 6.3, PDM 3.

I want to apply a DNS doctoring alias command so internal users will access my internal web site with its public DNS name = public IP.

I did: alias (inside) 192.168.1.2 10.10.10.10 255.255.255.255, where 10.10.10.10 is the public IP.

But I got the error message in PDM.

Can someone tell me how I do it with "bi-directional NAT" (I found answers about dnat-alias, but what about DNS doctoring-alias)?

1 Reply

ehirsel
Level 6

This may work, but before you try it, remove the alias (inside) 192.168.1.2 10.10.10.10 255.255.255.255 statement and do a clear xlate global 192.168.1.2 command, or just clear xlate, before you proceed.

static (dmz, inside) 10.10.10.10 192.168.1.2 netmask 255.255.255.255

If I understand the pix doc correctly, this is bi-directional nat. The real ip address of the dmz host is 192.168.1.2, and the mapped address (the one seen by the inside users) is 10.10.10.10.

I think this will work under one of these two conditions:

1. If the dns server and the web server are off of the same interface, because you want the dns replies to be doctored.

2. The dns server is on the inside and the dns records already have the public IP address. No need for dns doctoring, just translate the ip packets.

If the dns and web are off of the outside interface then use static (out, in) 10.10.10.10 192.168.1.2 netmask 255.255.255.255