10-23-2004 01:44 AM - edited 03-09-2019 09:11 AM
I am trying to update a legacy configuration to 6.3 and to use PDM, for ease of maintenance. The setup is a 3 leg 515, with outside facing servers on the DMZ.
The legacy configuration uses aliases to allow inside users to access the DMZ servers using their global IPs rather than their local IPs. The aliases are also applied to the DMZ itself, allowing one DMZ server to talk to another using the latter's global IP. Thus typical alias statements for a given server would be:
ALIAS (INSIDE) x.x.x.x 192.168.2.1 255.255.255.255
ALIAS (DMZ) x.x.x.x 192.168.2.1 255.255.255.255
where 192.168.2.1 is the IP address of a server on the DMZ and x.x.x.x is its global address.
PDM does not support alias commands so I have replaced the former statement with DNAT:
static (DMZ,inside) x.x.x.x 192.168.2.1 netmask 255.255.255.255
This works fine allowing inside users to access the DMZ servers with their global IP.
However I cannot see how to apply this approach to the servers on the DMZ.
Can anyone help please?
10-24-2004 05:01 PM
Seems like you have a very good understanding of how the alias command works, which is not an easy thing for most people...
But, I will point out one error in your post. My guess is that the latter alias command is actually doing what we call "DNS Doctoring" rather than destination NAT. What this means is that as servers on the DMZ did a DNS lookup for other servers on the DMZ, the DNS server responded with x.x.x.x. The PIX intercepted this response and replaced the address in the DNS reply with 192.168.2.1 so the servers on the DMZ could access other servers via their local address rather than the global address.
Make sense? So your first static is perfect for doing destination NAT for internal users trying to hit the DMZ servers via their global addresses. To make this work for "DNS Doctoring" all you need to do is add 'dns' to the static(s) on the PIX that you need to access from other servers on the DMZ. Using your address examples, something like this:
static (dmz,outside) x.x.x.x 192.168.2.1 dns netmask 255.255.255.255
Take a look at the command ref here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
Hope this helps.
Scott
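To make the "DNS Doctoring" behaviour described above concrete, here is an added example (not Cisco code, and not from either poster) that models what the PIX does with the `dns` keyword on a static: it walks the answer section of a DNS reply and rewrites any A record carrying the global address to the mapped local address. The mapping, the name www.example.com and the address 203.0.113.10 (standing in for x.x.x.x) are constructed for the example.

```python
import ipaddress
import struct

# Constructed global -> local mapping, as the PIX derives it from
# "static (dmz,outside) x.x.x.x 192.168.2.1 dns netmask 255.255.255.255".
STATIC_DNS = {"203.0.113.10": "192.168.2.1"}  # 203.0.113.10 stands in for x.x.x.x

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]  # step over one label
    return off + (2 if pkt[off] & 0xC0 else 1)  # pointer is 2 bytes, terminator is 1

def _a_records(pkt):
    """Yield the offset of the IPv4 address in each A record of the answer section."""
    flags, qd, an = struct.unpack("!HHH", pkt[2:8])
    if not flags & 0x8000:  # QR bit clear: this is a query, nothing to doctor
        return
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            yield off
        off += rdlen

def answer_addresses(pkt):
    """List the IPv4 addresses carried in the A records of a DNS response."""
    return [str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in _a_records(pkt)]

def doctor_dns_reply(pkt, mapping=STATIC_DNS):
    """Rewrite A answers holding a global address to the mapped local address."""
    buf = bytearray(pkt)
    for off in _a_records(pkt):
        addr = str(ipaddress.IPv4Address(pkt[off:off + 4]))
        if addr in mapping:
            buf[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
    return bytes(buf)

def build_reply(name, addr, txid=0x1234):
    """Construct a minimal DNS response: one question plus one A answer pointing at the question name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return (struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed)
```

A reply whose answer is not in the mapping, or a packet that is a query rather than a response, passes through unchanged, which is the behaviour to check for when verifying that the rewrite is actually in use.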
10-25-2004 01:35 AM
Scott, thanks for your reply. Indeed you were correct in identifying my error. Many thanks for your help. As far as I can tell, although the PIX is set up to do DNS rewriting, it seems it is not actually being used; however, I have yet to finalise my research on this.
Regards