03-04-2003 10:01 AM - edited 03-09-2019 02:21 AM
I would like to use the PDM to manage my PIX. My config is currently using the alias command. Can I replace the alias with static commands?
Thanks
Ex. alias (inside) 192.195.176.17 174.18.2.20 255.255.255.255
03-04-2003 12:33 PM
Yes. You can use static commands to do "reverse" or "bi-directional" NAT if you're using PIX 6.2+. There's not enough info here to answer your question directly. Here's what yours would look like for a simple inside host NATted outside and the DNS being housed externally.
static (inside,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS is outside]
If a host was on a DMZ and DNS is outside, you could do something like this:
static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS resolves to the public IP]
static (dmz,inside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [allows internal hosts to connect to the public IP found in DNS and translates it to the private IP on the way to the DMZ]
Give more info on your setup. Don't forget to include things like where your DNS is, DMZs, etc.
03-04-2003 01:52 PM
Thank you for your help. My DNS is on the outside and the alias that I am trying to replace is from an outside address to an address in the dmz. I replaced 2 aliases with a static (dmz, inside) command line and all still seems to be working. The only problem that I am still having, which I had before I changed the alias to a static, is that a computer in the dmz cannot see a web server in the dmz when they click on a link with an outside address.
Thanks again
03-04-2003 01:59 PM
Actually, the "dns" keyword on the second static shouldn't be there. You will need the "dns" on the first static so that hosts on the dmz receive the real IP and not the NATted one in DNS replies. Make sure you "clear xlate" after making these changes, flush DNS caches (ipconfig /flushdns on win2k/xp), and that there are no host entries in the affected machines. For your setup, you should have this:
static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS resolves to the public IP]
static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255 [allows internal hosts to connect to the public IP found in DNS and translates it to the private IP on the way to the DMZ]
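A small audit for the point made in the 01:59 PM reply, as an added example that is not part of the original thread or any Cisco tool: it parses `static` lines of the form shown above and reports any that carry `dns` while mapped to an interface other than the one facing the DNS server. The function names, the `dns_if` parameter and its `outside` default are assumptions taken from this thread's setup.

```python
import re

# Matches lines of the form used in this thread:
#   static (real_if,mapped_if) mapped_ip real_ip [dns] netmask mask
STATIC_RE = re.compile(
    r"^static\s+\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?P<opts>.*)$"
)

def parse_statics(config_text):
    """Return one dict per static line; all other lines are ignored."""
    entries = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        # "dns" must appear as its own token after the two addresses.
        entry["dns"] = "dns" in entry.pop("opts").split()
        entry["lineno"] = lineno
        entries.append(entry)
    return entries

def audit_dns_keyword(config_text, dns_if="outside"):
    """Apply the thread's advice: with the DNS server behind dns_if
    (assumed), only statics mapped to that interface should carry dns.
    Returns (lineno, real_if, mapped_if) for each static that breaks it."""
    return [
        (s["lineno"], s["real_if"], s["mapped_if"])
        for s in parse_statics(config_text)
        if s["dns"] and s["mapped_if"] != dns_if
    ]

# Constructed sample: the pair of statics from the 12:33 PM reply,
# before the correction given in the 01:59 PM reply.
SAMPLE = """\
static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255
static (dmz,inside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255
"""

if __name__ == "__main__":
    for lineno, real_if, mapped_if in audit_dns_keyword(SAMPLE):
        print(f"line {lineno}: static ({real_if},{mapped_if}) should not carry dns")
```

The bracketed annotations from the posts must be stripped before feeding real lines to the parser, since they are commentary and not part of the command.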