replacing the alias command

tjmaurin
Level 1

I would like to use the PDM to manage my PIX. My config is currently using the alias command. Can I replace the alias with static commands?

Thanks

Ex. alias (inside) 192.195.176.17 174.18.2.20 255.255.255.255


shannong
Level 4

Yes. You can use static commands to do "reverse" or "bi-directional" NAT if you're using Pix 6.2+. There's not enough info here to answer your question directly. Here's what yours would look like for a simple inside host NATted outside and the DNS being housed externally.

static (inside,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS is outside]

If a host was on a DMZ and DNS is outside, you could do something like this:

static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS resolves to the public IP]

static (dmz,inside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [allows internal hosts to connect to the public IP found in DNS and translates it to the private IP on the way to the DMZ]

Give more info on your setup. Don't forget to include things like where your DNS is, DMZs, etc.

Thank you for your help. My DNS is on the outside and the alias that I am trying to replace is from an outside address to an address in the dmz. I replaced 2 aliases with a static (dmz, inside) command line and all still seems to be working. The only problem that I am still having, which I had before I changed the alias to a static, is that a computer in the dmz cannot see a web server in the dmz when they click on a link with an outside address.

Thanks again

Actually, the "dns" keyword on the second static shouldn't be there. You will need the "dns" on the first static so that hosts on the dmz receive the real IP and not the NATted one in DNS replies. Make sure you "clear xlate" after making these changes, flush dns caches (ipconfig /flushdns on win2k/xp), and that there are no host entries in the affected machines. For your setup, you should have this:

static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255 [the dns keyword tells the pix to do DNS doctoring for this translation because DNS resolves to the public IP]

static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255 [allows internal hosts to connect to the public IP found in DNS and translates it to the private IP on the way to the DMZ]
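
An added example, not part of the thread and not Cisco code: a small Python audit that applies the advice above to PIX config text, reporting leftover `alias` lines and statics where the `dns` keyword sits on the wrong translation for a given DNS location. The `dns_if` parameter, the finding codes and the two sample configs (assembled from the commands quoted in this thread) are assumptions made for illustration.

```python
import re

# static (real_if,mapped_if) mapped_ip real_ip [dns] netmask mask
STATIC_RE = re.compile(
    r"static\s+\((\w+)\s*,\s*(\w+)\)\s+(\S+)\s+(\S+)(\s+dns)?\s+netmask\s+\S+")
ALIAS_RE = re.compile(r"alias\s+\(\w+\)\s+\S+\s+\S+")

def audit(config, dns_if="outside"):
    """Return sorted (line_no, code) findings; dns_if is the interface the DNS server is behind."""
    findings, hosts = [], {}
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if ALIAS_RE.match(line):
            findings.append((no, "alias-remaining"))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, dns = m.groups()
            # Group every translation of the same host so the pair can be compared.
            hosts.setdefault((real_if, mapped, real), []).append((no, mapped_if, bool(dns)))
    for entries in hosts.values():
        for no, mapped_if, dns in entries:
            if dns and mapped_if != dns_if:
                # The thread's correction: no dns keyword on the static that does not face DNS.
                findings.append((no, "dns-on-non-dns-facing-static"))
            elif not dns and mapped_if == dns_if and len(entries) > 1:
                # Host is also reachable from another interface, so the DNS-facing static needs dns.
                findings.append((no, "dns-missing-on-dns-facing-static"))
    return sorted(findings)

# Constructed sample: the original alias plus the first suggested pair (dns on both statics).
BEFORE = "\n".join([
    "alias (inside) 192.195.176.17 174.18.2.20 255.255.255.255",
    "static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255",
    "static (dmz,inside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255",
])
# Constructed sample: the corrected pair from the final reply.
AFTER = "\n".join([
    "static (dmz,outside) 123.123.123.123 192.168.1.1 dns netmask 255.255.255.255",
    "static (dmz,inside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255",
])

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```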