Trying to understand Alias and migrating away from it

rtjensen4
Level 4

Hello,

I'm in the process of getting ready for a firewall upgrade that involves changing from our current PIX515Es running 7.0(6) to a pair of ASA5520s running 7.2(3). I haven't been too involved with the firewalls as of yet simply because they were in place when I started my position about 4 months ago and haven't had to do many updates.

I've come across the "alias" commands. I did some research and found that this command is used to re-write DNS requests. As I look at the firewall config, I get a little bit confused. Some of the alias commands have the external IP followed by the internal, and others have the internal IP listed first followed by the external. Example:

alias (inside) <external> 192.168.3.35 255.255.255.255

OR

alias (inside) 10.20.40.65 <external> 255.255.255.255

I've read the Cisco documentation on the alias command as well as doing some web surfing and I just don't get the difference between the two. Can someone please help?

I'm trying to eliminate these alias commands by converting them to NAT statements with the dns tag because this is what Cisco recommends, I guess. Our primary DNS server sits in the DMZ.

So, what I'm doing is something similar to the following, in order to allow external access to 192.168.3.18 and still have DNS for internal users resolve to the 192.168.3.18 address instead of the external:

This would be accomplished via alias command by:

static (DMZ,outside) <external> 192.168.3.18 netmask 255.255.255.255

alias (inside) <external> 192.168.3.18

BUT

I want to do this by Using NAT:

!NAT Translation for external access

static (DMZ,outside) <external> 192.168.3.18 netmask 255.255.255.255

!NAT Translation for DNS re-write inside.

static (inside,DMZ) <external> 192.168.3.18 netmask 255.255.255.255 dns

I did a test and it seems to do the trick... But I don't want to blow anything up when I actually cut the firewalls over to the new appliances because I don't understand how the alias command works.

How would I handle the alias commands that have their internal IP listed first followed by external? That's where I get confused.

Another weird thing I've come across: there are static NAT translations that NAT to themselves(!) Below are the commands from the production firewall that allow external access to inside host 10.20.80.80 while making sure DNS replies to inside hosts still refer to the internal IP address:

static (inside,outside) <external> 10.20.80.80 netmask 255.255.255.0

alias (inside) 10.20.80.80 <external> 255.255.255.255

static (inside,dmz) 10.20.80.80 10.20.80.80 netmask 255.255.255.255

The DNS re-writing doesn't work unless the 3rd command is in place.

Someone mentioned to me that they are needed because without them, for some reason when we upgraded to 7.0(6) from 6.3, the alias commands wouldn't work. This is only needed for internal hosts that are directly accessible from the internet. It doesn't matter what interfaces the static is pointing to, but it needs to be there. Does this sound right? Can I get rid of these translations when I migrate away from the alias commands? Thanks in advance. Any insight would really be appreciated.
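A small added model (not Cisco code and not from this thread) of how a `static ... dns` entry rewrites A records depending on the direction the DNS reply crosses the firewall. It uses the two static lines from the post above, with the elided <external> address replaced by the constructed placeholder 203.0.113.18, and models only the direction rule, not the full xlate logic:

```python
import re
from dataclasses import dataclass

# Matches the PIX/ASA 7.x form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
STATIC_RE = re.compile(
    r"static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"\s+netmask\s+(?P<mask>\S+)(?P<dns>\s+dns)?\s*$"
)

@dataclass
class Static:
    real_ifc: str    # interface where the real (untranslated) address lives
    mapped_ifc: str  # interface where the mapped address is visible
    mapped: str
    real: str
    dns: bool        # "dns" keyword present: DNS replies crossing this pair are rewritten

def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    return Static(m["real_ifc"].lower(), m["mapped_ifc"].lower(),
                  m["mapped"], m["real"], m["dns"] is not None)

def doctor_reply(statics, src_ifc, dst_ifc, answers):
    """A-record answers of a DNS reply as they leave the firewall, for a reply that
    enters on src_ifc and exits on dst_ifc. Only statics carrying the dns keyword on
    exactly that interface pair apply; the first matching static wins."""
    src, dst = src_ifc.lower(), dst_ifc.lower()
    out = []
    for ip in answers:
        new = ip
        for s in (s for s in statics if s.dns):
            # reply travelling from the mapped side to the real side: mapped -> real
            if (src, dst) == (s.mapped_ifc, s.real_ifc) and ip == s.mapped:
                new = s.real
                break
            # reply travelling from the real side to the mapped side: real -> mapped
            if (src, dst) == (s.real_ifc, s.mapped_ifc) and ip == s.real:
                new = s.mapped
                break
        out.append(new)
    return out

# The two static lines from the post; <external> is the constructed placeholder 203.0.113.18.
CONFIG = [
    "static (DMZ,outside) 203.0.113.18 192.168.3.18 netmask 255.255.255.255",
    "static (inside,DMZ) 203.0.113.18 192.168.3.18 netmask 255.255.255.255 dns",
]
STATICS = [parse_static(line) for line in CONFIG]

if __name__ == "__main__":
    # DMZ DNS server answering an inside host: external address becomes 192.168.3.18
    print(doctor_reply(STATICS, "DMZ", "inside", ["203.0.113.18"]))
    # same answer toward outside crosses (DMZ,outside), which has no dns keyword: unchanged
    print(doctor_reply(STATICS, "DMZ", "outside", ["203.0.113.18"]))
```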

1 Reply

jbayuka
Level 5

Refer to the document ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example for more information

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml
