Trying to understand Alias and migrating away from it


I'm in the process of getting ready for a firewall upgrade that involves changing from our current PIX515Es running 7.0(6) going to a pair of ASA5520s running 7.2(3). I haven't been too involved with the firewalls as of yet simply because they were in place when I started my position about 4 months ago and haven't had to do many updates.

I've come across the "alias" commands. I did some research and found that this command is used to re-write DNS requests. As I look at the firewall config, I get a little bit confused. Some of the alias commands have the external IP followed by the internal, and others have the internal IP listed first followed by the external. Example:

alias (inside) <external>


alias (inside) <external>

I've read the Cisco documentation on the alias command as well as doing some web surfing, and I just don't get the difference between the two. Can someone please help?

I'm trying to eliminate these alias commands by converting them to NAT statements with the dns tag because this is what Cisco recommends, I guess. Our primary DNS server sits in the DMZ.

So, what I'm doing is something similar to the following, in order to allow external access to and still have DNS for internal users resolve to the address instead of the external:

This would be accomplished via alias command by:

static (DMZ,outside) <external> netmask

alias (inside) <external>


I want to do this by Using NAT:

!NAT Translation for external access

static (DMZ,outside) <external> netmask

!NAT Translation for DNS re-write inside.

static (inside,DMZ) <external> netmask dns

I did a test and it seems to do the trick... But I don't want to blow anything up when I actually cut the firewalls over to the new appliances because I don't understand how the alias command works.

How would I handle the alias commands that have their internal IP listed first followed by external? That's where I get confused.

Another weird thing I've come across: there are static NAT translations that NAT to themselves (!). Below are the commands from the production firewall that allow external access to an inside host while making sure DNS replies to inside hosts still refer to the internal IP address:

static (inside,outside) <external> netmask

alias (inside) <external>

static (inside,dmz) netmask

The DNS re-writing doesn't work unless the 3rd command is in place.

Someone mentioned to me that they are needed because, for some reason, when we upgraded to 7.0(6) from 6.3, the alias commands wouldn't work without them. This is only needed for internal hosts that are directly accessible from the internet. It doesn't matter what interfaces the static is pointing to, but it needs to be there. Does this sound right? Can I get rid of these translations when I migrate away from the alias commands? Thanks in advance. Any insight would really be appreciated.

  • Firewalling
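
As an added illustration (not part of this thread, and not Cisco code), the Python model below shows what the `dns` keyword on a `static` translation does to a DNS reply crossing the firewall, which is the mechanism the post's "NAT Translation for DNS re-write inside" relies on: an A record carrying the mapped (external) address is rewritten to the real (internal) address when the reply travels from the mapped interface toward the real interface, and the reverse on the opposite path; without a matching `dns` static the reply passes unchanged. It models only the `static ... dns` form, not the `alias` command. The interface names, the addresses (inside host 10.1.1.10 published as 203.0.113.10, DNS server on the DMZ) and the reply packet are all constructed for the example; the model ignores UDP checksum recomputation, which a real appliance performs after rewriting.

```python
"""
Model of what the `dns` keyword on a `static` translation does to a DNS reply
crossing the firewall ("DNS doctoring" / DNS rewrite).
Constructed illustration, not Cisco code: it models the rewrite rule only and
ignores UDP checksum recomputation, TCP DNS, and any name compression beyond
the single pointer used in the answer section.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticDns:
    """One `static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255 dns`."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dns_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS response: one question, one A answer (constructed test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_to_bytes(ip)  # pointer to qname
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt: bytes):
    """Yield the rdata offset of every A record in the answer section of a reply."""
    flags, qdcount, ancount = struct.unpack("!HHH", pkt[2:8])
    if not flags & 0x8000:             # QR bit clear: this is a query, nothing to rewrite
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(pkt: bytes) -> list:
    """Addresses carried in the A records of a reply (empty for a query)."""
    return [_bytes_to_ip(pkt[o:o + 4]) for o in _a_record_offsets(pkt)]


def doctor_dns_reply(pkt: bytes, ingress_if: str, egress_if: str, statics) -> tuple:
    """Apply the DNS rewrite rule to a reply travelling ingress_if -> egress_if.

    mapped -> real when the reply goes from the mapped interface to the real one,
    real -> mapped on the opposite path; anything else passes unchanged.
    Returns (possibly rewritten packet, list of (old, new) rewrites).
    """
    out = bytearray(pkt)
    rewrites = []
    for off in _a_record_offsets(pkt):
        addr = _bytes_to_ip(pkt[off:off + 4])
        for s in statics:
            if (ingress_if, egress_if, addr) == (s.mapped_if, s.real_if, s.mapped_ip):
                new = s.real_ip
            elif (ingress_if, egress_if, addr) == (s.real_if, s.mapped_if, s.real_ip):
                new = s.mapped_ip
            else:
                continue
            out[off:off + 4] = _ip_to_bytes(new)
            rewrites.append((addr, new))
            break
    return bytes(out), rewrites


# Constructed scenario matching the migration in the post: DNS server in the DMZ,
# inside host 10.1.1.10 published as 203.0.113.10, clients on the inside.
STATICS = [StaticDns("inside", "DMZ", "203.0.113.10", "10.1.1.10")]


def demo() -> dict:
    """Reply from the DMZ server to an inside client, with and without the dns static."""
    reply = build_dns_reply("www.example.com", "203.0.113.10")
    doctored, changes = doctor_dns_reply(reply, "DMZ", "inside", STATICS)
    untouched, no_changes = doctor_dns_reply(reply, "DMZ", "inside", [])
    return {
        "inside_sees": answer_addresses(doctored),            # ['10.1.1.10']
        "changes": changes,                                   # [('203.0.113.10', '10.1.1.10')]
        "without_dns_keyword": answer_addresses(untouched),   # ['203.0.113.10']
        "no_changes": no_changes,                             # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The direction check is the part worth noticing: the same static rewrites real to mapped for a reply heading the other way (an inside DNS server answering a DMZ host), and a bare query is never touched, so `answer_addresses` is also a quick way to confirm what a client on a given interface will actually resolve.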

Re: Trying to understand Alias and migrating away from it

Refer to the document ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example for more information.
