Trying to understand Alias and migrating away from it
I'm in the process of getting ready for a firewall upgrade that involves changing from our current PIX515Es running 7.0(6) going to a pair of ASA5520s running 7.2(3). I haven't been too involved with the firewalls as of yet simply because they were in place when I started my position about 4 months ago and haven't had to do many updates.
I've come across the "alias" commands. I did some research and found that this command is used to re-write DNS requests. As I look at the firewall config, I get a little bit confused. Some of the alias commands have the external IP followed by the internal, and others have the internal IP listed first followed by the external. Example:
alias (inside) <external> 192.168.3.35 255.255.255.255
alias (inside) 10.20.40.65 <external> 255.255.255.255
I've read the Cisco documentation on the alias command as well as done some web surfing and I just don't get the difference between the two. Can someone please help?
I'm trying to eliminate these alias commands by converting them to NAT statements with the dns tag because this is what Cisco recommends, I guess. Our primary DNS server sits in the DMZ.
So, what I'm doing is something similar to the following, in order to allow external access to 192.168.3.18 and still have DNS for internal users resolve to the 192.168.3.18 address instead of the external:
static (inside,DMZ) <external> 192.168.3.18 netmask 255.255.255.255 dns
I did a test and it seems to do the trick... But I don't want to blow anything up when I actually cut the firewalls over to the new appliances because I don't understand how the alias command works.
How would I handle the alias commands that have their internal IP listed first followed by external? That's where I get confused.
Another weird thing I've come across: there are static NAT translations that NAT to themselves (!). Below are the commands from the production firewall that allow external access to inside host 10.20.80.80 while making sure DNS replies to inside hosts still refer to the internal IP address:
The DNS re-writing doesn't work unless the 3rd command is in place.
Someone mentioned to me that they are needed because, for some reason, after we upgraded to 7.0(6) from 6.3 the alias commands wouldn't work without them. This is only needed for internal hosts that are directly accessible from the internet. It doesn't matter what interfaces the static is pointing to, but it needs to be there. Does this sound right? Can I get rid of these translations when I migrate away from the alias commands? Thanks in advance. Any insight would really be appreciated.
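The static-with-dns replacement described in the post, laid out as a pre-cutover check (an added example, not the poster's production config). It assumes the inside/DMZ interface pair and the 192.168.3.18 host from the post; <external> and <dmz-host> are placeholders, not real addresses.

```cisco
! Legacy PIX form (from the current config): DNS doctoring via alias
! alias (inside) <external> 192.168.3.35 255.255.255.255
!
! Replacement on the ASA 5520 running 7.2(3): a static translation with the
! dns keyword. The dns keyword rewrites the A record in DNS replies that cross
! this translation, so inside clients resolving the public name get the
! inside address (192.168.3.18) while DMZ/outside hosts reach <external>.
! <external> is the registered public address (placeholder, as in the post).
static (inside,DMZ) <external> 192.168.3.18 netmask 255.255.255.255 dns
! Existing translations are not re-evaluated until the xlate table is cleared
clear xlate
!
! Checks before removing the alias line on the old unit:
! 1. the static is present and shows the dns keyword
show running-config static
! 2. the translation appears in the xlate table
show xlate
! 3. a DMZ host (placeholder address) reaching <external> is translated
!    to 192.168.3.18 in the NAT phase of the trace
packet-tracer input DMZ tcp <dmz-host> 1025 <external> 80
```

Run the same three checks again after the cutover to the ASA pair, since the xlate table starts empty on the new units.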