Cisco Support Community

Access-list and alias in PIX firewall


I need some advice regarding an access-list used together with the alias command.

There are two hosts: host A in the internal segment - real IP is and host B in the DMZ segment - real IP is Both the alias and static commands are being used here:

alias (internal)

static (internal,dmz) netmask

The reasons are that the DNS record for host B must be from the network and that no route information about the internal network should be published in the DMZ (not even a static route).

I want to use an access-list to permit the traffic between A and B and apply it on both the internal and the DMZ interface. But I'm not very clear on whether I should use the alias address or the real address.

Going back to the example above, should I use:

access-list dmz permit ip host host


access-list dmz permit ip host host

or both statements?

And what about the access-list command on the inside interface?

Another question regarding access-lists in PIX:

If I use an access-list on one side, do I need to create a mirrored access-list on the other side for the return packets?

Thank you so much.



Re: Access-list and alias in PIX firewall

This is what I have understood from your description: You have a network setup as drawn below and you want to allow Host A to access your web server (Host B) on your DMZ. Further, the DNS server is located on the outside.

[Network diagram: PIX with the DNS server on the outside, HOST B (Web Server) on the DMZ interface, and Host A on the inside; the IP addresses are not shown.]
If what I have understood is right, then it is possible that the present configuration is wrong. Let's see why! Let's assume that your web server's (Host B) global address is a.b.c.d and that the URL is A DNS request from the outside (Internet) to the DNS for, will return the IP a.b.c.d. The external host can now access your web server (Host B) with this IP. If someone sitting on the inside (Host A) makes the same DNS request, the IP returned by the DNS server will be the same IP a.b.c.d. This is where the problem comes in: no translation exists for this address between the inside and the DMZ. This is precisely why the alias command is configured. By configuring the following alias command, the IP address a.b.c.d returned by the DNS server will be replaced by Thus Host A on the inside will learn that the server is accessible at IP

alias (inside) a.b.c.d

More information on the alias command is available at the URL

With this setup, user A on the inside interface (security level 100) will have access to all resources (the server) on the DMZ (security level 50). Remember, with the most basic configuration in place (IP addresses, route and NAT), connections initiated from an interface at a higher security level to a lower security level interface are allowed by default. Thus if the user on the inside (Host A) sends an HTTP request to the server on the DMZ (Host B), the request is allowed through and all traffic sent in response by the server is allowed through to Host A.

To allow traffic belonging to sessions initiated by Host B (lower security level) to reach Host A (higher security level), use the access-list or conduit permit statement. This access-list must use internal/private addresses only, i.e. and in our example. In addition, Host A must be statically NATed, or NAT should be disabled between inside and DMZ for this address.

For more information on configuring the PIX firewall (Basic Commands), visit the following URL:


Re: Access-list and alias in PIX firewall

Your network diagram is correct, except that the DNS server is located on the inside interface. Its purpose is to serve internal users only, and it is not accessible from the outside. When host A on the inside network makes a DNS request for host B, the DNS server will return the IP address for host B. Host A will now send packets with destination address When they come to the PIX, they'll be NATed into (by the alias command).

To avoid using a static route on host B, a static command is needed:

static (internal,dmz) netmask

So host B 'thinks' that host A has IP address The PIX will then translate the destination address in the return packet from to

Now my problem is: should I use the real address or the translated address if I want to implement an access-list in both directions?

I tried to search the documentation and technical notes but couldn't find a definite answer.


Re: Access-list and alias in PIX firewall

For the access-list on the DMZ you should have

access-list xx permit xxx host host

You do not require any access-list for the return traffic, as it is part of the same session.

On the inside, by default, you would not require an access-list to permit traffic to the DMZ server, as the communication is from a higher to a lower security level. But if you have to be restrictive and define only a particular type of traffic, then use

access-list xx permit xxx host

Hope this helps
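As an added example that is not part of the original thread: a PIX 6.x configuration fragment that puts the three replies together for the scenario above (an internal DNS server hands Host A the alias address of Host B, Host A is presented to the DMZ through a static, and access-lists are applied on both interfaces). All addresses and interface names are hypothetical placeholders, since the real ones are not shown in the thread. The addressing in the access-lists follows the PIX 6.x rule that an inbound access-list matches addresses as they appear on the interface it is applied to, before the PIX translates them, which is what the last reply's answer amounts to.

```cisco
! Added example (not from the thread). Hypothetical addresses:
!   Host A, inside, real address            10.1.1.10
!   Host B, DMZ, real address               192.168.50.20
!   Host B as seen from inside (alias)      10.1.1.20
!   Host A as seen from the DMZ (static)    192.168.50.10
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0
!
! alias (if_name) dnat_ip foreign_ip [netmask]
! Packets from inside sent to 10.1.1.20 get their destination translated to
! 192.168.50.20. A DNS reply crossing 'inside' that carries 192.168.50.20 would
! be rewritten to 10.1.1.20, but here the DNS server is itself on the inside,
! so the internal DNS record for Host B must carry 10.1.1.20 directly.
alias (inside) 10.1.1.20 192.168.50.20 255.255.255.255
!
! Host A is presented to the DMZ as 192.168.50.10, so Host B needs no route
! to 10.1.1.0/24 (not even a static one).
static (inside,dmz) 192.168.50.10 10.1.1.10 netmask 255.255.255.255 0 0
!
! Inbound on 'inside': source is Host A's real address, destination is still
! the alias address, because the access-list is checked before translation.
access-list inside_in permit tcp host 10.1.1.10 host 10.1.1.20 eq www
access-group inside_in in interface inside
!
! Inbound on 'dmz' (sessions Host B initiates towards Host A): source is
! Host B's real address, destination is the static (translated) address of
! Host A as it appears on the DMZ.
access-list dmz_in permit tcp host 192.168.50.20 host 192.168.50.10 eq 22
access-group dmz_in in interface dmz
```

Only the first packet of a session is matched against the access-list; the PIX tracks the connection, so no mirrored entry is needed for the return packets in either direction. From PIX 7.0 onward the alias command no longer exists; the equivalent DNS rewriting is done with the dns keyword on the static command.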
