alias command

subbarao.s
Level 1

Is it possible to access a server in the DMZ with both a public IP (with DNAT by the alias command) and a private IP (with NAT 0 while going from inside to the DMZ with the real IP of the DMZ server)?

We have a requirement with PIX: a few hosts in the inside network (from the same subnet) should access the DMZ server with its real IP (private), and a few others with the public IP address (statically translated from DMZ to outside).

Thanks for your time.


nkhawaja
Cisco Employee

I don't think it is possible. Once the alias command is in place, it will always try to do its function. You can try to do static translation with an access-list along with DNAT (not alias).

I don't understand the difference between doing DNAT with the alias command and with the static command; is there any difference?

Could you post the configuration that you have in mind?

Hi,

Basically, functioning-wise, no difference. BUT

using DNAT, you have the luxury of defining access-lists in your static translation, which you can't do otherwise with alias.

Basically you need to combine policy NAT (as per this link: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601) with DNAT.

DNAT is nothing more than using a static translation like this:

static (high,low)

I am just giving you an idea; I'd need to work on the exact example though.

Hi Nadeem,

The below works on a PIX 515E-UR with 6.3(3).

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
names
name 192.168.2.10 WWW-MAIL-DNS
name 192.168.1.100 pdm-inside
name 210.210.210.50 PUBLICMAILServer
access-list nonat permit ip host pdm-inside host WWW-MAIL-DNS
access-list nonat permit ip host pdm-inside host PUBLICMAILServer
ip address outside 210.210.210.1 255.255.255.0
ip address inside 192.168.1.250 255.255.255.0
ip address DMZ 192.168.2.250 255.255.255.0
global (outside) 1 201.201.201.100
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) PUBLICMAILServer WWW-MAIL-DNS netmask 255.255.255.255 0 0
alias (inside) 210.210.210.50 192.168.2.10
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 210.210.210.200 1

The above configuration uses "alias" for DNAT.

I also tried DNAT with the static command, as below:

static (DMZ,inside) 210.210.210.50 192.168.2.10

In either case the result is the same. I can access the DMZ server with both the public (210.210.210.50) and the private (192.168.2.10) address for most of the services running on TCP and UDP. Only PING fails with the real IP. Anyway, PING is not required for the customer.

If I am not mistaken, the syntax for DNAT with static is

static (low,high)

isn't it? Please update me if there is any problem with the above config.

Thanks for your time.

Subba
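As an added example (not part of the thread and not Cisco's code), a small Python audit of the NAT lines Subba posted: it checks that an alias or a static (DMZ,inside) carries the same public/real pair as the static (DMZ,outside), that each inside host in the nat 0 ACL is listed for both addresses the way the posted config does, and that each global address lies in its interface's subnet. It assumes the static field order (real_if,mapped_if) mapped real; the alias check compares the two addresses without regard to order and says nothing about translation direction.

```python
import ipaddress
# Constructed from the NAT-relevant lines of the config posted above (not a complete PIX config).
PIX_CONFIG = """\
name 192.168.2.10 WWW-MAIL-DNS
name 192.168.1.100 pdm-inside
name 210.210.210.50 PUBLICMAILServer
access-list nonat permit ip host pdm-inside host WWW-MAIL-DNS
access-list nonat permit ip host pdm-inside host PUBLICMAILServer
ip address outside 210.210.210.1 255.255.255.0
global (outside) 1 201.201.201.100
nat (inside) 0 access-list nonat
static (DMZ,outside) PUBLICMAILServer WWW-MAIL-DNS netmask 255.255.255.255 0 0
alias (inside) 210.210.210.50 192.168.2.10
"""

def parse_pix(text):  # collect the NAT-relevant statements, resolving 'name' tokens to addresses
    cfg = {"names": {}, "nonat": set(), "static": [], "alias": [], "ifaces": {}, "globals": []}
    ip = lambda tok: cfg["names"].get(tok, tok)
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["name"]:
            cfg["names"][t[2]] = t[1]
        elif t[:3] == ["access-list", "nonat", "permit"] and len(t) >= 8 and t[4] == t[6] == "host":
            cfg["nonat"].add((ip(t[5]), ip(t[7])))       # (inside host, destination)
        elif t[:1] == ["static"]:                       # static (real_if,mapped_if) mapped real
            cfg["static"].append((*t[1].strip("()").split(","), ip(t[2]), ip(t[3])))
        elif t[:1] == ["alias"]:                        # alias (if) addr1 addr2; pair kept unordered
            cfg["alias"].append({ip(t[2]), ip(t[3])})
        elif t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:1] == ["global"]:
            cfg["globals"].append((t[1].strip("()"), t[3]))
    return cfg

def audit(cfg):  # findings about how inside hosts reach a DMZ server by its public and real address
    findings = []
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if (real_if, mapped_if) == ("DMZ", "outside"):
            # Inside-facing DNAT: an alias with the same pair, or a static (DMZ,inside) with the same pair.
            if {mapped, real} not in cfg["alias"] and ("DMZ", "inside", mapped, real) not in cfg["static"]:
                findings.append(f"no alias or static (DMZ,inside) lets inside hosts reach {real} as {mapped}")
            # Mirror the posted config: every exempted inside host is listed for both addresses.
            for host in {h for h, d in cfg["nonat"] if d in (mapped, real)}:
                for dst in (mapped, real):
                    if (host, dst) not in cfg["nonat"]:
                        findings.append(f"nat 0 for {host} is missing destination {dst}")
    for iface, addr in cfg["globals"]:
        if (net := cfg["ifaces"].get(iface)) and ipaddress.ip_address(addr) not in net:
            findings.append(f"global ({iface}) {addr} is not in the {iface} subnet {net}; it must be routed to the PIX")
    return findings
```

On the posted fragment the only finding is the global address 201.201.201.100, which is not in the outside subnet 210.210.210.0/24 and so depends on the upstream router routing it to the PIX.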