Cisco Support Community
Community Member

alias command

Is it possible to access a server in the DMZ with both the public IP (with DNAT by the alias command) and the private IP (with NAT0 while going from inside to DMZ with the real IP of the DMZ server)?

We got a requirement with PIX for... a few hosts in the inside network (from the same subnet) should access the DMZ server with the real IP (private) and a few others with the public IP address (static translated from DMZ to outside).

Thanks for your time.


Re: alias command

I don't think it is possible. Once the alias command is in place, it will always try to do its function. You can try to do static translation with access-list along with DNAT (not alias).

Community Member

Re: alias command

I don't understand the difference between doing DNAT with the alias command and the static command. Is there any difference?

Could you post the configuration that you think?


Re: alias command


Basically, functioning-wise, no difference. BUT

using DNAT, you have the luxury to define access-lists in your static translation, which you can't do otherwise with alias.

Basically, you need to combine policy NAT (as per this link) with DNAT.

DNAT is nothing more than using a static translation like this:

static (high,low)

I am just giving you an idea; need to work on the exact example though.

Community Member

Re: alias command

Hi Nadeem,

The below works on PIX515E-UR with 6.3(3).

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security4



name pdm-inside


access-list nonat permit ip host pdm-inside host WWW-MAIL-DNS

access-list nonat permit ip host pdm-inside host PUBLICMAILServer

ip address outside

ip address inside

ip address DMZ

global (outside) 1

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

static (DMZ,outside) PUBLICMAILServer WWW-MAIL-DNS netmask 0 0

alias (inside)

conduit permit icmp any any echo-reply

route outside 1

The above configuration is with "alias" for DNAT.

I also tried the DNAT by static command, as below:

static (DMZ,inside)

In either case the result is the same. I can access the DMZ server with both public ( and private ( with most of the services running on TCP and UDP. Only PING fails with the real IP. Anyway, PING is not required for the customer.

If I am not mistaken, the syntax for DNAT with static is

static (low,high)

isn't it? Please update me if there is any problem with the above config.

Thanks for your time.

