New Member

Alias Command

Does the FWSM utilize the Alias command? I am trying to put an FTP server on the DMZ interface where inside and outside users can access it. Can this alias command accomplish this?

2 REPLIES
Cisco Employee

Re: Alias Command

The alias command has been deprecated for a while now. Although you can still use it on the PIX, there is a preferred way to do it using statics now.

It sort of depends on how you want to do this though, and where your DNS server is positioned.

Let's assume that outside users connect to it via a global IP address (1.1.1.1) that has a static translation through to the actual server IP address on the DMZ interface (10.1.1.1). So they work fine just connecting to the global address.

Now, for your inside users, there are three scenarios that could happen.

First is that you have an internal DNS server on the inside interface, and when inside users look up the FTP server's name the inside DNS server returns its actual private IP address. In this case you don't really need to do anything other than allow traffic to pass from the inside to the dmz.

Second is that you have an internal DNS server on the inside interface, and when inside users look up the FTP server's name the inside DNS server returns its global IP address, the same one that outside users use to connect to it. In this case you need to use destination-NAT, where you NAT the destination IP address of a packet as it goes through the FWSM (normal NAT changes the source IP address). The command is as follows:

static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

Note the interface names are swapped around from a normal static. The above command says if you see a packet on the inside interface destined for 1.1.1.1, change the destination to 10.1.1.1 and send it out the dmz interface.

Third scenario is that you have a DNS server on the dmz interface, and when inside users look up the FTP server's name this DNS server returns its global IP address, the same one that outside users use to connect to it. In this case you simply need to have the FWSM change the DNS reply from 1.1.1.1 to 10.1.1.1, so that the inside PCs will connect straight to it. The command for this is a normal static with the "dns" option appended as such:

static (inside,dmz) 1.1.1.1 10.1.1.1 netmask 255.255.255.255 dns

Hope that helps.

New Member

Re: Alias Command

That helped out a lot. Thank you very much.....
