Cisco Support Community
New Member

Alias on Pix 6.22, Here we go again....

Hi everybody.

I've been searching these forum pages, and found a lot about alias, but I haven't been able to cover "my" scenario:

Here is the point:

How do I configure the Pix, doing Alias when the "Public" DNS servers are located on a DMZ, with "Internal" IP addresses?

I am doing NAT to the outside, and would like the Pix to "fix up" the Internal IP addresses on the DNS servers to be shown as external IP addresses.

Again, the Internal IP addresses in the DNS servers (in DMZ) must be converted into external IP addresses (outside) by the Pix, when someone is doing a DNS lookup from the Internet.

Hope you can help.

Greetings

Jarle

5 REPLIES

Re: Alias on Pix 6.22, Here we go again....

Hi,

Have a look at this page:

http://www.cisco.com/warp/public/110/alias.html

It explains the use of the 'alias' command which is used for 'DNS Doctoring' and 'Destination NAT'.

If you have any more questions, don't hesitate to post them.

Kind Regards,

Tom

New Member

Re: Alias on Pix 6.22, Here we go again....

I guess what I want to do is the DNS Doctoring.

But how do I do this on the outside Interface?

The Zones created on the DNS-Servers in DMZ contain the "real" internal IP addresses of the web and mail-servers (also in the same DMZ).

But these must be translated into the "Public" IP addresses when someone does a DNS lookup from the Internet.

The translations are done as follows:

10.0.0.1 -> 195.141.1.1 = www.mydomain.com

10.0.0.2 -> 195.141.1.2 = smtp.mydomain.com

10.0.0.3 -> 195.141.1.3 = ns1.mydomain.com

10.0.0.4 -> 195.141.1.4 = ns2.mydomain.com

How should the alias command look?

sysopt noproxyarp outside

alias (outside) 195.141.1.1 10.0.0.1 255.255.255.255

alias (outside) 195.141.1.2 10.0.0.2 255.255.255.255

alias (outside) 195.141.1.3 10.0.0.3 255.255.255.255

alias (outside) 195.141.1.4 10.0.0.4 255.255.255.255

Is this correct?

Regards

Jarle

Cisco Employee

Re: Alias on Pix 6.22, Here we go again....

Yep, that looks about right. The 2nd IP address in the alias command is the IP address that is actually in the DNS reply, which the PIX then changes to the 1st IP address.

Can't say I've ever tried it this way, but it should work.
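
The address substitution described in the reply above, modelled on a raw DNS message. This is an added example, not part of the original thread and not PIX code; it says nothing about which interfaces the PIX applies the rewrite on. The alias table comes from the question; the sample reply and the function names are constructed for illustration.

```python
import socket
import struct

# Mapping from the thread's alias lines: address found in the DNS reply
# (2nd alias argument) -> address substituted for it (1st alias argument).
ALIASES = {"10.0.0.1": "195.141.1.1", "10.0.0.2": "195.141.1.2",
           "10.0.0.3": "195.141.1.3", "10.0.0.4": "195.141.1.4"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def walk_rrs(msg):
    """Yield (type, class, rdata_offset, rdlength) for each resource record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        yield rtype, rclass, off + 10, rdlen
        off += 10 + rdlen

def a_records(msg):
    """List the IPv4 addresses carried in IN A records."""
    return [socket.inet_ntoa(msg[o:o + 4])
            for t, c, o, n in walk_rrs(msg) if (t, c, n) == (1, 1, 4)]

def doctor(msg, aliases):
    """Return a copy of msg with aliased A-record addresses replaced."""
    out = bytearray(msg)
    for t, c, o, n in walk_rrs(msg):
        ip = socket.inet_ntoa(msg[o:o + 4]) if (t, c, n) == (1, 1, 4) else None
        if ip in aliases:
            out[o:o + 4] = socket.inet_aton(aliases[ip])   # same length, offsets stay valid
    return bytes(out)

# Constructed sample reply for www.mydomain.com: one aliased and one unrelated A record.
_rr = lambda ip: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
SAMPLE = (struct.pack("!6H", 0x1234, 0x8400, 1, 2, 0, 0)
          + b"\x03www\x08mydomain\x03com\x00" + struct.pack("!HH", 1, 1)
          + _rr("10.0.0.1") + _rr("192.0.2.7"))

if __name__ == "__main__":
    print(a_records(SAMPLE), "->", a_records(doctor(SAMPLE, ALIASES)))
```

Only the four RDATA bytes of matching A records change, so the message length, header counts and compression pointers remain valid.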

New Member

Re: Alias on Pix 6.22, Here we go again....

Thanks again, but ...

It still does not work. I just tested it (with the command sysopt noproxyarp outside included).

Any other idea how it could work?

Is what I'm trying to do supported at all?

New Member

Re: Alias on Pix 6.22, Here we go again....

Hi again

I've just been talking to TAC, and they have informed me that it is not possible to do DNS Doctoring to the outside interface on the Pix.

That means: this configuration is not possible; the DNS servers have to be placed on the outside of the Pix or on a DMZ without any NAT to the outside.
