
New Member

Alias to reach a dmz server - Help!

Hi all.

My Customer has a PIX with many public servers on the inside network. They use the alias command to do DNS Doctoring and access the servers from the inside using their domain name. The inside network has a private address and the configuration works fine.

Now they're planning to move the servers to the DMZ and still want to be able to reference the servers with their domain name, but I have problems implementing the alias command as illustrated in http://www.cisco.com/warp/public/110/alias.html

Neither DNS doctoring nor Destination NAT works, and when I deploy the alias command the customer says they cannot even access the server using its private address!!!

First of all: should I use DNS doctoring (i.e. alias (inside) 192.168.199.100 A.B.C.100 255.255.255.255) or Destination NAT (i.e. alias (inside) A.B.C.100 192.168.199.100 255.255.255.255)?

Is there any other option I should enable (e.g. sysopt nodnsalias)?

Please find my config attached. It does not contain the alias for the dmz server, but the Customer is able to access the server using the private address.

Thank you very much for your help!

******************************

pix# wr t
Building configuration...
: Saved
:
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ************** encrypted
passwd ************** encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
no fixup protocol smtp 25
no names
access-list nonat permit ip any 192.168.210.0 255.255.255.0
access-list nonat permit ip any host A.B.C.100
access-list dmz permit icmp any any
pager lines 40
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 18
logging queue 512
no logging message 106014
no logging message 106006
no logging message 305003
no logging message 305002
no logging message 303002
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside A.B.C.126 255.255.255.128
ip address inside 192.168.204.1 255.255.255.0
ip address dmz 192.168.210.3 255.255.255.0
ip verify reverse-path interface outside
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
global (outside) 1 A.B.C.124 netmask 255.255.255.128
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.204.40 A.B.C.40 255.255.255.255
!<many more aliases for the internal servers>
static (inside,outside) A.B.C.7 192.168.204.7 netmask 255.255.255.255 0 0
!< many more static (inside,outside)>
static (dmz,outside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0
access-group dmz in interface dmz
conduit permit tcp host A.B.C.11 eq smtp any
!<many more conduit statements>
outbound 10 permit 192.168.199.99 255.255.255.255 4444 tcp
!<many more outbound statements>
apply (inside) 10 outgoing_src
rip outside passive version 1
rip outside default version 1
rip inside passive version 1
rip inside default version 1
rip dmz passive version 1
rip dmz default version 1
route outside 0.0.0.0 0.0.0.0 A.B.C.125 1
timeout xlate 0:05:00 conn 0:05:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:05:00 h323 0:05:00
timeout uauth 0:02:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection enforcesubnet
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
service resetinbound
isakmp identity hostname
telnet 192.168.195.251 255.255.255.255 inside
telnet 192.168.195.252 255.255.255.255 inside
telnet 192.168.205.253 255.255.255.255 inside
telnet 192.168.205.254 255.255.255.255 inside
telnet timeout 5
terminal width 80
: end
[OK]
pix#

2 REPLIES
Cisco Employee

Re: Alias to reach a dmz server - Help!

If the WWW server is on the DMZ, then you should use Destination NAT. This way the clients will try and connect to the actual global address of the server, and the PIX will intercept this as the packet goes out and change the destination to the address on the DMZ interface. You need to make sure you remove the alias command that does the DNS Doctoring, though; don't have both, otherwise you'll get strange things happening.

The command you probably want is as follows:

> alias (inside) A.B.C.40 192.168.204.40 255.255.255.255

but make sure you remove the:

> alias (inside) 192.168.204.40 A.B.C.40 255.255.255.255

command first.
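As an added illustration (not code from this thread or from Cisco), the following Python models the two effects Cisco documents for a single alias statement, destination translation and DNS A-record rewriting, and runs the two candidate forms from the original question against the DMZ server's addresses; 203.0.113.100 is an assumed stand-in for the redacted A.B.C.100.

```python
"""Constructed model of the PIX command `alias (inside) dnat_ip foreign_ip
netmask` (not Cisco code). A single alias has two documented effects: a packet
from inside sent to dnat_ip is re-addressed to foreign_ip (destination NAT), and
a DNS A record carrying foreign_ip in a reply to inside is rewritten to dnat_ip
(DNS doctoring)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Alias:
    dnat_ip: str
    foreign_ip: str
    netmask: str = "255.255.255.255"

    def _map(self, addr, src, dst):
        """Map addr from the src range to the same offset in the dst range."""
        src_net = IPv4Network(f"{src}/{self.netmask}", strict=False)
        if IPv4Address(addr) not in src_net:
            return None
        dst_net = IPv4Network(f"{dst}/{self.netmask}", strict=False)
        offset = int(IPv4Address(addr)) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def dnat(self, dst):
        """Effect 1: destination rewrite for a packet leaving inside."""
        return self._map(dst, self.dnat_ip, self.foreign_ip)

    def doctor(self, a_record):
        """Effect 2: A-record rewrite for a DNS reply entering inside."""
        return self._map(a_record, self.foreign_ip, self.dnat_ip)


def _first(results, default):
    return next((r for r in results if r is not None), default)

def translate_dst(aliases, dst):
    """Destination the PIX forwards to after the alias statements are applied."""
    return _first((a.dnat(dst) for a in aliases), dst)

def doctor_reply(aliases, a_record):
    """A record the inside client actually receives."""
    return _first((a.doctor(a_record) for a in aliases), a_record)


# Thread values: DMZ server 192.168.210.100 with static global A.B.C.100;
# 203.0.113.100 (TEST-NET-3) is an assumed stand-in for the redacted A.B.C.100.
GLOBAL, DMZ = "203.0.113.100", "192.168.210.100"
DNS_DOCTORING = [Alias(DMZ, GLOBAL)]    # alias (inside) 192.168.210.100 A.B.C.100
DESTINATION_NAT = [Alias(GLOBAL, DMZ)]  # alias (inside) A.B.C.100 192.168.210.100
```

With the doctoring form, a client that types the private address has its packet re-addressed to the global one, which matches the symptom in the question; with the destination NAT form, the private address is left alone and only traffic to the global address is steered into the DMZ.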

New Member

Re: Alias to reach a dmz server - Help!

Glenn, Thank you very much for your tip!

Managed to implement Destination NAT, but only using the global (dmz) command. My first intent was not to use NAT between the inside and the DMZ, but this did not work if the alias was configured. I'm not sure why.

Here's my current (working) config:

ip address inside 192.168.204.1 255.255.255.0
ip address dmz 192.168.210.3 255.255.255.0
!
global (dmz) 1 192.168.210.4 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
alias (inside) A.B.C.100 192.168.210.100 255.255.255.255

Well, I have another problem now.

The Customer is happy to access the dmz web server using the domain name, but still wants to manage it (Terminal Services) using its *private* address, as they used to do when the server was on the inside. They say they cannot do this. Is this expected behaviour?

Thank you
