Cisco Support Community
New Member

Alias to reach a dmz server - Help!

Hi all.

My Customer has a Pix with many public servers on the inside network. They use the alias command to do DNS Doctoring and access the servers from the inside using their domain name. The inside network has a private address and the configuration works fine.

Now they're planning to move the servers to the DMZ and still want to be able to reference the servers with their domain name, but I have problems implementing the alias command as illustrated in

Neither DNS doctoring nor Destination Nat work, and when I deploy the alias command the customer says they cannot even access the server using its private address!!!

First of all: should I use DNS doctoring (i.e. alias (inside) A.B.C.100) or Destination Nat (i.e. alias (inside) A.B.C.100)?

Is there any other option I should enable (e.g. sysopt nodnsalias)?

Please find my config attached. It does not contain the alias for the dmz server, but the Customer is able to access the server using the private address.

Thank you very much for your help!


pix# wr t
Building configuration...
: Saved
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ************** encrypted
passwd ************** encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
no fixup protocol smtp 25
no names
access-list nonat permit ip any
access-list nonat permit ip any host A.B.C.100
access-list dmz permit icmp any any
pager lines 40
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 18
logging queue 512
no logging message 106014
no logging message 106006
no logging message 305003
no logging message 305002
no logging message 303002
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside A.B.C.126
ip address inside
ip address dmz
ip verify reverse-path interface outside
no failover
failover timeout 0:00:00
failover ip address outside
failover ip address inside
failover ip address dmz
arp timeout 14400
global (outside) 1 A.B.C.124 netmask
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (dmz) 1 0 0
alias (inside) A.B.C.40
!<many more aliases for the internal servers>
static (inside,outside) A.B.C.7 netmask 0 0
!< many more static (inside,outside)>
static (dmz,outside) A.B.C.100 netmask 0 0
access-group dmz in interface dmz
conduit permit tcp host A.B.C.11 eq smtp any
!<many more conduit statements>
outbound 10 permit 4444 tcp
!<many more outbound statements>
apply (inside) 10 outgoing_src
rip outside passive version 1
rip outside default version 1
rip inside passive version 1
rip inside default version 1
rip dmz passive version 1
rip dmz default version 1
route outside A.B.C.125 1
timeout xlate 0:05:00 conn 0:05:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:05:00 h323 0:05:00
timeout uauth 0:02:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection enforcesubnet
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
service resetinbound
isakmp identity hostname
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
terminal width 80
: end



Cisco Employee

Re: Alias to reach a dmz server - Help!

If the WWW server is on the DMZ, then you should use Destination NAT. This way the clients will try and connect to the actual global address of the server, and the PIX will intercept this as the packet goes out and change the destination to the address on the DMZ interface. You need to make sure you remove the alias command that does the DNS Doctoring though; don't have both, otherwise you'll get strange things happening.

The command you probably want is as follows:

> alias (inside) A.B.C.40

but make sure you remove the:

> alias (inside) A.B.C.40

command first.
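The two interpretations of the alias command contrasted in this answer, DNS doctoring (rewrite the A-record answer so the client connects straight to the private address) and destination NAT (leave DNS alone, rewrite the packet's destination on the way to the DMZ and the reply's source on the way back), as an added toy model in Python. This is example code written for this thread, not PIX code and not from either poster; the addresses are constructed RFC 5737 / RFC 1918 placeholders standing in for A.B.C.100 and the customer's private DMZ and inside addresses, and the `Alias` class is a simplified model, not the PIX implementation. The trace also shows what the model does when an inside client addresses the DMZ server's private address directly while the destination-NAT alias is active.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (RFC 5737 / RFC 1918), standing in for the thread's
# A.B.C.100 public address, the server's private DMZ address and an inside client.
GLOBAL_IP = "203.0.113.100"
DMZ_IP = "192.168.50.10"
CLIENT_IP = "10.1.1.25"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Alias:
    """One 'alias (inside) dnat_ip foreign_ip' entry, interpreted either as
    DNS doctoring (rewrite A-record answers) or as destination NAT (rewrite
    packet addresses). Toy model for illustration, not the PIX implementation."""
    dnat_ip: str      # private address the alias points at (here the DMZ server)
    foreign_ip: str   # public address that public DNS hands out
    mode: str         # "dns" = DNS doctoring, "dnat" = destination NAT (sysopt nodnsalias)

    def dns_answer(self, answer_ip: str) -> str:
        """DNS doctoring: an answer carrying the public address is rewritten to the private one."""
        if self.mode == "dns" and answer_ip == self.foreign_ip:
            return self.dnat_ip
        return answer_ip

    def inside_to_dmz(self, pkt: Packet) -> Packet:
        """Destination NAT, request direction: a public destination becomes the DMZ address."""
        if self.mode == "dnat" and pkt.dst == self.foreign_ip:
            return Packet(pkt.src, self.dnat_ip)
        return pkt

    def dmz_to_inside(self, pkt: Packet) -> Packet:
        """Destination NAT, reply direction: the server's private source is put back to
        the public address so the client sees the address it connected to."""
        if self.mode == "dnat" and pkt.src == self.dnat_ip:
            return Packet(self.foreign_ip, pkt.dst)
        return pkt


def session(alias: Alias, connect_to: Optional[str] = None) -> dict:
    """Trace one inside client: resolve the name (or use connect_to directly),
    push the request through the firewall, then bring the server's reply back.
    Reports what the client targeted, what the server saw, and where the reply came from."""
    # Public DNS answers with the public address; the alias may doctor that answer.
    target = connect_to or alias.dns_answer(GLOBAL_IP)
    request = alias.inside_to_dmz(Packet(CLIENT_IP, target))
    reply = alias.dmz_to_inside(Packet(request.dst, request.src))
    return {
        "client_target": target,
        "server_saw_dst": request.dst,
        "reply_src": reply.src,
        # A TCP session only survives if the reply comes from the address the client used.
        "consistent": reply.src == target,
    }


if __name__ == "__main__":
    for mode in ("dns", "dnat"):
        print(mode, session(Alias(DMZ_IP, GLOBAL_IP, mode)))
    # Direct access to the private address while the destination-NAT alias is active.
    print("dnat, direct", session(Alias(DMZ_IP, GLOBAL_IP, "dnat"), connect_to=DMZ_IP))
```

In the "dns" mode the firewall never touches the packets; the client simply connects to the private address it was handed. In the "dnat" mode the client keeps using the public address and the firewall rewrites both directions, which is why the reply comes back from the address the client expects. Addressing the private address directly in "dnat" mode makes the model rewrite the reply's source even though the request was never translated, so the two addresses no longer match.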

New Member

Re: Alias to reach a dmz server - Help!

Glenn, Thank you very much for your tip!

Managed to implement Destination Nat, but only using the global (dmz) command. My first intent was not to use nat between the inside and the DMZ but this did not work if the alias was configured. I'm not sure why.

Here's my current (working) config:

ip address inside
ip address dmz
global (dmz) 1 netmask
nat (inside) 1 0 0
alias (inside) A.B.C.100

Well, I have another problem now.

The Customer is happy to access the dmz web server using the domain name, but still wants to manage it (Terminal Services) using its *private* address, as they used to do when the server was on the inside. They say they cannot do this. Is this an expected behaviour?

Thank you