
New Member

Another 'alias' with ACL question

From the Examples section for the 'alias' command in the 6.2 command ref:


In the next example, a web server is on the inside at and a static command statement was created for it at The source host is on the outside with address A DNS server on the outside has a record for as follows: IN A

The period at the end of the domain name must be included.

The alias command follows:


PIX Firewall doctors the nameserver replies to for inside clients to directly connect to the web server.

The static command statement is as follows:

static (inside,outside)

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host host eq telnet

====> I understand everything up to here <====

But with the alias command, use this command:

access-list acl_grp permit tcp host eq telnet host


...I do not understand why the source and destination terms in the ACL are simply swapped. Another thread here says that, for traffic arriving on an interface, ACLs are processed again, so why the swap? (I'm assuming the ACL is applied inbound on the outside interface.)
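As an added illustration (not from this thread and not Cisco's own code), the following Python script simulates the one part of the example that the command reference states plainly: the alias command "doctors" the nameserver reply so that an inside client resolving the web server's name receives the server's inside address rather than the outside address held in the static translation. It builds a minimal DNS response, walks the answer section (handling name compression), and rewrites any A record that carries the outside address. The hostname and all addresses are constructed placeholders from the RFC 5737 documentation ranges, since the thread's own values were lost in extraction; the script makes no claim about how the PIX orders ACL evaluation relative to alias, which is the question the post asks.

```python
"""Simulate PIX 'alias'-style DNS doctoring: rewrite the A record in a
nameserver reply so inside clients get the server's inside address instead
of its outside (static-translated) address.

All names and addresses below are constructed placeholders (RFC 5737
documentation ranges), not values from the original thread."""
import struct

OUTSIDE_ADDR = "203.0.113.10"   # constructed: address the outside DNS returns
INSIDE_ADDR = "192.0.2.10"      # constructed: real inside address of the web server
QNAME = "www.example.com."      # constructed; trailing period as in the doc


def encode_name(name):
    """Encode a dotted FQDN (trailing period optional) into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(qname, addr, ttl=300, txid=0x1234):
    """Construct a minimal standard DNS response with one A record answer.
    The answer NAME is a compression pointer (0xC00C) to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            if not jumped:
                end = off + 2                 # a pointer ends the name in-line
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def iter_answers(msg):
    """Yield (name, rtype, rclass, rdata_offset, rdlength) for each answer RR."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, off, rdlen
        off += rdlen


def doctor_reply(msg, outside_addr, inside_addr):
    """Return (doctored_reply, count): every A record whose RDATA equals
    outside_addr is rewritten to inside_addr; all other records are untouched.
    Rewriting 4 bytes in place keeps every offset and pointer valid."""
    msg = bytearray(msg)
    want = bytes(int(o) for o in outside_addr.split("."))
    new = bytes(int(o) for o in inside_addr.split("."))
    rewritten = 0
    for _name, rtype, rclass, off, rdlen in list(iter_answers(msg)):
        if rtype == 1 and rclass == 1 and rdlen == 4 and bytes(msg[off:off + 4]) == want:
            msg[off:off + 4] = new
            rewritten += 1
    return bytes(msg), rewritten


def answered_addresses(msg):
    """List (name, dotted address) for the A records in the answer section."""
    return [(name, ".".join(str(b) for b in msg[off:off + 4]))
            for name, rtype, _c, off, rdlen in iter_answers(msg)
            if rtype == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_reply(QNAME, OUTSIDE_ADDR)
    print("before:", answered_addresses(reply))
    doctored, n = doctor_reply(reply, OUTSIDE_ADDR, INSIDE_ADDR)
    print("after: ", answered_addresses(doctored), "rewritten:", n)
```

The rewrite is keyed on the outside address rather than the name, which mirrors the alias command's pairing of an outside address with an inside address; a reply for some other name that happens to resolve to an unrelated address passes through unchanged.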

New Member

Re: Another 'alias' with ACL question

I remember this workaround was introduced when the PIX started supporting multiple DMZ interfaces. I don't think reversing the addresses is required on a two interface PIX where the acl is permitting traffic to the inside. I would test it the other way first and if it works, provide feedback to the TAC on this document. I wish the alias command just did DNAT like it was originally designed and another command was used to fixup dns but that's not the case now.
