Another 'alias' with ACL question

From the Examples section for the 'alias' command in the 6.2 command ref: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid9

<snip>

In the next example, a web server is on the inside at 10.1.1.11 and a static command statement was created for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:

www.example.com. IN A 209.165.201.11

The period at the end of the www.example.com. domain name must be included.

The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.

The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

====> I understand everything up to here <====

But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

<snip>

...I do not understand why the source and destination terms in the ACL are simply swapped. Another thread here says that, for traffic arriving on an interface, ACLs are processed first...so again, why the swap? (I'm assuming the ACL is applied inbound on the outside interface).
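The following is an added example, not from the quoted Cisco command reference or from either poster. It is a small Python model of the three mechanisms the thread talks about, using the addresses from the quoted 6.2 example: alias-style DNS doctoring of an A record for inside clients, the static translation of the global address to the inside address, and evaluation of the two access-list lines against a 5-tuple. The address-matching and rewrite logic is a simplification written for illustration (it only models `host` operands and `eq` ports), not the PIX's actual processing order; what it shows is that the two quoted ACEs describe opposite directions of the same telnet connection.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Values constructed from the quoted command-reference example (assumed, not captured).
ALIAS = ("10.1.1.11", "209.165.201.11", "255.255.255.255")   # alias dnat_ip foreign_ip mask
STATIC = ("209.165.201.11", "10.1.1.11")                      # static (inside,outside) global local
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}           # subset of PIX port keywords


def _int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def doctor_dns_answer(records, alias=ALIAS):
    """Model of alias DNS doctoring: A records that fall inside foreign_ip/mask are
    rewritten to the corresponding address in the dnat_ip range before the answer
    reaches an inside client (host bits are preserved for masks shorter than /32)."""
    dnat, foreign, mask = (_int(x) for x in alias)
    out = []
    for name, rtype, rdata in records:
        if rtype == "A" and _int(rdata) & mask == foreign & mask:
            host_bits = _int(rdata) & ~mask & 0xFFFFFFFF
            rdata = str(ipaddress.ip_address((dnat & mask) | host_bits))
        out.append((name, rtype, rdata))
    return out


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def untranslate_static(pkt: Packet, static=STATIC) -> Packet:
    """Model of the static: a packet arriving on outside for the global address
    has its destination rewritten to the inside local address."""
    global_ip, local_ip = static
    if pkt.dst == global_ip:
        return Packet(pkt.proto, pkt.src, pkt.sport, local_ip, pkt.dport)
    return pkt


@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto and self.src == pkt.src and self.dst == pkt.dst
                and self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport))


def parse_ace(line: str):
    """Parse 'access-list NAME permit|deny PROTO host A [eq P] host B [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    name, action, proto, i = tok[1], tok[2], tok[3], 4

    def host_and_port():
        nonlocal i
        if tok[i] != "host":
            raise ValueError(f"only 'host' operands are modelled: {line}")
        ip, port, i = tok[i + 1], None, i + 2
        if i < len(tok) and tok[i] == "eq":
            port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        return ip, port

    src, sport = host_and_port()
    dst, dport = host_and_port()
    return name, ACE(action, proto, src, sport, dst, dport)


def evaluate_acl(aces, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def demo():
    # Constructed DNS answer as returned by the outside DNS server.
    answer = [("www.example.com.", "A", "209.165.201.11")]
    expected = parse_ace("access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet")[1]
    swapped = parse_ace("access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7")[1]
    # Outside host opening telnet to the global address (constructed source port).
    inbound = Packet("tcp", "209.165.201.7", 40000, "209.165.201.11", 23)
    # The same connection seen in the server-to-client direction.
    reply = Packet("tcp", "209.165.201.11", 23, "209.165.201.7", 40000)
    return {
        "doctored_answer": doctor_dns_answer(answer)[0][2],
        "after_static": untranslate_static(inbound).dst,
        "expected_vs_inbound": evaluate_acl([expected], inbound),
        "swapped_vs_inbound": evaluate_acl([swapped], inbound),
        "swapped_vs_reply": evaluate_acl([swapped], reply),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the doctored answer becoming 10.1.1.11, the static mapping the inbound destination to 10.1.1.11, and the first ACE matching the client-to-server packet while the swapped ACE matches only the server-to-client direction of that connection.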


Re: Another 'alias' with ACL question

I remember this workaround was introduced when the PIX started supporting multiple DMZ interfaces. I don't think reversing the addresses is required on a two interface PIX where the acl is permitting traffic to the inside. I would test it the other way first and if it works, provide feedback to the TAC on this document. I wish the alias command just did DNAT like it was originally designed and another command was used to fixup dns but that's not the case now.
