Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Convert Alias to NAT

I am working to convert a 6.3(1) config from conduit to ACL so I can upgrade the code. Output interpreter will not offer conversion suggestions because of an alias command in the config.

Situation: Static inbound nat from outside to dmz with destination nat for inside hosts to dmz

Inside hosts need to communicate with the public (outside) address of the DMZ server. We ARE NOT using DNS doctoring and cannot. This is a VoIP application, the VoIP hosts do not rely on hostnames. A working scenario is an ip phone that communicates with a VoIP gateway server in the DMZ, where the user carries the phone with them while travelling, but also uses it in the office on the inside network.

All Cisco docs that I find relate to using the dns command in the nat statements. The only other doc I find references the alias command and does not offer NAT alternatives.

This is a working config, but IP's are ficticious. Conduits and access lists are excluded.

Outside: 5.5.5.5

DMZ Host: 192.168.5.5

Inside: 10.10.10.0

alias (inside) 5.5.5.5 192.168.5.5 255.255.255.255

static (dmz,outside) 5.5.5.5 198.168.5.5 netmask 255.255.255.255

With these two statements, inside hosts are faked into thinking they are connecting to the dmz public address by the alias command.

The Cisco references that I find suggest using "outbound" nat, but only provide examples related to DNS requests (doctoring). Again, this is not a DNS capable situation.

How do I convert the alias command over to acheive the same result?

Thank you,

Jamison

2 REPLIES
Cisco Employee

Re: Convert Alias to NAT

So the hosts on the inside connect to the 5.5.5.5 address, which then get's changed to the 192.168.5.5 address and sent to the DMZ interface, correct?

The command you need is as follows:

static (dmz,inside) 5.5.5.5 192.168.5.5 netmask 255.255.255.255

Note how the interface names (dmz,inside) are the wrong way around from a "normal" static. This command says that if you see a packet on the inside interface destined for 5.5.5.5, change the destination to 192.168.5.5 and send it out the dmz interface. Hence "destination NAT'ing", not DNS Doctoring.

Note the above static only handles the traffic coming from the inside interface to the DMZ server, you still need your original static that you've shown in your original post to handle traffic from the outside to the dmz.

New Member

Re: Convert Alias to NAT

Simple enough. Works perfectly, thank you very much!

I still had to modify the matching conduits (soon to be acls). With alias, the conduit referred to the public (outside) address. With static, the conduit properly refers to the private (dmz) address.

The way you interpreted the static statement in plain english makes a ton more sense than Cisco NAT nomenclature [global/foreign/local/headache] :)

Thanks again!

Jamison

135
Views
9
Helpful
2
Replies
CreatePlease login to create content