DNS doctoring ALIAS replacement with newer bi-directional NAT commands?

terryv94
Level 1

I have used the alias command on the PIX at my house to make one simple "DNS doctor" for my home's terminal/web server. Here is an excerpt from my current config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.201 x.x.x.x 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0

It works great, as I can always reach my internal server from the inside by the DNS name given on an Internet DNS server. I've never been able to use most of PDM because of no "alias" command support. The newest version of PDM recommends migrating alias to the new outside NAT commands. I noticed the NAT also has a DNS option but can't really find any good documentation or examples. What would the replacement nat line be for my alias? Does it really work for DNS doctoring and replace the alias command? Thanks!

2 Replies

gfullage
Cisco Employee

Just remove the alias command and add another static to be:

> static (inside,outside) interface 192.168.1.201 dns netmask 255.255.255.255 0 0

That should be all you need. You still have to have the port static that you specify, since you can't add a DNS option onto a port static. I'm assuming that the only DNS replies that have the PIX outside interface in them would be from your machine doing a lookup for the www server, so it should be OK. Make sure you're running 6.2 code though.

Documentation is here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694
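The behaviour the reply describes ("DNS replies that match the xlate are translated") as an added Python illustration; this is not Cisco's or the PIX's code. It walks a DNS reply and rewrites any A-record rdata equal to the static's outside address with the inside address, leaving everything else untouched. The outside address 203.0.113.10 and the host name are constructed placeholders (the post writes the real address as x.x.x.x).

```python
import struct
import ipaddress

# Constructed static xlate, as in the thread: inside host 192.168.1.201 is
# reached from outside via the PIX outside interface. 203.0.113.10 is an
# assumed documentation-range stand-in for the post's x.x.x.x.
XLATE = {"203.0.113.10": "192.168.1.201"}  # outside -> inside

def _skip_name(msg, off):
    """Return the offset just past a DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_reply(msg, xlate=XLATE):
    """Rewrite A-record rdata that matches an outside address in xlate.
    Mirrors the 'dns' keyword on a static: inside clients get the inside address."""
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # answer, authority and additional records
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            addr = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if addr in xlate:
                out[off:off + 4] = ipaddress.IPv4Address(xlate[addr]).packed
        off += rdlen
    return bytes(out)

def build_reply(name, answer_ip):
    """Construct a minimal DNS reply (one question, one A answer) for demonstration."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # 0xC00C: compression pointer back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer

if __name__ == "__main__":
    reply = build_reply("www.example.com", "203.0.113.10")   # constructed reply
    print(ipaddress.IPv4Address(doctor_reply(reply)[-4:]))    # 192.168.1.201
```

A reply carrying an address that is not part of the xlate passes through unchanged, which is why the port-only static in the question cannot do this on its own.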

I read the document for the DNS option stating "Specifies that DNS replies that match the xlate are translated." and tried it on my 501 by clearing the existing alias and using the format in your reply. It seemed to kill DNS from my internal machines altogether. I also found that even after a clear xlate I had to reload the PIX to get DNS back on internal machines. I'm running the latest 6.3 code and PDM beta. Tried it twice with the same result.

Just to fully clarify what I'm trying to achieve: I have a cable modem that never changes IP, but I am still using the DHCP client option on the PIX outside interface. I have the appropriate access lists, statics, etc. for internal web servers and terminal servers on different machines using PAT static redirection. I use the alias (along with noproxyarp) so I can reach the machines by their local private address even though the remote DNS is providing internal machines with the external IP of the PIX (which of course I can't reach from the inside). Thanks!
