Cisco Support Community
Community Member

DNS doctoring ALIAS replacement with newer bi-directional NAT commands?

I have used the alias command on the PIX at my house to make one simple "dns doctor" for my home's terminal/web server. Here is an excerpt from my current config:

global (outside) 1 interface

nat (inside) 1 0 0

alias (inside) x.x.x.x

static (inside,outside) tcp interface www www netmask 0 0

This works great, as I can always reach my internal server from the inside by the DNS name given on an Internet DNS server. I've never been able to use most of PDM because of no "alias" command support. The newest version of PDM recommends migrating alias to the new outside NAT commands. I noticed the NAT also has a DNS option but can't really find any good documentation or examples. What would the replacement nat line be for my alias? Does it really work for DNS doctoring and replace the alias command? Thanks!

Cisco Employee

Re: DNS doctoring ALIAS replacement with newer bi-directional NA

Just remove the alias command and add another static to be:

> static (inside,outside) interface dns netmask 0 0

Should be all you need. You still have to have the port static that you specify, since you can't add a DNS option onto a port static, I'm assuming that the only DNS replies that have the PIX outside interface in them would be from your machine doing a lookup for the www server, so it should be OK. Make sure you're running 6.2 code though.

Documentation is here:

Community Member

Re: DNS doctoring ALIAS replacement with newer bi-directional NA

Read the document for the DNS option stating "Specifies that DNS replies that match the xlate are translated." and tried it on my 501 by clearing the existing alias and using the format in your reply. It seemed to kill DNS from my internal machines altogether. I also found that even after a clear xlate I had to reload the PIX to get DNS back on internal machines. I'm running the latest 6.3 code and PDM beta. Tried it twice with the same result.

Just to fully clarify what I'm trying to achieve: I have a cable modem that never changes IP, but I am still using the dhcp client option on the PIX outside interface. I have the appropriate access lists, statics, etc. for internal web servers and terminal servers on different machines using PAT static redirection. I use the alias (along with noproxyarp) so I can reach the machines by their local private address even though the remote DNS is providing internal machines with the external IP of the PIX (which of course I can't reach from the inside). Thanks!
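To make the documented semantics of the dns keyword ("DNS replies that match the xlate are translated") concrete, here is an added Python simulation; it is not code from the thread, the PIX, or Cisco. It models the outside-to-inside case the thread is about: a reply carrying the static's global address is rewritten to the local address before it reaches the inside host. The 203.0.113.5/192.168.1.10 pair and the DNS reply are constructed sample data.

```python
import struct

# Constructed xlate table, modelling one "static (inside,outside) <global> <local> dns"
# entry: global (outside) address -> local (inside) address. Addresses are made up.
XLATE = {"203.0.113.5": "192.168.1.10"}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR in a DNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen

def a_records(msg):
    """Dotted-quad addresses of all IN A records in the message."""
    return [".".join(map(str, msg[o:o + 4]))
            for t, c, o, n in _records(msg) if t == 1 and c == 1 and n == 4]

def doctor_reply(msg, xlate=XLATE):
    """Rewrite A-record rdata that matches the xlate; returns (new_msg, count)."""
    out = bytearray(msg)
    rewritten = 0
    for rtype, rclass, off, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = ".".join(map(str, msg[off:off + 4]))
            if addr in xlate:                  # reply matches the static's global IP
                out[off:off + 4] = bytes(map(int, xlate[addr].split(".")))
                rewritten += 1
    return bytes(out), rewritten

def build_reply(name, addr):
    """Constructed DNS reply: one question plus one A answer (compressed owner name)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = labels + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, addr.split(".")))
    return header + question + answer
```

A reply whose answer is not in the xlate table passes through unchanged, which is why a port-only static (as in the first post) would never trigger a rewrite on its own.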
