New Member

PIX 520 3 PORT VERSION 6.0(1)

I have a PIX 520 with 3 ports. At the DMZ there is a web server. I use the static command to allow outside users to access the web server. To allow inside users to access the web server correctly, I use the alias command to resolve the domain name to the DMZ IP address 192.168.1.253.

The question is: when I use the alias command to resolve the domain name, it works well; the domain IP address isn't the global IP address 211.99.175.50.

But the inside user can't access the web server.

At this time, I ping 192.168.1.253 and the PIX NATs it to the outside pool, but if I ping 192.168.1.252 etc., the PIX NATs it to the DMZ.

If I don't use the alias command, when I ping 192.168.1.253 the PIX NATs it to the DMZ, which is correct, but you know, the inside user can't access the web server correctly at this time.

What can I do? I need your help.

Duzaidong, Thanks

2 REPLIES
New Member

Re: PIX 520 3 PORT VERSION 6.0(1)

I'm not sure I completely understand your situation. However, the behavior of the PIX, using the alias command, has changed in 6.0(1). In 6.0(1), when you use the alias command to DNS fixup (which you are trying to do), the PIX interface will now proxy-arp for the aliased address. This is useful if you are using the alias command for destination NAT, but causes DNS fixup to not work.

After you have implemented the alias command, do a show arp and check the MAC address that is associated with your alias address. You may find that it is one of the PIX interfaces (inside or DMZ). If so, then enabling sysopt noproxyarp (PIX_interface) will resolve the issue.

HTH

Jeff
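The `show arp` check described in the reply above, as an added example that is not part of the original thread and is not Cisco code: it flags alias addresses whose ARP entry carries one of the firewall's own interface MACs. The line layout (`interface ip mac`), the MAC addresses and the 10.0.0.25 host are constructed assumptions; only 192.168.1.253 and 192.168.1.252 come from the thread.

```python
import re

# Assumed line layout: "<interface> <ip> <mac>", MAC in Cisco dotted-hex form.
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f.:\-]+)\s*$"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Yield (interface, ip, mac) for each line matching the assumed layout."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # banner, prompt or blank line
        try:
            yield m.group(1), m.group(2), normalize_mac(m.group(3))
        except ValueError:
            continue  # third column was not a full MAC

def proxy_arp_hits(arp_text, alias_ips, firewall_macs):
    """Return (alias_ip, arp_interface, owning_fw_interface) for every alias
    address whose ARP entry holds one of the firewall's own interface MACs."""
    owners = {normalize_mac(mac): name for name, mac in firewall_macs.items()}
    wanted = set(alias_ips)
    return [
        (ip, iface, owners[mac])
        for iface, ip, mac in parse_arp(arp_text)
        if ip in wanted and mac in owners
    ]

# Constructed sample: pasted "show arp" output and the firewall's interface MACs.
SAMPLE_ARP = """\
inside 10.0.0.25 0010.a4c1.7e02
inside 192.168.1.253 0050.54ff.0a01
dmz 192.168.1.252 0008.c7d2.11b4
"""
FIREWALL_MACS = {"inside": "0050.54ff.0a01", "dmz": "00:50:54:ff:0a:02"}

if __name__ == "__main__":
    for ip, seen_on, owner in proxy_arp_hits(SAMPLE_ARP, ["192.168.1.253"], FIREWALL_MACS):
        print(f"{ip} in the {seen_on} ARP table maps to the firewall's own {owner} MAC")
```

A hit means the firewall itself is answering ARP for the alias address, which is the condition the reply says `sysopt noproxyarp` is meant to remove.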

New Member

Re: PIX 520 3 PORT VERSION 6.0(1)

Thanks for your help

According to your instructions, I tried again, but the problem still isn't solved.

When I ping the domain name, the alias command works well. It can transfer the DNS to the DMZ address, but the NAT still directs the traffic to the outside interface.
