PIX515E 6.3(1) PDM 3.0 and alias command problems...
I have a PIX515E running 6.3(1). It was configured when I started this position and is currently up and running 24/7 at our site. I am trying to enable the built-in PDM but have come across a snag. When I try to connect and launch the PDM I receive the message below and have been unable to find Cisco documentation that outlines a fix. Any help would be appreciated.
Here is the message I receive from the PDM:
"PDM has encountered a firewall configuration command statement that PDM does not support. Configuration parsing has been stopped. PDM access is now limited to the Home and Monitoring views during the current session. To regain access to the rest of PDM, use the command line interface window to fix the unsupported command statement and then refresh PDM with the modified firewall configuration.
PDM does not support the 'alias' command in your configuration.
Cisco recommends that you consider migrating from the 'alias' command to the newer 'outside nat' feature (also known as bi-directional nat), which provides functionality equivalent to that of the 'alias' command. PDM fully supports 'outside nat' configurations. Please review the latest PIX firewall command reference for more information on this command."
Here is an example of the alias commands used...
alias (inside) 22.214.171.124 webserver1 255.255.255.255
It's difficult to say from your command which use of the alias command you're implementing, but I'm guessing it's for Destination NAT'ing (not DNS Doctoring), where your users are accessing this web server using the 126.96.36.199 address and the PIX is sending this onto the IP address used by the "webserver1" name on a DMZ segment.
If that is indeed the case, then you can use the new form of the static command instead and get rid of the alias commands.
For your above example, and assuming "webserver1" is an IP address on the interface called "dmz", then you would add:
This says that if I see a packet on the inside interface addressed to 188.8.131.52, then send it to "webserver1" on the dmz interface. You should "clear xlate" after adding this and removing the associated alias command.
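The migration the answer describes (alias for destination NAT replaced by a PIX 6.2+ `static` from the server's real interface to the inside interface, followed by `clear xlate`) can be applied mechanically to a saved configuration. The script below is an added example, not code from the original thread or from Cisco. It assumes the PIX 6.x syntax `alias (if_name) dnat_ip foreign_ip [netmask]`, that each alias is used for destination NAT rather than DNS doctoring (the one case the answer covers), that every server really sits on an interface named `dmz` (a hypothetical name, passed in as `real_ifc`), and that a host name such as `webserver1` is already defined by a `name` command on the box. The sample configuration is constructed for the example.

```python
import re
from typing import List, Optional

# PIX 6.x syntax assumed here (interface form only):
#   alias (if_name) dnat_ip foreign_ip [netmask]
# dnat_ip    = address the hosts on if_name send traffic to
# foreign_ip = real address (or 'name' entry) of the server
ALIAS_RE = re.compile(
    r"^\s*alias\s+\((?P<ifc>[\w-]+)\)\s+(?P<dnat>\S+)\s+(?P<real>\S+)"
    r"(?:\s+(?P<mask>\S+))?\s*$"
)

# Constructed sample config, modelled on the alias line in the question.
SAMPLE_CONFIG = """names
name 10.1.2.20 webserver1
alias (inside) 22.214.171.124 webserver1 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def alias_to_static(line: str, real_ifc: str) -> Optional[str]:
    """Rewrite one destination-NAT alias as the equivalent static command.

    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
    The server lives on real_ifc (assumed 'dmz'); hosts on the alias's
    interface keep using the old dnat address, which becomes the mapped
    address facing that interface.  Returns None for non-alias lines.
    """
    m = ALIAS_RE.match(line)
    if not m:
        return None
    mask = m.group("mask") or "255.255.255.255"
    return (f"static ({real_ifc},{m.group('ifc')}) "
            f"{m.group('dnat')} {m.group('real')} netmask {mask}")


def convert_config(config: str, real_ifc: str = "dmz") -> List[str]:
    """Return the config lines with each alias removed and replaced by its
    static equivalent, ending with the 'clear xlate' the answer calls for
    so stale translations are dropped."""
    out: List[str] = []
    changed = False
    for line in config.splitlines():
        static = alias_to_static(line, real_ifc)
        if static is None:
            out.append(line)
            continue
        out.append(f"no {line.strip()}")  # remove the alias first
        out.append(static)
        changed = True
    if changed:
        out.append("clear xlate")
    return out


if __name__ == "__main__":
    for cmd in convert_config(SAMPLE_CONFIG):
        print(cmd)
```

Review the generated lines before pasting them into the CLI: an alias that was doing DNS doctoring rather than destination NAT needs a `static` with the `dns` keyword instead, and a `name` entry for the real host must exist (or be replaced by its IP) before the `static` is accepted.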