Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX515E 6.3(1) PDM 3.0 and alias command problems...


I have a PIX515E running 6.3(1). It was configured when I started this postion and is currently up and running 24/7 at our site. I am trying to enable the builtin PDM but have come across a snag. When I try to connect and launch the PDM I receive the message below and have been unable to find Cisco documentation that outlines a fix. Any help would be appreciated.

Here is the message I receive from the PDM::

"PDM has encountered a firewall configuration command statement that PDM does not support. Cofiguration parsing has been stopped. PDM access is now limited to the Home and Monitoring views durring the current session. To regain access to the rest of PDM, use the commmand line interface window to fix the unsupported command statement and then refresh PDM with the modified firewall configuration.

PDM does not support the 'alias' command in your configuration.

Cisco recommends that you consider migrating from the 'alias' command to the newer 'outside nat' feature (also know as bi-directional nat), which provides functionality equivalent to that of the 'alias' command. PDM fully supports 'outside nat' configurations. Please review the latest PIX firewall command reference for more information on this command."

Here is an example of the alias commands used...

alias (inside) webserver1

Thank you,


Cisco Employee

Re: PIX515E 6.3(1) PDM 3.0 and alias command problems...

First off, the alias command is used for two different purposes as outlined here:

It's difficult to say from your command which use of the alias command you're implementing, but I'm guessing it's for Destination NAT'ing (not DNS Doctoring), where your users are accessing this web server using the address and the PIX is sending this onto the IP address used by the "webserver1" name on a DMZ segment.

If that is indeed the case, then you can use the new form of the static command instead and get rid of the alias commands.

For your above example, and assuming "webserver1" is an IP address on the interface called "dmz", then you would add:

static (dmz,inside) webserver1 netmask

This says that if I see a packet on the inside interface addressed to, then send it to "webserver1" on the dmz interface. You should "clear xlate" after adding this and removing the associated alias command.