
Problem with alias

Mister

I have a PIX running version 6.2. Without the alias command, I get access only by IP address, not by name, from Inside. But when I add the "alias" command, I lose all access to the DMZ except ping. Telnet and web do not work, even with the real world.

What am I doing wrong?

Best Regards

3 REPLIES

Re: Problem with alias

Hi,

Sorry, but what exactly are you trying to do? Are you trying to reach a server on the DMZ using the DNS name of the server? Where is your DNS server located? What is the real IP address of the server in the DMZ zone and what is the address given by the DNS server?

More info can be found on this url:

http://www.cisco.com/warp/public/110/alias.html

Kind Regards,

Tom

Re: Problem with alias

I'm having a very similar problem too!

The PIX is currently in the lab and I have a laptop on the DMZ acting as a www server. I'm using CSPM to create the ACLs and currently have permit all IP to the internal subnets from the DMZ network (192.168.17.0). The PCs on the 'intranet' access the www servers using the real IP address, so I need to use the alias command to destination NAT. WITHOUT the alias commands in the running config the www server has full access to the intranet as expected; as soon as I issue the alias command (then clear x) the www server loses all IP access to the intranet. This is confirmed by the PIX showing 'deny icmp src DMZ-slot:3......' etc.

I'm using the capture command to show all IP packets arriving on the DMZ interface and all looks well.

???

Re: Problem with alias

I've just changed the ACL on the DMZ to permit ip any any. This now allows the www server to perform DNS lookups on the internal subnet. The packets show a source address of the registered network, so I obviously need to amend the ACLs to allow the source address of the registered addresses. I can't do this using CSPM though, as CSPM isn't aware of the alias commands and therefore of the additional ACL entries that need to go with them. I guess I can manually amend the ACLs within CSPM. Back to the help!
