
New Member

Replacement for Alias command on Ver 7.04

Hi,

I have a Web server placed on a DMZ which has to be accessed from the outside and inside interfaces using DNS (external DNS servers).

Public IP 62.x.x.x

DMZ Server IP 192.168.0.100

Inside IP 10.0.0.0 255.0.0.0

External access works fine. However, internal access is working with the alias command. This restricts access to the ASA Appliance using the ASDM, as the command is not supported.

I have tried unsuccessfully replacing the alias command with a static as below.

alias (inside) 62.x.x.x 192.168.0.100

static (dmz,Inside) 62.x.x.x 192.168.0.100 dns

Web server access from Inside to DMZ only works with the alias command. Any suggestions would be appreciated.

Thanks

Ian.

7 REPLIES
New Member

Re: Replacement for Alias command on Ver 7.04

This problem actually stems from an incorrectly configured DNS server - or you are using public DNS servers.

I have run into this a couple of times in my travels and there is only one real solution - configure DNS to provide the real IP address of the servers in the DMZ to the internal users. In short, internal DNS should provide the private address for DMZ servers.

-Mark

New Member

Re: Replacement for Alias command on Ver 7.04

Mark,

Thanks for the reply. However, please note that public DNS servers are being used.

Access to the DMZ based Web server from hosts located on the inside using external domain name is working with the alias command.

I need to replace the alias command with a command recognised by ASDM.

Ian.

New Member

Re: Replacement for Alias command on Ver 7.04

You're not far off.

Miss the 'dns' keyword off the end of the NAT statement.

I think if that doesn't work there is something else causing the problem. I have used it in a similar situation using only external DNS.

If it still doesn't work, you need to look elsewhere. Test by using the EXTERNAL IP address first (rather than resolving DNS). This should work too with the same command.

New Member

Re: Replacement for Alias command on Ver 7.04

Actually, I think the DNS keyword is used when the inside users are using a DNS server in the DMZ. When the DNS server is on the outside and the web server is in the DMZ, the dns keyword does not perform the functions you are thinking of. This is because the DNS lookups are not traveling in the same direction as the static commands.

Best fix is to start hosting your own internal DNS with A records for the DMZ servers. This is easy to do as you probably have a Windows 2000 server running DHCP. Just enable DNS and point your PCs to this DNS server. Also put the root servers in the DNS server. This will also make lookups faster because frequently accessed domains will be cached on the local DNS server.

Worst case scenario - host files on the inside network. yuck.

-Mark

New Member

Re: Replacement for Alias command on Ver 7.04

Thanks for all of the suggestions. However, removing the 'dns' keyword off the end of the NAT statement has resolved the issue when accessing the DMZ Web Server from the Inside.

Thanks

Ian

New Member

Re: Replacement for Alias command on Ver 7.04

Thanks for the rating :-)

New Member

Re: Replacement for Alias command on Ver 7.04

In my experience I have seen that the "static ... dns" command works very well with PixOS 7, maybe better than in previous releases.

You have to remove both the "alias (inside)" and the "static (dmz,inside).." lines, and modify the static nat statement for publishing the DMZ server outside as follows:

static (dmz,outside) 62.x.x.x 192.168.0.100 dns

This is already needed for publishing your server on the internet and is all you need. As you can read in the documentation, when the PIX detects a DNS query to an external DNS server related to a static with dns, it translates the A record in the answer to match the internal IP address of the server. This works wherever the inside server and the inside client are; they can be connected to different internal interfaces.

Obviously your internal clients will resolve the server name to its internal private address, but I believe this shouldn't be a problem.

I often use such a configuration with no problem. Try and let me know if I could help you.
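The rewrite rule described in the reply above (a DNS reply whose A record carries the mapped address of a static tagged with the dns keyword is rewritten to the real address) is easy to misread, so here is an added example that models it in plain Python. This is not Cisco code and not from the thread; it only simulates the A-record rewrite on a constructed DNS response. Because the public address in the thread is elided (62.x.x.x), a TEST-NET-3 placeholder (203.0.113.10) stands in for it, and the `Static`, `doctor_reply` and `build_a_reply` names are inventions for this illustration.

```python
"""Model of the PIX/ASA DNS-rewrite ("dns doctoring") rule discussed in the
thread: a DNS reply for a name that resolves to the mapped (public) address of
a static translation tagged with the dns keyword has its A record rewritten to
the real address before it is delivered to the querying host.

Added example, not Cisco code.  Addresses below are constructed placeholders.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real [dns]' translation (hypothetical model)."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    dns: bool = False


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(txid: int, name: str, addr: str, ttl: int = 300) -> bytes:
    """Construct a minimal DNS response with a single A record (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in addr.split("."))
    # Answer owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def a_record_offsets(msg: bytes) -> list:
    """Offsets of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found


def doctor_reply(msg: bytes, statics: list, reply_in_if: str) -> bytes:
    """Apply the dns-keyword rewrite to a reply that arrived on reply_in_if.

    Rule modelled: for each static tagged dns whose mapped interface is the one
    the reply came in on, an A record equal to the mapped address is replaced by
    the real address.  Statics without the dns keyword leave the reply intact.
    """
    out = bytearray(msg)
    for off in a_record_offsets(msg):
        addr = ".".join(str(b) for b in msg[off:off + 4])
        for st in statics:
            if st.dns and st.mapped_if == reply_in_if and st.mapped == addr:
                out[off:off + 4] = bytes(int(o) for o in st.real.split("."))
    return bytes(out)


def answered_addresses(msg: bytes) -> list:
    """Dotted-quad A-record answers in a reply, in order."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in a_record_offsets(msg)]


# Constructed scenario mirroring the thread: web server in the DMZ, public DNS outside.
STATICS = [Static("dmz", "outside", "203.0.113.10", "192.168.0.100", dns=True)]
REPLY = build_a_reply(0x1234, "www.example.com", "203.0.113.10")

if __name__ == "__main__":
    print("answer from public DNS :", answered_addresses(REPLY))
    print("answer after rewrite   :", answered_addresses(doctor_reply(REPLY, STATICS, "outside")))
```

Running it shows the inside client receiving 192.168.0.100 instead of the public address, which is the behaviour the last reply relies on; dropping `dns=True` from the static leaves the public address in place, which is why the choice of the `dns` keyword on the right static matters in this thread.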
