Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

When to use the DNS option on Static Entries

Can anyone tell me when one needs to look at using the DNS option on entries configured for static NAT?

Our firewall is configured with STATIC entries to map private addresses to public addresses. We have a local DNS server (Active Directory integrated) that all local machines point to. These machines also have our ISP's DNS server listed as an secondary, but our DNS server is listed as primary.

Our DNS server is setup with Forwarders using our ISP's DNS Server.

I am not real familiar with how the DNS option is used with regards to STATIC translation and was wondering if this is something we should have setup based on our configuration?

any help would be appreciated.



Cisco Employee

Re: When to use the DNS option on Static Entries

You may want to use it if you want your internal hosts to contact the internal servers with their name. If you want to do that, the DNS query from the hosts must traverse the PIX to an external DNS server

Please check below for more info:

Q. I have a web server on the inside interface of the Cisco Secure PIX Firewall. It is mapped to an outside public address. I want my inside users to be able to access this server by its DNS name or outside address. How can this be done?

A. The rules of TCP do not allow you to do this, but there are good workarounds. For example, imagine that your web server's real IP address is and public address is DNS resolves to If your inside host (for example, attempts to go to, the browser resolves that to Then the browser sends that packet off to the PIX, which in turn sends it off to the Internet router. The Internet router already has a directly connected subnet of 99.99.99.x. It therefore assumes that packet is not intended for it but instead a directly connected host and drops this packet. In order to get around this issue your inside host either must resolve to its real address or you must take the outside segment off the 99.99.99.x network so the router can be configured to route this packet back to the PIX.

If your DNS resides outside the PIX (or across one of its DMZs) you can use the alias command on the Cisco Secure PIX Firewall to fix the DNS packet to make it resolve to the address. Make sure you reboot your PCs to flush the DNS cache after you make this change. (Test by pinging before and after the alias command is applied to make sure the resolution changes from the to address.)

If you have your own DNS server inside your network, this does not work because the DNS lookup never transverses the PIX, so there is nothing to fix. In this case, configure you local DNS accordingly or use local 'hosts' files on your PCs to resolve this name. The other option is better because it is more reliable. Take the 99.99.99.x subnet off the PIX and router. Choose an RFC 1918 numbering scheme not being used internally (or on any perimeter PIX interface). Then put a route statement back to the PIX for this network and remember to change your PIX default route outside to the new IP address on the router. The outside router receives this packet and routes it back to the PIX based on its routing table. The router will no longer ignore this packet, because it has no interfaces configured on that network.

PIX 6.2 introduces a new feature called Bidirectional NAT, which offers the functionality of the alias command and more.

Refer to Understanding the alias Command for the Cisco Secure PIX Firewall for more information on the alias command.

Refer to Using Outside NAT in the PIX command reference for more information on the Bidirectional NAT feature.


I hope the information helps you out

Franco Zamora