Alias for DNS doesn't seem to be working

[teksaint]

Hi,

This is probably fairly simple, but here goes. I have an OWA server off my inside interface. Whenever a client off that same interface tries to resolve to it via FQDN, it bombs. I believe this problem is fixed via an alias command, but it doesn't seem to be working. I can access the site via IP from the same client with no problem. Access via FQDN from the Internet also works fine. The internal IP of the OWA is 10.32.0.10. All users use an external DNS server, there is no internal DNS. Thanks in advance!

Thanks,
Scott


PIX Version 5.2(6)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ER9_Firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host 66.152.255.94 eq www
access-list 100 permit tcp any host 66.152.255.94 eq smtp
access-list 100 permit tcp any host 66.152.255.94 eq pop3
access-list 100 permit tcp any host 66.152.255.93 eq smtp
access-list 100 permit tcp any host 66.152.255.93 eq pop3
access-list 100 permit tcp any host 66.152.255.93 eq www
access-list 100 permit tcp any host 66.152.255.90 eq 1494
access-list 100 permit tcp any host 66.152.255.90 eq 3389
access-list 100 permit tcp any host 66.152.255.94 eq 5900
access-list 100 permit tcp any host 66.152.255.92 eq 1494
access-list 100 permit tcp any host 66.152.255.92 eq 3389
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 66.152.255.90 255.255.255.248
ip address inside 10.32.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 1440
global (outside) 1 66.152.255.91
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
alias (inside) 10.32.0.10 66.152.255.93 255.255.255.255
alias (inside) 10.30.0.10 66.152.255.94 255.255.255.255
static (inside,outside) 66.152.255.94 10.30.0.15 netmask 255.255.255.255 0 0
static (inside,outside) 66.152.255.93 10.32.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 66.152.255.92 10.30.0.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 66.152.255.89 1
route inside 10.0.0.0 255.0.0.0 10.32.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:10be2a7bdd058e8058bfd39e052d6117
ER9_Firewall#

 

[sunyasee]

Try adding the following command

sysopt noproxyarp inside

I to had problems with 'alias' but by using this command I managed to get it working ok.



----

Sunyasee B-)

 

[yizhar]

HI.

* Implementing an internal DNS server instead of using an external one is recommended, not only for this problem but also for improving performance and eliminating other issues (slow LAN performance when the link to ISP is down or having problems).

* Using the alias command to tweak DNS will work only after the DNS cache times out. Reboot the workstation and try again.
And yes, if you use "alias" you should disable proxyarp as mentioned by sunyasee.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar