Problem with alias command 1

Status
Not open for further replies.

phima

Technical User
May 22, 2001
9
FR
Hi all,

I've got a problem using the alias command.
Here is the context:
- My web server is connected to a DMZ, using a private IP address (192.168.3.3)
- A static command is used to allow external users to access this web server with a public IP address (212.x.y.z)
- Local clients (addressed in 125.a.b.c) do use address translation to connect to the internet, but should not be translated when connecting to the web server (192.168.3.0/24) using this acl/nat/global command set:
access-list nonat permit ip any 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 125.0.0.0 255.0.0.0
global (outside) 1 a.b.c.d - e.f.g.h

To allow internal users to access the web server using the fqdn, I put this alias command:
alias (inside) real_server_ip server_global_ip

Once this command has been set, I get the right answer to the DNS request (real_server_ip). But then, I cannot reach the server from the inside interface anymore.
I used the debug mode and found out that the packet whose dest IP is 192.168.3.3 is emitted on the outside interface instead of the DMZ !!!

Can anybody help ?
Thanks.
Phil.
 
I too have exactly the same problem.

Using Pix 515UR with 4 port expansion.

Can anyone help????

Regards

Alan
 
Hi all,

I finally got help from Cisco.
The problem was finally caused by the non address translation I configured from the inside to the DMZ.
Let's say my configuration is the following:
- Myserver, located on the DMZ, has the address 192.168.0.2
- Myserver is seen from the internet with the address 1.1.1.1 using the following command:
static (dmz, outside) 1.1.1.1 192.168.0.2
- My lan is addressed 10.1.1.0 255.255.255.0
- As I want my lan to access the internet, but not to be translated on the DMZ, I use the following nat/global command set:
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

Now, as I want to access Myserver from the inside and as I have no DNS, I have to use the alias command as follows:
alias (inside) 1.1.1.1 192.168.0.2
Unfortunately, this command needs NAT/GLOBAL to work.
So, even if I do not perform nat from the inside to the DMZ, I'll have to put a global command to the DMZ as follows:
global (dmz) 1 interface

From now on, I'll be able to connect to myserver from the inside with the address 1.1.1.1... But as this address does not match my access-list, my requests will be natted.
So, I'll have to add a record to my nonat access-list:
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

It smells like a bug, but it works !
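The behaviour Phil describes comes down to which destination address the "nat (inside) 0 access-list nonat" exemption is matched against: the address the inside client actually sends to (1.1.1.1, as handed out by the alias command), not the real DMZ address the alias later substitutes. The following small Python model, added here as an illustration and not taken from Cisco or from this thread, parses the two versions of the nonat access-list posted above and reports whether a given inside-to-server flow would fall through to "nat (inside) 1". It assumes the ordering reported in the thread (exemption check before the alias rewrite) and uses the addresses from Phil's configuration plus one constructed internet destination.

```python
"""Constructed model of the PIX nat 0 (nat exemption) decision for inside traffic.

It is an illustration only, not a Cisco tool: it evaluates the nonat ACL
against the packet as the inside interface sees it (destination still 1.1.1.1
when the client used the alias-advertised address) and reports whether the
flow would be translated by 'nat (inside) 1'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # PIX ACLs use address + netmask (not wildcard) notation.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(tok, i):
    """Parse one ACL address operand starting at tok[i]; return (network, next index)."""
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return _net(tok[i], tok[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines (host/any allowed)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
            continue  # only the simple 'permit ip' form used in the thread is modelled
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append(AclEntry(src, dst))
    return entries


def is_nat_exempt(acl, src, dst):
    """True if any nonat entry matches the flow (nat 0 exemption applies)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in e.src and d in e.dst for e in acl)


def inside_flow_translated(acl, src, dst_as_sent_by_client):
    """True when 'nat (inside) 1' would translate the flow.

    The alias rewrite 1.1.1.1 -> 192.168.0.2 is modelled as happening after
    this check, which is the ordering the thread reports (assumption).
    """
    return not is_nat_exempt(acl, src, dst_as_sent_by_client)


# nonat ACL as first posted: only the DMZ subnet is exempt.
NONAT_BEFORE = [
    "access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
]
# nonat ACL after the fix from the thread: the alias/public address is exempt too.
NONAT_AFTER = NONAT_BEFORE + [
    "access-list nonat permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1",
]

CLIENT = "10.1.1.5"          # constructed inside host on the LAN from the thread
INTERNET_DST = "198.51.100.7"  # constructed internet destination (documentation range)


def report(acl_lines):
    """Return {destination: translated?} for the three flows of interest."""
    acl = parse_acl(acl_lines)
    return {
        dst: inside_flow_translated(acl, CLIENT, dst)
        for dst in ("192.168.0.2", "1.1.1.1", INTERNET_DST)
    }


if __name__ == "__main__":
    for label, lines in (("before", NONAT_BEFORE), ("after", NONAT_AFTER)):
        print(label, report(lines))
```

With the first ACL, a client that addresses the server as 1.1.1.1 is translated (the thread's symptom), while a client using 192.168.0.2 directly is exempt; with the extra host entry both paths are exempt and internet-bound traffic is still translated, which is exactly the outcome Phil reports.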
 
I think that I'll have to raise this under my Cisco support contract after my holiday.

I too have found that it seems to route to the wrong interface.

What OS are you using??? I'm pretty sure that I'm using 5.3

Regards

Alan
 
The previous configuration note worked under Pix Firewall Software V6.01

Regards,
Phil.
 