CISCO PIX hard question, can you answer it? TIA

I am not a real Cisco guy and the person I use says that what I want to do is not possible.

I know that some smart person out there can figure it out.

I have a PIX FW, no DMZ, 10 users inside the FW and three servers inside the firewall.

All the servers have static nats from the outside to the inside over specific ports.

Host1.contoso.com 66.121.13.151 nat => 192.168.1.1 port 80, 443, 3389 etc.
Host2.contoso.com 66.121.13.152 nat => 192.168.1.2 port 80, 443, 3389 etc.
Host3.contoso.com 66.121.13.153 nat => 192.168.1.3 port 80, 443, 3389 etc.

My DNS server is inside the firewall host1.contoso.com

When a user attempts to connect to Host1.contoso.com from the outside world they get an ip address of 66.121.13.151 and can connect to the server/service

When a user from inside the firewall attempts to http://host1.contoso.com they get the ip address of 66.121.13.151 and cannot connect to the host.

I am told that it is a Cisco "feature" to not allow this type of round trip IP connectivity.

I want to be able to have users connect to host1.contoso.com from inside or outside the Firewall using the same DNS server or the same IP address 66.121.13.151.

I am sure that this can be done, but not sure where in the Cisco UI or PDM to make this option work.

Thanks in advance

Reply to
pauleknight

alias (inside) 66.121.13.151 192.168.1.1 255.255.255.255
alias (inside) 66.121.13.152 192.168.1.2 255.255.255.255
alias (inside) 66.121.13.153 192.168.1.3 255.255.255.255

Wil my 3¢


Reply to
Wil

In article , snipped-for-privacy@gmail.com wrote:
:I am not a real Cisco guy and the person I use says that what I want to do is not possible.

Some of your wording is a bit ambiguous; under one interpretation they are wrong, and under another they are correct.

:All the servers have static nats from the outside to the inside over specific ports.

:Host1.contoso.com 66.121.13.151 nat => 192.168.1.1 port 80, 443, 3389 etc.

:My DNS server is inside the firewall host1.contoso.com

:When a user attempts to connect to Host1.contoso.com from the outside world they get an ip address of 66.121.13.151 and can connect to the server/service

:When a user from inside the firewall attempts to http://host1.contoso.com they get the ip address of 66.121.13.151 and cannot connect to the host.

:I want to be able to have users connect to host1.contoso.com from inside or outside the Firewall using the same DNS server or the same IP address 66.121.13.151.

The ambiguity is in that sentence. If you mean by it, "I want people to connect either way, and I only want to use one DNS server, but I don't care exactly how it gets arranged" then it can be done. If, though, you mean, "I want people to connect either way, and I only want to use one DNS server, and it is important that people on the inside be able to connect using the outside IP addresses", then you cannot do it without additional equipment.

If you don't really care about the IPs as long as the hostnames get you to the right place, then the way to work it is this:

1) To each 'static' line, add the keyword 'dns'
2) Now, edit your DNS server so that it stores the *internal* IP addresses, not the -external- IP addresses.

Once those two steps are done and the DNS server process has been restarted, connecting by hostname will work for both sides.

The internal users will connect directly to your internal DNS server and will get the internal IP addresses returned to them, so they will be able to connect directly without touching the PIX.

The external users will query your DNS server, and that query will go through the PIX, and when the reply comes back from your internal server, the PIX will notice the 'dns' keyword on the 'static' commands and the PIX will rewrite the DNS reply as it goes out so that the -external- IPs go out in place of the internal IPs.

Note: I haven't tried it, so I don't know if this works if you are using just port-by-port static's: it works if you static the entire IP (don't worry, the PIX will only allow new connections in if they are permitted by your outside ACL, so static'ing the entire IP is nearly as secure as going port-by-port.)

Reply to
Walter Roberson
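To make the two steps above concrete, here is an added example configuration for the OP's three hosts on PIX 6.3. It is my illustration, not config posted by anyone in the thread and not copied from a real box. The interface names `inside`/`outside` and the ACL name `outside_in` are assumptions, as is the placement of `dns` before `netmask` on the `static` line (that is the 6.x ordering as I remember it; confirm with `static ?` on the box). The addresses and hostnames are the ones from the original post.

```cisco
! --- What the OP has now (assumed form): one static per port, no dns keyword.
! static (inside,outside) tcp 66.121.13.151 www   192.168.1.1 www   netmask 255.255.255.255
! static (inside,outside) tcp 66.121.13.151 https 192.168.1.1 https netmask 255.255.255.255
! static (inside,outside) tcp 66.121.13.151 3389  192.168.1.1 3389  netmask 255.255.255.255

! --- Step 1: one full-IP static per host with the dns keyword, so a DNS
! reply leaving via the outside interface has 192.168.1.x rewritten to 66.121.13.x.
static (inside,outside) 66.121.13.151 192.168.1.1 dns netmask 255.255.255.255
static (inside,outside) 66.121.13.152 192.168.1.2 dns netmask 255.255.255.255
static (inside,outside) 66.121.13.153 192.168.1.3 dns netmask 255.255.255.255

! The rewrite is done by the DNS fixup; it is on by default in 6.3, but verify
! with "show fixup" and re-enable it if someone turned it off.
fixup protocol dns maximum-length 512

! A full-IP static opens nothing by itself; the outside ACL decides what gets in.
! udp/53 must reach host1 (the DNS server) or there is no reply to rewrite.
access-list outside_in permit udp any host 66.121.13.151 eq domain
access-list outside_in permit tcp any host 66.121.13.151 eq www
access-list outside_in permit tcp any host 66.121.13.151 eq https
access-list outside_in permit tcp any host 66.121.13.151 eq 3389
! repeat the tcp lines for 66.121.13.152 and 66.121.13.153, then bind the list
access-group outside_in in interface outside
```

Step 2 is outside the PIX: in the contoso.com zone on host1, change the A records so host1, host2 and host3 resolve to 192.168.1.1, .2 and .3, then restart the DNS service. Inside clients now get the private addresses straight from the server; outside clients get the same records with the public addresses substituted by the PIX. Two checks worth doing afterwards: `nslookup host1.contoso.com` from an outside host should return 66.121.13.151, and from an inside host 192.168.1.1. One caveat on the ACL: the `any` source on the 3389 line mirrors what the OP already exposes, but RDP open to the whole Internet is worth narrowing to known source addresses while you are in there.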

:> I have a PIX FW, no DMZ, 10 users inside the FW and three servers inside the firewall.

:> When a user from inside the firewall attempts to http://host1.contoso.com they get the ip address of 66.121.13.151 and cannot connect to the host.

:alias (inside) 66.121.13.151 192.168.1.1 255.255.255.255
:alias (inside) 66.121.13.152 192.168.1.2 255.255.255.255
:alias (inside) 66.121.13.153 192.168.1.3 255.255.255.255

A PIX with no DMZ and 10 users and servers would tend to imply a PIX 501 running at least PIX 6.2 if not PIX 6.3 [the 501 wasn't introduced until 6.1] Chances are thus pretty good that 'alias' has been deprecated on the PIX software version that the OP has.

Reply to
Walter Roberson

Here is the version info.

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(3)

Compiled on Fri 02-Jul-04 00:07 by morlee

Any idea on doing the alias through the PDM?

Paul

Reply to
paul

I've got some 520's here, they seem to have the alias commands available...

*****************************************************************
mypix(config)# show hardware | include Version
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

mypix(config)# alias
Not enough arguments.
Usage: [no] alias [] []
*****************************************************************

Sorry, I don't use PDM so I cannot help with that part

Wil my 3¢

for i in `ps -aux |grep "smoking" |grep -v grep |awk '{print $2}'`; do kill -9 $i; done


Reply to
Wil

:> A PIX with no DMZ and 10 users and servers would tend to imply a PIX 501 running at least PIX 6.2 if not PIX 6.3 [the 501 wasn't introduced until 6.1] Chances are thus pretty good that 'alias' has been deprecated on the PIX software version that the OP has.

:I've got some 520's here, they seem to have the alias commands available...

"deprecated" means "We advise against using this feature, as it is scheduled to be removed". Deprecated two major releases ago has the additional connotation, in Cisco-speak, that the feature is probably broken when used in conjunction with newer features, that the bugs will not be fixed, and that you won't get much help from Cisco in figuring out why your system isn't working.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.