Destination NAT on PIX

Hi all,

I'm trying to accomplish something, but I just can't get it to work.

The situation:

Internal network: 192.168.0.0 255.255.255.0
Old DNS servers: 150.159.216.202 and 150.159.216.206
New DNS servers: 205.171.3.65 and 205.171.2.65

We have to configure all the workstations to use new DNS servers (yes I know, DHCP would have been a solution, but internal politics...). This will take some time, so I'm looking for a way to silently re-write the destination on the PIX which is situated between the LAN and the Internet connection.

On [link] I found that I should use the alias command. I added the following config to the PIX:

alias (inside) 150.159.216.202 205.171.3.65 255.255.255.255
alias (inside) 150.159.216.206 205.171.2.65 255.255.255.255

And I gave a clear xlate.

When we tested from a server which has the proper DNS IP addresses configured, we found out that DNS didn't work anymore. Whichever IP address we used (old or new), we didn't receive a response. As soon as I removed the commands and gave a clear xlate, the new DNS servers would respond again.

Am I missing something here? We use PIX Finesse 6.3(1).

TIA.

Ikke Mij


In article , wrote:
:Internal network: 192.168.0.0 255.255.255.0
:Old DNS servers: 150.159.216.202 and 150.159.216.206
:New DNS servers: 205.171.3.65 and 205.171.2.65

:We have to configure all the workstations to use new DNS servers (yes I
:know, DHCP would have been a solution, but internal politics...). This
:will take some time, so I'm looking for a way to silently re-write the
:destination on the PIX which is situated between the LAN and the
:Internet connection.

Okay, I've done much the same thing.

:On [link] I found that I should use the alias command.

Not anymore. alias is deprecated. You have 6.2 or later (you mentioned 6.3(1)) so you should start using bidirectional nat.

:alias (inside) 150.159.216.202 205.171.3.65 255.255.255.255
:alias (inside) 150.159.216.206 205.171.2.65 255.255.255.255

:And I gave a clear xlate.

Clear xlate was a good step that was easy to have overlooked.

Try this instead:

static (outside,inside) 150.159.216.202 205.171.3.65 netmask 255.255.255.255
static (outside,inside) 150.159.216.206 205.171.2.65 netmask 255.255.255.255

:When we tested from a server which has the proper DNS IP addresses
:configured, we found out that DNS didn't work anymore. Whichever IP
:address we used (old or new), we didn't receive a response.

There is a bit of a logical problem: when you use alias or reverse static in order to redirect one IP "OLD" to another IP "NEW", then when traffic returns from NEW the PIX has to decide what to do with it. And what it will do with it when it sees the alias or reversed static is to map the NEW IP back to the OLD IP. You can't have it both ways: you can't say "If it was originally addressed properly when it went outwards, then don't translate it when the response comes back."

What I would suggest in your case is to use the reverse static for one of the two servers, leaving the other one to go straight through. Then, provided that each system has been configured with two DNS servers, one of the two will work -- either the two configured DNS IPs will be the OLD IPs (one of the two of which will get redirected to a functioning server), or the two configured DNS IPs will be the NEW IPs (one of which will not function because of the reverse mapping, but the other direct one will be functional.) Remove the reverse static entry when everything is finally converted over.

I would have to think more to see if I could come up with a way using policy nat or dual translation to allow both sides to work at the same time.

By the way, you mention 6.3(1). 6.3(1) has some security bugs in it. 6.3(2) has a nasty error in it. 6.3(3) has a lesser security bug. 6.3(4) is the latest. I would thus recommend that you upgrade to at least 6.3(3) and preferably 6.3(4). 6.3(2) added policy nat; 6.3(4) added policy static. Note: upgrades from 6.3(1) to 6.3(4) are free even if you have no support contract; details of how to obtain the free upgrade are available on Cisco's web site if you search for PIX Security Advisories.

Walter Roberson
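The "you can't have it both ways" argument in the reply above, modelled as a small Python simulation. This is an added example, not Cisco's code and not either poster's configuration: it models only the address rewriting the reply describes (a static (outside,inside) OLD NEW entry rewrites the destination of inside-to-outside packets from OLD to NEW and, unconditionally, the source of outside-to-inside packets from NEW back to OLD), using the four server addresses from the thread. The client address 192.168.0.10 and the rule that a resolver accepts only replies whose source matches the server it queried are assumptions of the model.

```python
"""Toy model of a PIX reverse static (outside,inside) translation.

Added example, not Cisco's code or either poster's config. It models only
the address rewriting described in the reply: a 'static (outside,inside)
OLD NEW' entry rewrites the destination of inside->outside packets from
OLD to NEW and rewrites the source of outside->inside packets from NEW
back to OLD, regardless of which address the client originally used.
Server addresses are the ones given in the thread.
"""
from dataclasses import dataclass

OLD1, OLD2 = "150.159.216.202", "150.159.216.206"   # old (retired) servers
NEW1, NEW2 = "205.171.3.65", "205.171.2.65"         # new (working) servers
CLIENT = "192.168.0.10"                              # assumed inside host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class ReverseStaticPix:
    """statics: {old_ip: new_ip}, one entry per 'static (outside,inside) OLD NEW'."""

    def __init__(self, statics):
        self.out_map = dict(statics)                      # OLD -> NEW
        self.in_map = {v: k for k, v in statics.items()}  # NEW -> OLD

    def outbound(self, pkt):
        # inside -> outside: a destination of OLD becomes NEW
        return Packet(pkt.src, self.out_map.get(pkt.dst, pkt.dst))

    def inbound(self, pkt):
        # outside -> inside: a source of NEW becomes OLD, unconditionally;
        # the PIX cannot tell whether the client originally sent to OLD or NEW
        return Packet(self.in_map.get(pkt.src, pkt.src), pkt.dst)


def dns_lookup(pix, client, server):
    """True if the client receives a reply it will accept.

    Assumption of the model: a resolver accepts a reply only when its
    source address equals the server address the query was sent to.
    """
    query = pix.outbound(Packet(client, server))
    if query.dst not in (NEW1, NEW2):
        return False  # old servers no longer answer; the query times out
    reply = pix.inbound(Packet(query.dst, client))
    return reply.src == server


def working_servers(pix, client, configured):
    """Which of the client's configured DNS servers actually work."""
    return [s for s in configured if dns_lookup(pix, client, s)]


if __name__ == "__main__":
    both = ReverseStaticPix({OLD1: NEW1, OLD2: NEW2})
    one = ReverseStaticPix({OLD1: NEW1})   # the reply's suggestion
    for label, pix in (("two statics", both), ("one static", one)):
        print(label, "old-configured client:", working_servers(pix, CLIENT, [OLD1, OLD2]))
        print(label, "new-configured client:", working_servers(pix, CLIENT, [NEW1, NEW2]))
```

With a static for both servers, a client still pointing at the old addresses works but a client already moved to the new addresses gets every reply with a rewritten source and discards it. With a static for only one server, each kind of client keeps exactly one working resolver, which is the compromise the reply proposes.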
