PIX - Alias - Outside NAT

I have an internal web server that has an external web address


My problem is when I try to access it via the web browser it can't find it

When I change my url in my host file to


It works fine

I found that the Alias command should work, but messes up the PDM and says not supported

So I think I need to use the Outside NAT

I am not really sure how to do this, and when I tried it did not seem to work. Can someone help me out with this command?

My initial thought was either

static 10.x.x.x 64.x.x.x netmask or static 64.x.x.x 10.x.x.x netmask

But it did not seem to work.

When I tried the alias 10.x.x.x 64.x.x.x

and I pinged internally it did redirect and resolve to 10.x.x.x but got timeouts

So am I missing something in the access list or something, maybe an access rule?

I'd rather not use the alias if possible... If someone could list the commands that I need to put in, that would be wonderful.

Thanks, Ed


That suggests to me that you are trying to access it from -inside- the firewall?

NO to 'alias' and NO to 'outside nat'.

No, you are just trying to get the PIX to do something it cannot do.

Would I be correct in my guess that you have an internal DNS server? If so, then change the DNS server to use the *internal* IP address for the host, and then on the 'static' command that maps between the 64.* address and the 10.* address, add the keyword 'dns'. Adding that keyword will cause the PIX dns "fixup" to notice the 10.* address appearing in outgoing DNS packets, and to alter it to the 64.* address. In this way, the internal hosts get the internal address because they do not go through the PIX, and the external hosts get the external address because the PIX changes the internal to external when the DNS packet goes out.

If your DNS server is external, then the solution is still to add the 'dns' keyword to the 'static' command: when you do that, the PIX will notice the 64.* address in the -incoming- DNS packets, and will alter it to the 10.* address that your internal hosts need to know.

Reply to
Walter Roberson
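
A simplified model of the DNS rewrite that the reply above attributes to the 'dns' keyword, as an added example that is not part of the original thread and is not PIX code. The addresses 10.0.0.10 and 192.0.2.10 (standing in for the 10.* and 64.* hosts), the name www.example.com, and all function names are constructed for illustration; only A records in the answer section are handled.

```python
import socket
import struct

INSIDE, OUTSIDE = "10.0.0.10", "192.0.2.10"   # constructed stand-ins for 10.* / 64.*

def skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:        # a two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def doctor(pkt, mapping):
    """Rewrite answer-section A records whose address is a key in mapping."""
    out = bytearray(pkt)
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12                                   # fixed DNS header length
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # skip qtype + qclass
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record
            ip = socket.inet_ntoa(pkt[off:off + 4])
            if ip in mapping:
                out[off:off + 4] = socket.inet_aton(mapping[ip])
        off += rdlen
    return bytes(out)

def a_response(name, ip):
    """Build a constructed DNS response carrying a single A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answer_ip(pkt):
    """Address in the final A record of a packet built by a_response()."""
    return socket.inet_ntoa(pkt[-4:])

if __name__ == "__main__":
    # Internal DNS server: the reply leaving the network is rewritten 10.* -> 64.*
    print(answer_ip(doctor(a_response("www.example.com", INSIDE), {INSIDE: OUTSIDE})))
    # External DNS server: the reply entering the network is rewritten 64.* -> 10.*
    print(answer_ip(doctor(a_response("www.example.com", OUTSIDE), {OUTSIDE: INSIDE})))
```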

Thanks, well I am a .NET developer and not too sure of myself on working and the commands.

For both these scenarios would the new command be

static dns 63.* 172.* netmask
