PIX-OS 6.3.x alias command

Hey,

I recall someone told me back in time that the alias command is unsupported. Is this correct? Or is the alias command still supported by PIX OS 6.3? It sure is in the command ref ...

regards Martin Bilgrav

Reply to
Martin Bilgrav

PIX 6.3 does support alias. PDM 3.whatever does not support alias though.

You should replace alias with "reverse" nat, or use of the 'dns' keyword on your statics, depending which of the two effects of alias you were after.

Reply to
Walter Roberson

"Walter Roberson" wrote in message news:QBtYf.217952$sa3.109971@pd7tw1no...

Hi Walter,

Ok, I can imagine that. But we do not use PDM.

I found in the "Cisco PIX Firewall and VPN Configuration Guide" a section where Cisco state that the alias command should be used on pre-6.2 installations, and that outside NAT via static, but with the interface order in () reversed, is what they recommend. As they state: "outside NAT makes the use of the alias command unnecessary".

I was looking for good arguments as to why outside NAT is better than alias. Any input on that?

I got this also from the guide and tek-tips.com:

- 5-15: CTIQBE application inspection does not support configurations using the alias command, which is deprecated after the introduction of outside NAT with PIX Firewall Version 6.2.
- 2-39: To enable connectivity between the two overlapping networks, the alias command can be used with previous versions of PIX Firewall, or static outside NAT can be used with PIX Firewall Version 6.2 or higher. We recommend using static outside NAT instead of the alias command because it allows the isolation of address translation between two interfaces and optionally supports rewriting of DNS address resource records.
- 3-31: ActiveX blocking does not occur when users access an IP address referenced by the alias command.
- 5-6: Translates the DNS A-record on behalf of the alias command. With PIX Firewall Version 6.2 and higher, DNS inspection also supports static and dynamic NAT and outside NAT makes the use of the alias command unnecessary.

Not supported in 7.0 with ASDM, same as for PDM 3.x

regards

Martin Bilgrav

cfg-guide, VPN:

Reply to
Martin Bilgrav
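To make the two approaches quoted above concrete, here is a constructed configuration fragment showing the alias form beside its static/outside-NAT replacement. This is an added example, not configuration from anyone in this thread; the addresses are made up, and the argument and keyword order (alias dnat_ip foreign_ip; static ... dns netmask ...) is taken from the PIX 6.3 command reference as I remember it, so check it against your own copy before using it.

```cisco
! Constructed example, not from the thread. All addresses are made up.
! Scenario 1: inside web server 10.1.1.10 is published as 209.165.201.10;
! public DNS returns the outside address, but inside clients should reach
! the server by name without going out and back through the outside address.

! --- Pre-6.2 way: alias (deprecated after 6.2) ---
! One statement couples address translation and DNS A-record rewriting:
! replies carrying 209.165.201.10 that reach inside hosts are rewritten to
! 10.1.1.10, and you cannot take one effect without the other.
alias (inside) 10.1.1.10 209.165.201.10 255.255.255.255

! --- 6.2 and later: static with the dns keyword ---
! The usual inside-to-outside static for the server; the dns keyword adds the
! A-record rewrite for DNS replies inspected as they cross the firewall.
! Translation and DNS rewriting are now per static, so they can be applied
! (or not) independently for each address.
static (inside,outside) 209.165.201.10 10.1.1.10 dns netmask 255.255.255.255

! Scenario 2: overlapping address space. A remote network 10.1.1.0/24 reached
! through the outside interface collides with the inside 10.1.1.0/24.
! --- 6.2 and later: static outside NAT, interface order reversed in () ---
! Inside hosts see the remote network as 10.2.2.0/24; DNS answers naming
! remote hosts are rewritten to the 10.2.2.x form as well.
static (outside,inside) 10.2.2.0 10.1.1.0 dns netmask 255.255.255.0
```

After the first DNS lookup from an inside host, `show xlate` should show the translation slot created for the rewritten address, which is the quickest way to confirm the dns keyword actually took effect on the static you expected. As the later reply in this thread notes, what the dns keyword does when the same local address is covered by several policy statics is not documented, so keep DNS rewriting on plain one-to-one statics where the answer is unambiguous.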

The ones you quoted are pretty good ;-)

'alias' had at least two different uses: address translation and dns rewriting. You couldn't get one without the other.

The main problem I see with the 'dns' keyword on nat and static statements is that there is no documentation as to what happens when it is combined with policy static or policy NAT (and I'd want to think more about whether there are any corner-cases for static PAT.)

With policy static, it is possible to map different public IP addresses to the same private IP address, conditional upon the remote IP address. Which IP will the 'dns' keyword cause to be filled in? I suspect that you can construct cases in which there is no right answer, in which the address resolved to "should" depend upon what the destination port is going to be... which is something not known to DNS.

Reply to
Walter Roberson
