Solved

PDM shows problem, must replace alias with outside nat / bi-directional-nat. with server in dmz interface

Posted on 2007-11-15
7
725 Views
Last Modified: 2008-02-01
Hi,

We have a pix 515E with a web- and mail server in the DMZ.
For our inside users we want to use the external host name for retrieving mail, so I inserted the alias command, which works perfectly as far as I know..

But when running the PDM it says the alias cmd is no longer supported and that it should be replaced with Outside NAT / Bi-directional NAT.

I have tried adding dns to the static cmd, but that doesn't work.
What to do now?

fixup protocol dns maximum-length 512
name 10.1.1.10 Webserver
access-list acl_out permit tcp any host 195.xxx.xxx.195 eq www
access-list DMZ_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 10 195.xxx.xxx.196
global (DMZ) 10 195.xxx.xxx.195
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.255.0 0 0
nat (DMZ) 10 10.1.1.0 255.255.255.0 0 0
alias (inside) 195.xxx.xxx.195 10.1.1.10 255.255.255.255
static (DMZ,outside) 195.xxx.xxx.195 10.1.1.10 dns netmask 255.255.255.255 0 0
access-group acl_out in interface outside
sysopt noproxyarp inside

As I look now, I don't see any nat 0 for the DMZ.. maybe my solution lies here..

Question by:Rick
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20288763
>For our inside users we want to use the external host name for retrieving mail,
The BEST thing to do, instead of making the pix jump through hoops, is to set up your internal DNS so that the inside users use the private IP of the server and only external users use the public IP address.
 

Author Comment

by:Rick
ID: 20288969
Hey,

We used to have 2 DNS domains in our Active Directory that were available in our remote branch offices also.
Because we used to have intranet websites that were sub-domains within our company-website domain, there were some problems for the branch offices to reach our servers in the main DMZ thru VPN...

Therefore we decided to remove our company-website domain from the DNS servers and move our intranet websites to the AD domain..

The alias cmd seemed to work fine, except for the PDM warning..
When we receive a memory upgrade for the PIX (within a few weeks) I want to upgrade to version 7 and then later 8, so I think fixing the alias problem will be of importance.



 
LVL 15

Accepted Solution

by:
Voltz-dk earned 500 total points
ID: 20290187
I'm a bit puzzled that 195.x.x.195 is mapped on outside and also is a global on the DMZ - but assuming everything is ok, try:

static (DMZ,inside) 195.xxx.xxx.195 10.1.1.10
 
LVL 79

Expert Comment

by:lrmoore
ID: 20293909
Voltz-dk, wouldn't the syntax for that be reversed ?

static (DMZ,inside) 10.1.1.10  195.xxx.xxx.195 netmask 255.255.255.255

 
LVL 15

Expert Comment

by:Voltz-dk
ID: 20293977
It's

static (<real>,<mapped>) <mapped> <real>

real being DMZ & 10.1.1.10, while mapped is inside & 195.x.x.195

unless some masquerading of the config threw me off - as mentioned some of it looks a bit odd in terms of which nets are on which ifs. (or I have missed the goal?)
 

Author Comment

by:Rick
ID: 20296837
It works!

These are the 2 static statements I have now:
static (DMZ,inside) 195.73.191.195 10.1.1.10 netmask 255.255.255.255 0 0       // The new rule
static (DMZ,outside) 195.73.191.195 10.1.1.10 netmask 255.255.255.255 0 0

Does it matter if the dns keyword is included? After removing the dns keyword and doing a 'clear xlate' everything works...

How can the new rule be explained?

Thanks for solving my case!

Regards,
Rick
Amsterdam
 
LVL 15

Expert Comment

by:Voltz-dk
ID: 20298284
The use of the dns keyword depends on the location of the DNS server. If that is on the inside, so the DNS traffic doesn't traverse the pix, it has no value.

The new "rule" is an outside static NAT, stating that when 10.1.1.10 goes towards inside it should be NATed to the 195 addy. Static NAT is bi-directional, so this means traffic from inside towards the 195 addy will have the destination NATed to 10.1.1.10, which was the goal here.
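The `static (<real>,<mapped>) <mapped> <real>` syntax Voltz-dk describes, and the bidirectional behaviour explained in the last reply, as an added Python model. This is not Cisco code and not code from anyone in this thread: it parses static lines in the PIX 6.3 form quoted above and applies them to packets, with the caller supplying the ingress and egress interfaces. DNS doctoring is reduced to a single traverse-and-match rule (an assumption of this model, not a statement of PIX internals), 203.0.113.195 (a documentation address) stands in for the masked 195.xxx.xxx.195, and the client and DNS-server addresses are constructed.

```python
"""Model of PIX 6.3 'static' NAT lookups, written for this thread as an
illustration (not Cisco code).  It shows why 'static (DMZ,inside) <mapped> <real>'
gives inside clients a destination rewrite to the DMZ server, and why the
reversed operand order would not.  Simplifications: the caller supplies the
ingress and egress interfaces, and DNS doctoring is modelled only for replies
that actually cross the firewall."""
import ipaddress
import re
from dataclasses import dataclass

# PIX 6.3 form: static (<real_if>,<mapped_if>) <mapped> <real> [dns] [netmask <mask>] ...
# The ASA 7.x form puts 'dns' after the netmask, so both positions are accepted.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,)]+),(?P<mapped_if>[^,)]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?P<dns1>\s+dns)?"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
    r"(?P<dns2>\s+dns)?"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Address
    real: ipaddress.IPv4Address
    dns: bool


def parse_static(line: str) -> StaticNat:
    """Parse one 'static' line; trailing tokens such as '0 0' or a comment are ignored."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    return StaticNat(m["real_if"], m["mapped_if"],
                     ipaddress.IPv4Address(m["mapped"]), ipaddress.IPv4Address(m["real"]),
                     bool(m["dns1"] or m["dns2"]))


def translate(statics, ingress, egress, src, dst):
    """Return (src, dst) after static NAT for a packet entering on `ingress` and
    leaving on `egress`.  Static NAT is bidirectional: in the real->mapped direction
    the source is rewritten, in the mapped->real direction the destination is."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for s in statics:
        if ingress == s.real_if and egress == s.mapped_if and src == s.real:
            return str(s.mapped), str(dst)        # server talking out: source hidden
        if ingress == s.mapped_if and egress == s.real_if and dst == s.mapped:
            return str(src), str(s.real)          # client reaching the server
    return str(src), str(dst)


def doctor_dns_answer(statics, ingress, egress, answer):
    """Modelled A-record rewrite for a DNS reply.  The reply must actually traverse
    the firewall (ingress != egress), enter on the static's mapped interface, carry
    the mapped address, and the static must have the 'dns' keyword."""
    answer = ipaddress.IPv4Address(answer)
    if ingress == egress:
        return str(answer)                        # never crossed the PIX: keyword irrelevant
    for s in statics:
        if s.dns and ingress == s.mapped_if and answer == s.mapped:
            return str(s.real)
    return str(answer)


# Constructed config: 203.0.113.195 stands in for the masked 195.xxx.xxx.195.
CONFIG = [
    "static (DMZ,inside) 203.0.113.195 10.1.1.10 netmask 255.255.255.255 0 0",
    "static (DMZ,outside) 203.0.113.195 10.1.1.10 dns netmask 255.255.255.255 0 0",
]
STATICS = [parse_static(line) for line in CONFIG]
# The operand order proposed (and withdrawn) in the thread: mapped and real swapped.
REVERSED = parse_static("static (DMZ,inside) 10.1.1.10 203.0.113.195 netmask 255.255.255.255")

if __name__ == "__main__":
    # Constructed addresses: an inside client and an outside DNS server.
    print(translate(STATICS, "inside", "DMZ", "192.168.0.20", "203.0.113.195"))
    print(translate(STATICS, "DMZ", "inside", "10.1.1.10", "192.168.0.20"))
    print(translate([REVERSED], "inside", "DMZ", "192.168.0.20", "203.0.113.195"))
    print(doctor_dns_answer(STATICS, "inside", "inside", "203.0.113.195"))
```

With the correct operand order, an inside client sending to 203.0.113.195 has its destination rewritten to 10.1.1.10 and a reply from the DMZ server has its source rewritten back, which is the bidirectional behaviour the last reply describes; with the reversed order the mapped address is 10.1.1.10, so the client's packet matches nothing and passes untranslated. A DNS reply that never enters the PIX (inside server to inside client) is untouched whether or not the static carries `dns`.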
