Jim,
I'm looking forward to seeing it explained as well. I haven't worked
with a PIX in a while. I do know that some things like this can be solved
with a secondary IP address on the inside server. Put the public address of
that server on the server as a secondary. Put a static host route for the
public address with the internal IP address of that server as a next hop on
the internet-connected router. Might need to do it on a couple routers on
the way to the internet. Or you could redistribute that host route into
your IGP. I've had good luck doing this in a couple places.
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "Jim" <systemboard@xxxxxxxxxx>
To: <security@xxxxxxxxxxxxxx>
Sent: Saturday, December 07, 2002 2:12 PM
Subject: RE: NAT\Alias
> Any takers on this post? I am hoping someone has more input on it?
>
> JT
>
>
> This stuff is good. I have always been confused on dnat and DNS
> doctoring. It is getting better but a few more questions...
>
> Does DNS fixup refer to any time you have an external DNS? I take it that
> it does not matter if you have illegal IPs on your network or not; is that
> right?
>
> dnat: why would I want the outside IP to refer to a diff IP than is stated
> in my static but is referenced in the alias command. For example:
>
> alias (inside) 100.1.1.1 10.1.1.1
> static (in,out) 200.1.1.1 10.1.1.1
>
> You can assume I know nothing and need a detailed answer (please). A nice
> answer that covers all the steps of the packet flow would be great!!!!
>
> Thanks,
>
> JT
>
>
>
> --- On Wed 12/04, Jason Brown wrote:
> From: Jason Brown [mailto:spderman_po@xxxxxxxxx]
> To: systemboard@xxxxxxxxxxxxxx
> Date: Tue, 3 Dec 2002 21:58:44 -0800 (PST)
> Subject: RE: NAT\Alias
>
> The alias command has 2 uses.
>
> First is as you said for DNS "fixups"
>
> Ex: You have Internal host, Internal WWW
> (www.example.com) and External DNS.
>
> When you make the query to the dns for www.example.com
> you get the "public" ip address back but you don't
> want that cuz your host will send the request to the
> public address which hits the internal interface of
> the Pix and the pix says I have a static for that
> which is internal .. BUT the Pix will not redirect
> traffic back out the same interface that the packet
> came in on so it drops it. SOOOOO with the alias
> command the pix sees the DNS reply for www.example.com
> (via the Public IP you configure with the alias
> command) and "fixes" it up to tell the internal host
> that it is the "private" address.
>
> Second scenario is as Justin just explained in a new
> email. You see a request to one address but want
> anything that is sent to the alias'd address changed
> to something else say .... www.porn.com
> (200.200.200.1) redirected to www.disney.com
> (100.100.100.1)
>
> Hopefully this helps.
>
> Jason
>
>
>
> --- Jim wrote:
> > Since Justin brings up the alias command can someone
> > explain the alias command with a real example? I
> > have read about alias on CCO and the explanation
> > does not register. I was under the impression the
> > alias command had to do with not running DNS on an
> > internal network and having illegal addressing on
> > the inside.
> >
> > Confused.
> >
> > JT
> >
> >
> > --- On Tue 12/03, Justin Menga wrote:
> > From: Justin Menga [mailto:Justin.Menga@xxxxxxxxxxxxxx]
> > To: Brian.Ritchie@xxxxxxxxxxx, security@xxxxxxxxxxxxxxxxxx
> > Date: Wed, 4 Dec 2002 15:00:37 +1300
> > Subject: RE: NAT'ing based on source AND destination
> >
> > Hi,
> >
> > You can use the alias command for this.
> >
> > Regards,
> > Justin
> >
> > -----Original Message-----
> > From: Ritchie, Brian
> > [mailto:Brian.Ritchie@xxxxxxxxxxx]
> > Sent: Wednesday, December 04, 2002 5:23 AM
> > To: 'security@xxxxxxxxxxxxxx'
> > Subject: NAT'ing based on source AND destination
> >
> >
> > Hello all,
> >
> > Is there any way on a pix to perform NAT based on
> > source AND destination ?
> >
> > For example, my internal network is 10.1.1.0/24 and
> > I PAT all clients
> > leaving the internal network using the external
> > interface IP address.
> > However, when an internal client wants to connect to
> > a specific internet
> > host x.x.x.x I want to NAT to a different IP in my
> > public address space.
> >
> > I am aware of associating a nat rule with an
> > access-list, but this is only
> > possible if you don't want to nat for VPNs etc (i.e.
> > nat (inside) 0).
> >
> > I've looked around and can't find any examples of how
> > to do this, although I
> > have seen it done on other firewall implementations,
> > using Checkpoint for
> > example.
> >
> > Any help or workarounds are greatly appreciated.
> >
> > FYI ...... I am using software version 6.1(4) and
> > don't have any other
> > devices to perform further NATing above or below the
> > firewall.
> >
> > Thanks in advance, Brian
> >
> >
> > _______________________________________________
> > Join Excite! - http://www.excite.com
> > The most personalized portal on the Web!
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
>
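As an added illustration of the two alias behaviours Jason describes in the quoted thread above (example code written for this page, not PIX code and not from any of the thread's authors): a small Python model that rewrites the A record in a DNS reply from the public static address to the inside host's private address, and that steers traffic sent to an aliased destination to another address. The address tables and the sample DNS reply are constructed from the thread's own examples; the packet handling is a simplified assumption, not the PIX implementation.

```python
import socket
import struct

# Constructed tables from the thread's examples (a simplified model of PIX alias, not PIX code).
# DNS fixup: the public address in a DNS reply (the static) -> the private address the inside host uses.
DNS_FIXUP = {"200.1.1.1": "10.1.1.1"}
# Second use: traffic sent to the aliased destination is steered to another address.
DEST_REWRITE = {"200.200.200.1": "100.100.100.1"}

def _skip_name(pkt, off):
    """Offset just past a DNS name; a 2-byte compression pointer (0xC0..) ends the name."""
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def _a_records(pkt):
    """Yield (rdata_offset, dotted_address) for each A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(pkt[off:off + 4])
        off += rdlen

def answer_addresses(pkt):
    return [addr for _, addr in _a_records(pkt)]

def doctor_dns_reply(pkt, table=DNS_FIXUP):
    """Rewrite matching A-record answers so the inside host learns the private address."""
    out = bytearray(pkt)
    for off, addr in _a_records(pkt):
        if addr in table:
            out[off:off + 4] = socket.inet_aton(table[addr])
    return bytes(out)

def rewrite_destination(dst_ip, table=DEST_REWRITE):
    """A packet whose destination is the aliased address gets its destination changed."""
    return table.get(dst_ip, dst_ip)

def build_reply(name, addr, txid=0x1234):
    """Constructed sample response: one question plus one A answer that points back at it."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Running `answer_addresses` on `build_reply("www.example.com", "200.1.1.1")` before and after `doctor_dns_reply` shows the reply the inside host actually receives once the public address has been fixed up to 10.1.1.1.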