Re: NAT\Alias posted 12/08/2002


DNS Doctoring is used when the DNS resolver (requesting client) and target
host reside on the same PIX interface. The syntax for the 'alias' command in
this case would be:

'alias (inside) <private_IP> <public_IP>'

DNS replies destined for the (inside) containing <public_IP> in the payload
are doctored so that <private_IP> appears in the payload instead. The client
can then start a connection directly with the host using the private
address. The same result can be achieved using the 'dns' keyword with the
'static' command in 6.2 and later releases.

Destination NAT is used when the DNS resolver and the target host reside on
different PIX interfaces, say inside and DMZ, respectively. The syntax for
the 'alias' command in this case would be:

'alias (inside) <public_IP> <private_IP>'

Now when the DNS request goes out, the reply comes back "undoctored" (the
resolved address in the reply payload must match the 2nd IP address _and_
the interface in the 'alias' command for "doctoring" to occur). But when the
client starts sending traffic destined for the resolved public address, the
'alias' command translates the public destination address to the private
destination address so that the traffic ends up on the DMZ.

Be aware that "dNAT" will affect ACLs you place on interfaces related to the
'alias' command. In the example above, the source address in an ACL for
traffic starting from the DMZ destined for the inside must match the
translated address, rather than the real source address of the host (similar
to the issue with destination addresses and statics and ACLs). Also, an ACL
for traffic starting from the inside destined for the DMZ must include both
the public and private destination addresses. Both ACLs will show hits when
you ping the public address from the inside, while only the private ACL will
show hits when you ping the private address.

Regards,

Mas Kato
https://ecardfile.com/id/mkato
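As an added illustration (not PIX code, and not part of Mas Kato's reply or of any other message in this thread), the Python model below walks through the packet flow for both alias forms described above: the same-interface DNS doctoring case and the inside-to-DMZ destination NAT case. It also covers the "fixup" and "redirect" uses Jason describes further down the thread. The interface names and the addresses 10.1.1.1, 200.1.1.1, 10.2.2.1 and 200.1.1.2 are constructed for the example; the reverse source rewrite applied to return traffic is an assumption drawn from the ACL remark in the reply, not something the thread states outright.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alias:
    """One 'alias (if_name) dnat_ip foreign_ip' entry."""
    if_name: str     # interface the alias is bound to, e.g. "inside"
    dnat_ip: str     # 1st address on the command line
    foreign_ip: str  # 2nd address on the command line


class PixAliasModel:
    """Toy model of the two alias behaviours described in the thread.

    Rule 1 (DNS doctoring): a DNS reply destined for if_name whose answer
    equals foreign_ip (2nd address) is rewritten to dnat_ip (1st address).
    Rule 2 (destination NAT): a packet entering on if_name with destination
    dnat_ip (1st address) leaves with destination foreign_ip (2nd address).
    The reverse source rewrite on return traffic is an assumption drawn
    from the ACL note in the reply, not something the thread spells out.
    """

    def __init__(self) -> None:
        self.aliases: List[Alias] = []

    def alias(self, if_name: str, dnat_ip: str, foreign_ip: str) -> None:
        self.aliases.append(Alias(if_name, dnat_ip, foreign_ip))

    def doctor_dns_reply(self, to_if: str, answers: List[str]) -> List[str]:
        """Rule 1: both the interface *and* the 2nd address must match."""
        doctored = []
        for ip in answers:
            new_ip = ip
            for a in self.aliases:
                if a.if_name == to_if and a.foreign_ip == ip:
                    new_ip = a.dnat_ip
                    break
            doctored.append(new_ip)
        return doctored

    def translate_destination(self, from_if: str, dst: str) -> str:
        """Rule 2: packets from from_if sent to the 1st address go to the 2nd."""
        for a in self.aliases:
            if a.if_name == from_if and a.dnat_ip == dst:
                return a.foreign_ip
        return dst

    def translate_source(self, to_if: str, src: str) -> str:
        """Assumed reverse of rule 2: a reply from foreign_ip reaches to_if
        with source dnat_ip, so the client sees the address it used."""
        for a in self.aliases:
            if a.if_name == to_if and a.foreign_ip == src:
                return a.dnat_ip
        return src


def dns_doctoring_walkthrough() -> Dict[str, List[str]]:
    """Scenario 1: client and web server both on inside.
    Constructed addresses: server 10.1.1.1, its static public 200.1.1.1."""
    pix = PixAliasModel()
    pix.alias("inside", "10.1.1.1", "200.1.1.1")  # alias (inside) <private> <public>
    return {
        # reply to inside containing the public address is doctored to private
        "reply_to_inside": pix.doctor_dns_reply("inside", ["200.1.1.1"]),
        # the same answer heading to another interface is left alone
        "reply_to_dmz": pix.doctor_dns_reply("dmz", ["200.1.1.1"]),
    }


def destination_nat_walkthrough() -> Dict[str, object]:
    """Scenario 2: client on inside, server on the DMZ.
    Constructed addresses: server 10.2.2.1, its static public 200.1.1.2."""
    pix = PixAliasModel()
    pix.alias("inside", "200.1.1.2", "10.2.2.1")  # alias (inside) <public> <private>
    return {
        # resolved address is the 1st, not the 2nd, so the reply is undoctored
        "dns_reply_to_inside": pix.doctor_dns_reply("inside", ["200.1.1.2"]),
        # the client's packet to the public address is redirected to the DMZ host
        "dst_after_alias": pix.translate_destination("inside", "200.1.1.2"),
        # a packet sent straight to the private address is not touched
        "direct_private_dst": pix.translate_destination("inside", "10.2.2.1"),
        # the DMZ host's reply is seen on inside with the public source address
        "return_src_seen_on_inside": pix.translate_source("inside", "10.2.2.1"),
    }


if __name__ == "__main__":
    for name, fn in (("DNS doctoring", dns_doctoring_walkthrough),
                     ("Destination NAT", destination_nat_walkthrough)):
        print(name)
        for step, value in fn().items():
            print(f"  {step}: {value}")
```

The `reply_to_dmz` and `dns_reply_to_inside` steps are the two cases where nothing happens: the first because the reply is heading to an interface the alias is not bound to, the second because the resolved address is the 1st address rather than the 2nd. Those two checks are the reason the two alias forms list the addresses in opposite order.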
----- Original Message -----
From: "Jim" <systemboard@xxxxxxxxxx>
To: <security@xxxxxxxxxxxxxx>
Sent: Saturday, December 07, 2002 11:12 AM
Subject: RE: NAT\Alias


Any takers on this post?  I am hoping someone has more input on it?

JT


This stuff is good.  I have always been confused on dnat and dns doctoring.
It is getting better but a few more questions...

Does DNS fixup refer to any time you have an external DNS? I take it that it
does not matter if you have illegal IPs on your network or not, is that
right?

dnat--why would I want the outside IP to refer to a diff IP than is stated
in my static but is referenced in the alias command.  For example:

alias (inside) 100.1.1.1 10.1.1.1
static (inside,outside) 200.1.1.1 10.1.1.1

You can assume I know nothing and need a detailed answer (please). A nice
answer that covers all the steps of the packet flow would be great!!!!

Thanks,

JT



--- On Wed 12/04, Jason Brown wrote:
From: Jason Brown [mailto:spderman_po@xxxxxxxxx]
To: systemboard@xxxxxxxxxxxxxx
Date: Tue, 3 Dec 2002 21:58:44 -0800 (PST)
Subject: RE: NAT\Alias

The alias command has 2 uses.

First is as you said for DNS "fixups"

Ex: You have Internal host, Internal WWW
(www.example.com) and External DNS.

When you make the query to the dns for www.example.com
you get the "public" ip address back but you don't
want that cuz your host will send the request to the
public address which hits the internal interface of
the Pix and the pix says I have a static for that
which is internal .. BUT the Pix will not redirect
traffic back out the same interface that the packet
came in on so it drops it. SOOOOO with the alias
command the pix sees the DNS reply for www.example.com
(via the Public IP you configure with the alias
command) and "fixes" it up to tell the internal host
that it is the "private" address.

Second scenario is as Justin just explained in a new
email.  You see a request to one address but want
anything that is sent to the alias'd address changed
to something else say .... www.porn.com
(200.200.200.1) redirected to www.disney.com
(100.100.100.1)

Hopefully this helps.

Jason



--- Jim  wrote:
> Since Justin brings up the alias command can someone
> explain the alias command with a real example?  I
> have read about alias on CCO and the explanation
> does not register.  I was under the impression the
> alias command had to do with not running DNS on an
> internal network and having illegal addressing on
> the inside.
>
> Confused.
>
> JT
>
>
> --- On Tue 12/03, Justin Menga wrote:
> From: Justin Menga [mailto: Justin.Menga@xxxxxxxxxxxxxx]
> To: Brian.Ritchie@xxxxxxxxxxx, security@xxxxxxxxxxxxxxxxxx
> Date: Wed, 4 Dec 2002 15:00:37 +1300
> Subject: RE: NAT'ing based on source AND destination
>
> Hi,
>
> You can use the alias command for this.
>
> Regards,
> Justin
>
> -----Original Message-----
> From: Ritchie, Brian
> [mailto:Brian.Ritchie@xxxxxxxxxxx]
> Sent: Wednesday, December 04, 2002 5:23 AM
> To: 'security@xxxxxxxxxxxxxx'
> Subject: NAT'ing based on source AND destination
>
>
> Hello all,
>
> Is there any way on a pix to perform NAT based on source AND destination?
>
> For example, my internal network is 10.1.1.0/24 and I PAT all clients
> leaving the internal network using the external interface IP address.
> However, when an internal client wants to connect to a specific internet
> host x.x.x.x I want to NAT to a different IP in my public address space.
>
> I am aware of associating a nat rule with an access-list, but this is only
> possible if you don't want to nat for VPNs etc (ie nat (inside) 0).
>
> I've looked around and can't find any examples of how to do this, although
> I have seen it done on other firewall implementations, using Checkpoint for
> example.
>
> Any help or workarounds are greatly appreciated.
>
> FYI ...... I am using software version 6.1(4) and don't have any other
> devices to perform further NATing above or below the firewall.
>
> Thanks in advance, Brian
>
>
> _______________________________________________
> Join Excite! - http://www.excite.com
> The most personalized portal on the Web!


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

