RE: NAT\Alias posted 12/08/2002


Hi,

alias (inside) 100.1.1.1 10.1.1.1

On the inside interface, clients see the global IP address 10.1.1.1 as
100.1.1.1.  I.e. if a packet is received from an internal client by the PIX
with a destination IP address of 100.1.1.1, the destination IP is NAT'ed to
10.1.1.1 and forwarded out the outside interface. In the reverse direction,
packets received on the outside interface with a source IP address of
10.1.1.1 are NAT'ed to 100.1.1.1 before being sent out the inside interface.
Any DNS replies sent out the inside interface (i.e. the DNS query originated
from the inside) which include an A record of 10.1.1.1 are also "fixed" up
to 100.1.1.1.  DNS replies sent out any other interface (i.e. originated on
other interfaces) would now be "fixed" up.

static (in,out) 200.1.1.1 10.1.1.1

On the outside interface, external clients see internal device with an IP
address of 10.1.1.1 as 200.1.1.1.  I.e. if a packet is received from an
external client by the PIX with a destination IP address of 200.1.1.1, the
destination IP is NAT'ed to 10.1.1.1 and forwarded out the inside interface.
In the reverse direction, packets received on the inside interface with a
source IP address of 10.1.1.1 are NAT'ed to 200.1.1.1 before being sent out
the outside interface.

Regards,
Justin
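As an added illustration (not part of any message in this thread), here is a small Python model of the packet flow Justin describes for the two commands above, together with the hairpin drop and DNS fix-up Jason describes in his quoted message further down. Assumptions: only these two rules exist, the PAT that other inside hosts would get is ignored, and DNS replies are rewritten only when they leave the alias interface.

```python
INSIDE, OUTSIDE = "inside", "outside"

class PixNatModel:
    def __init__(self):
        self.aliases = []  # (iface, dnat_ip, foreign_ip)
        self.statics = []  # (real_iface, mapped_iface, mapped_ip, real_ip)

    def alias(self, iface, dnat_ip, foreign_ip):
        self.aliases.append((iface, dnat_ip, foreign_ip))

    def static(self, real_iface, mapped_iface, mapped_ip, real_ip):
        self.statics.append((real_iface, mapped_iface, mapped_ip, real_ip))

    def translate(self, ingress, src, dst):
        """Return (egress, src, dst) after translation, or None if dropped."""
        if ingress == INSIDE:
            for iface, dnat_ip, foreign_ip in self.aliases:
                if iface == INSIDE and dst == dnat_ip:
                    dst = foreign_ip  # alias: destination 100.1.1.1 -> 10.1.1.1
            for real_if, _, mapped_ip, real_ip in self.statics:
                if real_if == INSIDE and dst == mapped_ip:
                    return None  # hairpin back out the inside interface: dropped
                if real_if == INSIDE and src == real_ip:
                    src = mapped_ip  # static: source 10.1.1.1 -> 200.1.1.1
            return OUTSIDE, src, dst
        for _, mapped_if, mapped_ip, real_ip in self.statics:
            if mapped_if == OUTSIDE and dst == mapped_ip:
                dst = real_ip  # static: destination 200.1.1.1 -> 10.1.1.1
        for iface, dnat_ip, foreign_ip in self.aliases:
            if iface == INSIDE and src == foreign_ip:
                src = dnat_ip  # alias: source 10.1.1.1 -> 100.1.1.1
        return INSIDE, src, dst

    def fix_dns_reply(self, egress, a_records):
        """DNS fixup: A records in a reply leaving the alias interface are
        rewritten from foreign_ip to dnat_ip; other interfaces are untouched."""
        fixed = list(a_records)
        for iface, dnat_ip, foreign_ip in self.aliases:
            if iface == egress:
                fixed = [dnat_ip if ip == foreign_ip else ip for ip in fixed]
        return fixed


def build_example():
    # The two commands from the thread, loaded into the model (assumed config).
    pix = PixNatModel()
    pix.alias(INSIDE, "100.1.1.1", "10.1.1.1")            # alias (inside) 100.1.1.1 10.1.1.1
    pix.static(INSIDE, OUTSIDE, "200.1.1.1", "10.1.1.1")  # static (in,out) 200.1.1.1 10.1.1.1
    return pix
```

Addresses such as 10.1.1.5 and 203.0.113.9 used to exercise the model are constructed sample hosts, not values from the thread.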
-----Original Message-----
From: Jim [mailto:systemboard@xxxxxxxxxx] 
Sent: Sunday, December 08, 2002 8:12 AM
To: security@xxxxxxxxxxxxxx
Subject: RE: NAT\Alias


Any takers on this post?  I am hoping someone has more input on it?

JT


This stuff is good.  I have always been confused on dnat and dns doctoring.
It is getting better but a few more questions...

Does DNS fixup refer to anytime you have an external DNS?  I take it that it
does not matter if you have illegal IPs on your network or not, is that
right?

dnat--why would I want the outside IP to refer to a diff IP than is stated
in my static but is referenced in the alias command.  For example:

alias (inside) 100.1.1.1 10.1.1.1
static (in,out) 200.1.1.1 10.1.1.1

You can assume I know nothing and need a detailed answer (please). A nice
answer that covers all the steps of the packet flow would be great!!!!

Thanks,

JT



--- On Wed 12/04, Jason Brown wrote:
From: Jason Brown [mailto:spderman_po@xxxxxxxxx]
To: systemboard@xxxxxxxxxxxxxx
Date: Tue, 3 Dec 2002 21:58:44 -0800 (PST)
Subject: RE: NAT\Alias

The alias command has 2 uses.

First is as you said for DNS "fixups"

Ex: You have Internal host, Internal WWW
(www.example.com) and External DNS.

When you make the query to the dns for www.example.com
you get the "public" ip address back but you don't
want that cuz your host will send the request to the
public address which hits the internal interface of
the Pix and the pix says I have a static for that
which is internal .. BUT the Pix will not redirect
traffic back out the same interface that the packet
came in on so it drops it. SOOOOO with the alias
command the pix sees the DNS reply for www.example.com
(via the Public IP you configure with the alias
command) and "fixes" it up to tell the internal host
that it is the "private" address.

Second scenario is as Justin just explained in a new
email.  You see a request to one address but want
anything that is sent to the alias'd address changed
to something else say .... www.porn.com
(200.200.200.1) redirected to www.disney.com
(100.100.100.1)

Hopefully this helps.

Jason



--- Jim  wrote:
> Since Justin brings up the alias command can someone
> explain the alias command with a real example?  I
> have read about alias on CCO and the explanation
> does not register.  I was under the impression the
> alias command had to do with not running DNS on an
> internal network and having illegal addressing on
> the inside.
> 
> Confused.
> 
> JT
> 
> 
> --- On Tue 12/03, Justin Menga wrote:
> From: Justin Menga [mailto:Justin.Menga@xxxxxxxxxxxxxx]
> To: Brian.Ritchie@xxxxxxxxxxx, security@xxxxxxxxxxxxxxxxxx
> Date: Wed, 4 Dec 2002 15:00:37 +1300
> Subject: RE: NAT'ing based on source AND destination
> 
> Hi,
> 
> You can use the alias command for this.
> 
> Regards,
> Justin
> 
> -----Original Message-----
> From: Ritchie, Brian
> [mailto:Brian.Ritchie@xxxxxxxxxxx]
> Sent: Wednesday, December 04, 2002 5:23 AM
> To: 'security@xxxxxxxxxxxxxx'
> Subject: NAT'ing based on source AND destination
> 
> 
> Hello all,
> 
> Is there any way on a pix to perform NAT based on
> source AND destination ?
> 
> For example, my internal network is 10.1.1.0/24 and
> I PAT all clients
> leaving the internal network using the external
> interface IP address.
> However, when an internal client wants to connect to
> a specific internet
> host x.x.x.x I want to NAT to a different IP in my
> public address space.
> 
> I am aware of associating a nat rule with an
> access-list, but this is only
> possible if you don't want to nat for VPN's etc (ie
> nat (inside) 0).
> 
> I've looked around and cant find any examples of how
> to do this, although I
> have seen it done on other firewall implementations,
> using Checkpoint for
> example.
> 
> Any help or work arounds are greatly appreciated.
> 
> FYI ...... I am using software version 6.1(4) and
> don't have any other
> devices to perform further NATing above or below the firewall.
> 
> Thanks in advance, Brian
> 
> 

