Understanding the alias Command for the Cisco Secure PIX Firewall
--------------------------------------------------------------------------------
The alias command has two possible functions:
It can be used to do "DNS Doctoring" of DNS replies from an external DNS server.
In DNS Doctoring, the PIX "changes" the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name.
This process is used when we want the actual application call from the internal client to connect to an internal server by its internal IP address.
It can be used to do "Destination NAT" (dnat) of one destination IP address to another IP address.
In dnat, the PIX "changes" the destination IP of an application call from one IP address to another IP address.
This process is used when we want the actual application call from the internal client to the server in a perimeter (dmz) network by its external IP address. This does not "doctor" the DNS replies.
For example, if a host sends a packet to 99.99.99.99, you can use the alias command to redirect traffic to another address, such as 10.10.10.10. You can also use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. For more information, consult the PIX documentation.
Hardware and Software Versions
The information in this document is based on the software and hardware versions below.
Cisco Secure PIX Firewall Software Releases 5.0.x and later
Translating an Internal Address with DNS Doctoring
In the first example, the web server has an IP address of 10.10.10.10, and the global IP address of this web server is 99.99.99.99.
Note: The DNS server is on the outside. Verify that the DNS server resolves your domain name to the global IP address of the web server by issuing an nslookup command. The result of the nslookup on the client PC should be the internal IP address of the server (10.10.10.10), because the DNS reply gets doctored as it passes through the PIX.
Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed.
sysopt noproxyarp internal_interface
Network Diagram
![/uploadfile/cisco/uploadfile/200710/20071007044426200.gif]( "/uploadfile/cisco/uploadfile/200710/20071007044426200.gif")
If we want the machine with the IP address 10.10.10.25 to access this web server by its domain name (), we need to implement the alias command as follows:
alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "inside" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 10.10.10.10
!--- address in the "DNS reply" sent to the client PC.
Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):
static(inside,outside) 99.99.99.99 10.10.10.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 10.10.10.10 to the global IP address 99.99.99.99.
To grant permission for access, you should use access list commands, as shown below.
access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.
If you prefer the older syntax, you can use a conduit command as follows.
conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Translating a DMZ Address with Destination NAT
If the web server is on the DMZ network of the PIX, the alias command must be used to do Destination NAT (dnat). In our example, the web server on the DMZ has an IP address of 192.168.100.10, and the outside IP address for this web server is 99.99.99.99. We want to use dnat to translate the IP address 99.99.99.99 to 192.168.100.10 on the actual call to the server; the DNS call and reply will be unchanged. In this example the DNS response seen by the internal client PC will be the external 99.99.99.99 IP address, since it is not DNS doctored.
Network Diagram
![/uploadfile/cisco/uploadfile/200710/20071007044431885.gif]( "/uploadfile/cisco/uploadfile/200710/20071007044431885.gif")
In this example, we want machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external domain name (). We do not want the PIX to do DNS Doctoring of the DNS replies. Instead, we want the PIX to dnat the external (global) IP Address of the web server to its "real" DMZ address (192.168.100.10).
We need to use the alias command to perform dnat:
alias(inside) 99.99.99.99 192.168.100.10 255.255.255.255
!--- This sets up the Destination NAT. In this example the DNS reply is not
!--- doctored by the PIX because the external address (99.99.99.99) does not
!--- match the foreign IP address in the alias command (the second IP).
!--- But the call will be "dnat-ed" because the destination address
!--- in the call will match the dnat IP address in the alias command (the first IP).
Note: The IP addresses in the alias command are in reverse order compared with the example above for DNS Doctoring.
Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):
static(dmz,outside) 99.99.99.99 192.168.100.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 192.168.100.10 to the global IP address 99.99.99.99.
To grant permission for access, you should use access list commands, as shown below.
access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.
If you prefer the older syntax, you can use a conduit command as follows.
conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Other Configuration Notes
The interface in the alias command should be the "interface" that the clients are calling from.
If there are also clients on the DMZ, you could add another alias for the DMZ interface (this one would be DNS doctoring).
For instance, let's say that, in the example above, you want other clients on the DMZ to use the external DNS but to call the web server by its DMZ address. To do this, you would create an additional alias command, tied to the DMZ interface, in order to DNS doctor the DNS reply packets.
alias (dmz) 192.168.100.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "dmz" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 192.168.100.10
!--- address in the "DNS reply" sent to the client PC.
You can have multiple alias commands tied to different interfaces on the same PIX.
