"Walter Roberson" <> skrev i en meddelelse
news:QBtYf.217952$sa3.109971@pd7tw1no...
Hi Walter,
>
> PIX 6.3 does support alias. PDM 3.whatever does not support alias
> though.
Ok, I can imagine that. But we do not use PDM.
>
> You should replace alias with "reverse" nat, or use of the 'dns'
> keyword on your statics, depending which of the two effects of alias
> you were after.
I found in the "Cisco PIX Firewall and VPN Configuration Guide" that
Cisco state that alias should be used on pre-6.2 installations, and that
outside NAT via static, with the interface order in () reversed, is what they
recommend. As they state: "outside NAT makes the use of the alias command
unnecessary".
I was looking for good arguments as to why outside NAT is better than
alias.
Any input on that ?
I got this also from the guide and tek-tips.com:
5-15:
CTIQBE application inspection does not support configurations using the alias command, which is deprecated after the introduction of outside NAT with PIX Firewall Version 6.2.

2-39:
To enable connectivity between the two overlapping networks, the alias command can be used with previous versions of PIX Firewall, or static outside NAT can be used with PIX Firewall Version 6.2 or higher. We recommend using static outside NAT instead of the alias command because it allows the isolation of address translation between two interfaces and optionally supports rewriting of DNS address resource records.

3-31:
ActiveX blocking does not occur when users access an IP address referenced by the alias command.

5-6:
Translates the DNS A-record on behalf of the alias command. With PIX Firewall Version 6.2 and higher, DNS inspection also supports static and dynamic NAT and outside NAT makes the use of the alias command unnecessary.
Not supported in 7.0 with ASDM, same as for PDM 3.x
regards
Martin Bilgrav
cfg-guide, VPN :
http://www.cisco.com/en/US/products/...html#wp1113519
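As an added illustration (not part of Martin's or Walter's posts, and not taken from the Cisco guide), here are the two effects of alias that Walter refers to, each next to its PIX 6.2+ replacement: the destination-rewrite effect becomes a static with the interface pair reversed to (outside,inside), and the DNS A-record rewrite effect becomes an ordinary inside-to-outside static with the dns keyword. The addresses are documentation ranges, the host and interface names are made up, and the keyword order is from the PIX 6.3 static syntax as I remember it (global_ip, local_ip, then dns, then netmask), so confirm it with `static ?` on your own image before pasting.

```text
! Added example, not from the original post. Addresses are documentation
! ranges; names are invented; verify keyword order with 'static ?' on 6.3.

! ---- Effect 1: destination rewrite ----------------------------------------
! Inside hosts reach the outside block 209.165.201.0/27 through the
! substitute addresses 192.168.201.0/27 (e.g. because 209.165.201.0/27
! overlaps something else that inside already uses).
!
! Deprecated pre-6.2 form:
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
!
! 6.2+ replacement, outside NAT. The interface pair is (outside,inside):
! the real hosts live on outside, the mapped addresses are what inside sees.
static (outside,inside) 192.168.201.0 209.165.201.0 netmask 255.255.255.224

! ---- Effect 2: DNS A-record rewrite -----------------------------------------
! An inside client asks an external DNS server for www.example.com and gets
! the public address 209.165.201.5 back, but the server is inside at 10.1.1.5.
! Without a rewrite the client tries to go out and back in through the same
! interface and fails.
!
! Deprecated pre-6.2 form:
alias (inside) 10.1.1.5 209.165.201.5 255.255.255.255
!
! 6.2+ replacement: the normal inside->outside static plus 'dns', so the DNS
! fixup changes 209.165.201.5 to 10.1.1.5 in replies that are delivered
! to inside hosts. The DNS fixup is on by default; shown here for clarity.
fixup protocol dns maximum-length 512
static (inside,outside) 209.165.201.5 10.1.1.5 dns netmask 255.255.255.255
```

After converting, `show static` should list both entries and `show xlate` should show the outside-NAT translation once an inside host has sent traffic to 192.168.201.x; an `nslookup www.example.com` from an inside host should now return 10.1.1.5 rather than the public address. Note that ActiveX blocking (guide 3-31) and CTIQBE inspection (guide 5-15) only work for addresses handled by static, not by alias, which is one concrete reason to prefer the static forms beyond the PDM/ASDM support issue.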