The Alias Command

The alias command has the form alias (if_name) dnat_ip foreign_ip [netmask]. You can use it for two purposes:

1) Destination NAT (dnat) of one destination address to another

  • In dnat, the PIX rewrites the destination IP address of a connection from one address to another.

  • This is used when you want a connection from an internal client to reach a server in a perimeter (DMZ) network by the server's external IP address, while the DNS replies are left unchanged (no "doctoring").

    alias (inside) 99.99.99.99 192.168.100.10 255.255.255.255

    !-- This sets up Destination NAT. In this example the DNS reply is not
    !-- doctored by the PIX, because the external address (99.99.99.99) does not
    !-- match the foreign IP address in the alias command (the second IP).
    !-- But the connection is "dnat-ed", because the destination address
    !-- of the connection matches the dnat IP address in the alias command (the first IP):
    !-- a client connecting to 99.99.99.99 is sent to 192.168.100.10.

2) DNS doctoring of DNS replies from an external DNS server

  • In DNS doctoring, the PIX rewrites the address in a DNS reply so that the client receives a different IP address for a given name than the one the DNS server actually answered.

  • This is used when an internal client resolves a name through an external DNS server, which returns the server's public address, but you want the client to connect to the internal server by its internal IP address. The PIX can only doctor replies that pass through it, so the DNS server must sit on the far side of the firewall from the client.

    alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255

    !-- This command sets up DNS doctoring. It applies to queries initiated by
    !-- clients on the "inside" network. The PIX watches for DNS replies that
    !-- contain 99.99.99.99 (the foreign IP, the second address) and replaces
    !-- it with 10.10.10.10 (the dnat IP, the first address) in the DNS reply
    !-- sent to the client PC, so the client connects to 10.10.10.10 directly.
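The following Python model is added here as an illustration and is not code from the page or from Cisco. It applies both behaviours of an alias entry to constructed inputs: destination NAT on a connection's destination address, and DNS doctoring on a hand-built DNS reply carrying A records. The alias(), dnat_destination(), doctor_dns_reply() and build_a_reply() names, the minimal DNS packets, and the handling of netmasks shorter than /32 (only the network bits are swapped, the host bits are kept) are this example's own assumptions, not behaviour documented on the page.

```python
"""Model of the PIX 'alias' command (added illustration, not Cisco code).

alias (if_name) dnat_ip foreign_ip netmask
  * Destination NAT : a destination matching dnat_ip/netmask becomes foreign_ip
  * DNS doctoring   : an A record matching foreign_ip/netmask becomes dnat_ip

Assumption of this model: with a netmask shorter than /32 only the network
bits are swapped and the host bits of the original address are preserved.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AliasEntry:
    if_name: str
    dnat_ip: IPv4Address
    foreign_ip: IPv4Address
    netmask: IPv4Address


def alias(if_name, dnat_ip, foreign_ip, netmask="255.255.255.255"):
    """Parse one alias statement from dotted strings into an AliasEntry."""
    return AliasEntry(if_name, IPv4Address(dnat_ip), IPv4Address(foreign_ip),
                      IPv4Address(netmask))


# The two entries shown on the page, as parsed alias statements.
DNAT_ENTRY = alias("inside", "99.99.99.99", "192.168.100.10")
DOCTOR_ENTRY = alias("inside", "10.10.10.10", "99.99.99.99")


def _translate(addr, match_ip, replace_ip, mask):
    """If addr is in match_ip/mask, return replace_ip with addr's host bits; else None."""
    m = int(mask)
    if (int(addr) & m) != (int(match_ip) & m):
        return None
    return IPv4Address((int(replace_ip) & m) | (int(addr) & ~m & 0xFFFFFFFF))


def dnat_destination(entries, dst):
    """Destination NAT: the first entry whose dnat_ip/netmask covers dst rewrites it."""
    dst = IPv4Address(dst)
    for e in entries:
        new = _translate(dst, e.dnat_ip, e.foreign_ip, e.netmask)
        if new is not None:
            return str(new)
    return str(dst)


def _skip_name(pkt, off):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the offset of each IN/A rdata field in a DNS response (none for a query)."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:             # QR bit clear: a query, nothing to doctor
        return
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answered_addresses(pkt):
    """A-record addresses carried in a reply, as dotted strings."""
    return [str(IPv4Address(bytes(pkt[o:o + 4]))) for o in _a_record_offsets(pkt)]


def doctor_dns_reply(entries, pkt):
    """DNS doctoring: rewrite A records matching an entry's foreign_ip/netmask to dnat_ip."""
    out = bytearray(pkt)
    for o in _a_record_offsets(out):
        addr = IPv4Address(bytes(out[o:o + 4]))
        for e in entries:
            new = _translate(addr, e.foreign_ip, e.dnat_ip, e.netmask)
            if new is not None:
                out[o:o + 4] = new.packed      # same length, later offsets stay valid
                break
    return bytes(out)


def build_a_reply(name, addrs, txid=0x1234):
    """Constructed minimal DNS response with one IN/A answer per address (sample input)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\0"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + IPv4Address(a).packed for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", ["99.99.99.99"])
    for label, entries in (("dnat only", [DNAT_ENTRY]), ("doctoring", [DOCTOR_ENTRY])):
        print(label, "| reply ->", answered_addresses(doctor_dns_reply(entries, reply)),
              "| connect to 99.99.99.99 ->", dnat_destination(entries, "99.99.99.99"))
```

With the first entry the reply still carries 99.99.99.99 and the connection to it is rewritten to 192.168.100.10; with the second entry the reply is rewritten to 10.10.10.10 and a connection to 99.99.99.99 is left alone, which is exactly the split between the two uses described above.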

Source: Cisco Corp
