Firewall commands - alias


Administer overlapping addresses with dual NAT. (Configuration mode.)

[no] alias [(if_name)] dnat_ip foreign_ip [netmask]

show alias

clear alias


Syntax Description

if_name      The internal network interface name on which the foreign_ip address overlaps.

dnat_ip      An address on the internal network that stands in for the external address (foreign_ip), which is the same as an address already in use on the internal network.

foreign_ip   IP address on the external network that has the same address as a host on the internal network.

netmask      Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.


Usage Guidelines

The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30. You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.

If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement.

After changing or removing an alias command statement, use the clear xlate command.

There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.

The alias command has two uses which can be summarized in the following ways of reading an alias command statement:

  • If the firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address.

  • If the firewall gets a DNS packet returned to the firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.

The no alias command disables a previously set alias command statement. The show alias command displays alias command statements in the configuration. The clear alias command removes all alias commands from the configuration.

The alias command automatically interacts with DNS servers on the network to ensure that domain name access to the aliased IP address is handled transparently.

You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, alias 192.168.201.0 209.165.201.0 255.255.255.224 creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.

ActiveX Blocking does not occur when users access an IP address referenced by the alias command. ActiveX blocking is set with the filter activex command.


Usage Notes

To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted. The following example illustrates this note.

alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside

An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.

Examples

In this example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the firewall because the client assumes 209.165.201.29 is on the local inside network. To correct this, use the alias command as follows:

alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224

When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the firewall to be 192.168.201.29. If the firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the firewall with SRC=209.165.201.2 and DST=209.165.201.29. The firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
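To make the two readings of an alias statement concrete, here is an added Python model of the behaviour walked through in this example. It is illustrative code written for this page, not PIX software or Cisco's implementation: it rewrites the address of each IN A answer in a DNS response that falls inside a foreign alias address range (the "doctoring" of replies), and translates a packet's destination from the dnat address back to the foreign address. The alias tables, the DNS message and the client addresses are constructed from the page's own examples, namely the net alias 192.168.201.0/209.165.201.0 above and the host alias 10.1.1.11/209.165.201.11 from the next example; the message builder and its transaction id are assumptions made so the code runs offline.

```python
import ipaddress
import struct

# Constructed alias tables (dnat_ip, foreign_ip, netmask), taken from the page's
# examples. NET_ALIAS is the /27 net alias above; HOST_ALIAS is the host alias
# used for the web server in the next example. Not read from a real device.
NET_ALIAS = [("192.168.201.0", "209.165.201.0", "255.255.255.224")]
HOST_ALIAS = [("10.1.1.11", "209.165.201.11", "255.255.255.255")]


def _nets(entry):
    dnat, foreign, mask = entry
    return (ipaddress.ip_network(f"{dnat}/{mask}", strict=False),
            ipaddress.ip_network(f"{foreign}/{mask}", strict=False))


def _rebase(addr, from_net, to_net):
    # Keep the host bits of addr, replace the network bits (same mask on both sides).
    host_bits = int(addr) & int(from_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


def translate_destination(dst_ip, aliases):
    """Reading 1: a packet destined for a dnat address is sent to the foreign address."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in aliases:
        dnat_net, foreign_net = _nets(entry)
        if addr in dnat_net:
            return _rebase(addr, dnat_net, foreign_net)
    return dst_ip  # no alias applies: destination unchanged


def fixup_a_record(foreign_addr, aliases):
    """Reading 2: an A record address inside a foreign alias net becomes the dnat address."""
    addr = ipaddress.ip_address(foreign_addr)
    for entry in aliases:
        dnat_net, foreign_net = _nets(entry)
        if addr in foreign_net:
            return _rebase(addr, foreign_net, dnat_net)
    return foreign_addr


def _skip_name(msg, off):
    # Advance past a DNS name: length-prefixed labels ending in a 0 byte, or a 2-byte pointer.
    while True:
        if off >= len(msg):
            raise ValueError("truncated DNS name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _answer_rdata(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4              # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def fixup_dns_response(msg, aliases):
    """Rewrite the address of every IN A answer that matches a foreign alias address.
    RDATA is replaced in place, so the message length and all offsets stay valid."""
    buf = bytearray(msg)
    for off, rtype, rclass, rdlen in _answer_rdata(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:     # TYPE A, CLASS IN
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            buf[off:off + 4] = ipaddress.IPv4Address(fixup_a_record(old, aliases)).packed
    return bytes(buf)


def answer_addresses(msg):
    """List the A record addresses in the answer section, for inspecting a response."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_rdata(msg)
            if (rtype, rclass, rdlen) == (1, 1, 4)]


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(name, addresses):
    """Constructed DNS response: one question, one IN A answer per address (TTL 300).
    Each answer refers to the question name with a compression pointer (0xC00C)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(a).packed for a in addresses)
    return header + question + answers


if __name__ == "__main__":
    reply = build_response("www.example.com.", ["209.165.201.29"])
    print(answer_addresses(fixup_dns_response(reply, NET_ALIAS)))   # ['192.168.201.29']
    print(translate_destination("192.168.201.29", NET_ALIAS))      # 209.165.201.29
```

Only the answer section is rewritten and only for records whose address lies inside a foreign alias range; addresses outside every alias pass through untouched, which is the same selectivity the netmask gives the real command. Because an A record's RDATA is always four bytes, the rewrite never changes the message length, so no offsets or compression pointers have to be recomputed.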

In the next example, a web server is on the inside at 10.1.1.11 and a static command statement was created for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows.

www.example.com.    IN    A    209.165.201.11

The period at the end of the www.example.com. domain name must be included.

The alias command follows:

alias 10.1.1.11 209.165.201.11 255.255.255.255

The firewall rewrites the name server's replies to 10.1.1.11 so that inside clients connect directly to the web server.

The static command statement is as follows:

static (inside,outside) 209.165.201.11 10.1.1.11

The access-list command statement you would expect to use follows:

access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet

But with the alias command, use this command:

access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7

You can test the DNS entry for the host with the following UNIX nslookup command:

nslookup -type=any www.example.com