Usage of the PIX alias command.
Understanding the alias Command for the Cisco Secure PIX Firewall
--------------------------------------------------------------------------------
The alias command has two possible functions:

It can be used to do "DNS Doctoring" of DNS replies from an external DNS server. In DNS Doctoring, the PIX "changes" the DNS response from a DNS server to be a different IP address than the DNS server actually answered for a given name. This process is used when we want the actual application call from the internal client to connect to an internal server by its internal IP address.

It can be used to do "Destination NAT" (dnat) of one destination IP address to another IP address. In dnat, the PIX "changes" the destination IP of an application call from one IP address to another IP address. This process is used when we want the actual application call from the internal client to reach the server in a perimeter (dmz) network by its external IP address. This does not "doctor" the DNS replies.

For example, if a host sends a packet to 99.99.99.99, you can use the alias command to redirect traffic to another address, such as 10.10.10.10. You can also use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. For more information, consult the PIX documentation.
Hardware and Software Versions
The information in this document is based on the software and hardware versions below.

Cisco Secure PIX Firewall Software Releases 5.0.x and later
Translating an Internal Address with DNS Doctoring
In the first example, the web server has an IP address of 10.10.10.10, and the global IP address of this web server is 99.99.99.99.

Note: The DNS server is on the outside. Verify that the DNS server resolves your domain name to the global IP address of the web server by issuing an nslookup command. When the nslookup is run on the client PC behind the PIX, the result should be the internal IP address of the server (10.10.10.10), because the DNS reply gets doctored as it passes through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed.

sysopt noproxyarp internal_interface
Network Diagram

If we want the machine with the IP address 10.10.10.25 to access this web server by its domain name (www.mydomain.com), we need to implement the alias command as follows:

alias (inside) 10.10.10.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "inside" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 10.10.10.10
!--- address in the "DNS reply" sent to the client PC.
Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static (inside,outside) 99.99.99.99 10.10.10.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 10.10.10.10 and the global IP address 99.99.99.99.

To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.

If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Translating a DMZ Address with Destination NAT
If the web server is on the DMZ network of the PIX, the alias command must be used to do Destination NAT (dnat). In our example, the web server on the DMZ has an IP address of 192.168.100.10, and the outside IP address for this web server is 99.99.99.99. We want to use dnat to translate the IP address 99.99.99.99 to 192.168.100.10 on the actual call to the server; the DNS call and reply will be unchanged. In this example the DNS response seen by the internal client PC will be the external 99.99.99.99 IP address, since it is not DNS doctored.
Network Diagram

In this example, we want machines in the 10.10.10.0/24 network to access this web server in the DMZ by its external domain name (www.mydomain.com). We need to use the alias command to perform dnat:

alias (inside) 99.99.99.99 192.168.100.10 255.255.255.255
!--- This sets up the Destination NAT. In this example the DNS reply is not
!--- doctored by the PIX because the external address (99.99.99.99) does not
!--- match the foreign IP address in the alias command (the second IP).
!--- But the call will be "dnat-ed" because the destination address
!--- in the call will match the dnat IP address in the alias command (the first IP).

Note: The IP addresses in the alias command are in reverse order compared with the example above for DNS Doctoring.
Next, a static translation must be created for the web server, and we need to give anyone on the Internet access to the web server on port 80 (http):

static (dmz,outside) 99.99.99.99 192.168.100.10 netmask 255.255.255.255
!--- This command creates a static translation between the web server's
!--- real address 192.168.100.10 and the global IP address 99.99.99.99.

To grant permission for access, you should use access list commands, as shown below.

access-list 101 permit tcp any host 99.99.99.99 eq www
access-group 101 in interface outside
!--- These commands permit any outside user to access the web server on port 80.

If you prefer the older syntax, you can use a conduit command as follows.

conduit permit tcp host 99.99.99.99 eq www any
!--- This command permits any outside user to access the web server on port 80.
Other Configuration Notes
The interface in the alias command should be the "interface" that the clients are calling from. If there are also clients on the DMZ, you could add another alias for the DMZ interface (this one would be DNS doctoring).

For instance, let's say that, in the example above, you want other clients on the DMZ to use the external DNS but to call the web server by its DMZ address. To do this, you would create an additional alias command, tied to the DMZ interface, in order to DNS doctor the DNS reply packets.

alias (dmz) 192.168.100.10 99.99.99.99 255.255.255.255
!--- This command sets up DNS Doctoring. It is initiated from the clients in
!--- the "dmz" network. It watches for DNS replies that contain
!--- 99.99.99.99, then replaces the 99.99.99.99 address with the 192.168.100.10
!--- address in the "DNS reply" sent to the client PC.

You can have multiple alias commands tied to different interfaces on the same PIX.
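To make the argument order and the per-interface behaviour concrete, here is an added Python model of what an alias entry does to traffic (example code written for this page; it is not PIX software or Cisco code). It stores each entry as (if_name, dnat_ip, foreign_ip, netmask), in the same order as on the PIX command line, and applies both rules to every entry: a DNS reply going to clients on that interface has A records matching foreign_ip (the second address) rewritten to dnat_ip (the first), and a packet from that interface whose destination matches dnat_ip is sent on to foreign_ip. It walks the inside alias from the Destination NAT example and the dmz alias from this section, plus the inside alias from the DNS Doctoring example, using the page's addresses; the DNS reply it rewrites is constructed in the block, and the class and function names are this example's own. The netmask handling (mask applied to both addresses, host bits carried over) is this model's assumption about how a shorter mask covers a whole network.

```python
"""Model of the two things a PIX alias entry does: DNS Doctoring of replies
and Destination NAT of packets. Added illustration, not PIX software."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Alias:
    """One 'alias (if_name) dnat_ip foreign_ip netmask' entry, PIX argument order."""
    if_name: str
    dnat_ip: str
    foreign_ip: str
    netmask: str = "255.255.255.255"

    def _masked(self, ip: str) -> int:
        return int(IPv4Address(ip)) & int(IPv4Address(self.netmask))

    def _swap(self, ip: str, target: str) -> str:
        # Replace the masked part of ip with the masked part of target; host bits
        # outside the mask are kept (assumption; only matters for masks shorter than /32).
        host_bits = int(IPv4Address(ip)) & (~int(IPv4Address(self.netmask)) & 0xFFFFFFFF)
        return str(IPv4Address(self._masked(target) | host_bits))

    def matches_foreign(self, ip: str) -> bool:
        return self._masked(ip) == self._masked(self.foreign_ip)

    def matches_dnat(self, ip: str) -> bool:
        return self._masked(ip) == self._masked(self.dnat_ip)

    def to_dnat(self, ip: str) -> str:      # used for DNS Doctoring
        return self._swap(ip, self.dnat_ip)

    def to_foreign(self, ip: str) -> str:   # used for Destination NAT
        return self._swap(ip, self.foreign_ip)


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS response with a single A record (sample input, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, 1 question, 1 answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_records(buf: bytes):
    """Yield (rtype, rdata_offset, rdlen) for each record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10                               # TYPE, CLASS, TTL, RDLENGTH
        yield rtype, off, rdlen
        off += rdlen


def a_records(buf: bytes) -> list:
    """Addresses of the A records in a DNS reply, as dotted strings."""
    return [str(IPv4Address(buf[o:o + 4]))
            for rtype, o, rdlen in _answer_records(buf) if rtype == 1 and rdlen == 4]


def doctor_dns_reply(if_name: str, reply: bytes, aliases) -> bytes:
    """DNS Doctoring: in a reply going to clients on if_name, an A record that
    matches an alias's foreign_ip (second argument) is rewritten to its dnat_ip."""
    out = bytearray(reply)
    for rtype, off, rdlen in _answer_records(reply):
        if rtype != 1 or rdlen != 4:
            continue
        ip = str(IPv4Address(bytes(out[off:off + 4])))
        for a in aliases:
            if a.if_name == if_name and a.matches_foreign(ip):
                out[off:off + 4] = IPv4Address(a.to_dnat(ip)).packed
                break
    return bytes(out)


def translate_destination(if_name: str, dst_ip: str, aliases) -> str:
    """Destination NAT: a packet from if_name whose destination matches an alias's
    dnat_ip (first argument) is forwarded to the alias's foreign_ip instead."""
    for a in aliases:
        if a.if_name == if_name and a.matches_dnat(dst_ip):
            return a.to_foreign(dst_ip)
    return dst_ip


# The DMZ example from the page: dnat for inside clients, doctoring for dmz clients.
ALIASES = [
    Alias("inside", "99.99.99.99", "192.168.100.10"),
    Alias("dmz", "192.168.100.10", "99.99.99.99"),
]
# The first example: same addresses the other way round, so the reply is doctored.
DOCTORING_ALIAS = [Alias("inside", "10.10.10.10", "99.99.99.99")]

if __name__ == "__main__":
    reply = build_a_reply("www.mydomain.com", "99.99.99.99")
    print("reply from outside DNS:        ", a_records(reply))
    print("seen by inside client (dnat):  ", a_records(doctor_dns_reply("inside", reply, ALIASES)))
    print("inside packet to 99.99.99.99 ->", translate_destination("inside", "99.99.99.99", ALIASES))
    print("seen by dmz client:            ", a_records(doctor_dns_reply("dmz", reply, ALIASES)))
    print("seen by inside client (ex. 1): ", a_records(doctor_dns_reply("inside", reply, DOCTORING_ALIAS)))
```

Running the block shows the contrast the Note above describes: with 99.99.99.99 as the first argument the reply reaches the inside client unchanged and only the connection is redirected, while with 99.99.99.99 as the second argument the reply itself is rewritten. The interface name on each entry is what keeps the dmz doctoring entry from touching replies delivered to inside clients, which is why the page ties each alias to the interface the clients call from.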