The ASA version of PIX ‘alias’ command

I finally figured out, albeit late, how to do the old “PIX” ‘alias’ command on a Cisco ASA.

For those who remember, the ‘alias’ command would basically do a DNS rewrite.  If you have a webserver on your DMZ with a static IP on an outside address, your internal users wouldn’t be able to access it.  DNS would return your outside IP, but because that address is on the outside interface and your users are coming in on an inside interface, they couldn’t reach it.

So, you would use the ‘alias’ command to basically tell the PIX to “rewrite” the DNS response address to the DMZ address.  And voilà!  Access to your DMZ systems but still using the external IP.

So, how do you do this on a Cisco ASA?

Well, first and foremost, you need to be running DNS inspection in your global inspection policy (it is on by default).

Once that is done, it is *SUPER* easy.  Let’s say you have the following STATIC entry in your ASA:

static (DMZ,outside) 1.1.1.1 172.16.1.1 netmask 255.255.255.255

You just add the keyword ‘dns’ at the end:

static (DMZ,outside) 1.1.1.1 172.16.1.1 netmask 255.255.255.255 dns

So long as your DNS queries go through this same firewall (that is critically important), then the ASA will re-write the DNS response to the IP that your STATIC entry was mapped to.
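
The two pieces described above, put together as an added example (not from the original post or from Cisco's document). The inspection lines are the default global policy as shipped on ASA 7.2 and later, with the other default inspect lines omitted; the `object network` form is the equivalent syntax on ASA 8.3 and later, where the `static` command was replaced, and the object name is made up for illustration.

```cisco
! 1. DNS inspection must be active in the global policy (default config).
!    Check yours with: show running-config policy-map
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! 2a. ASA 8.2 and earlier: the static from the post, with the dns keyword.
static (DMZ,outside) 1.1.1.1 172.16.1.1 netmask 255.255.255.255 dns
!
! 2b. ASA 8.3 and later: the same translation written as object NAT.
!     "dmz-web" is a hypothetical object name.
object network dmz-web
 host 172.16.1.1
 nat (DMZ,outside) static 1.1.1.1 dns
!
! Effect: a DNS reply containing 1.1.1.1 that passes through this ASA is
! rewritten to 172.16.1.1 before it reaches the internal client. A reply
! that never traverses the ASA (for example, from a DNS server on the same
! segment as the client) is not rewritten.
```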

Brilliant!  Like I said, this is old news, but I just learned it.  Go here for more detail: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
