Zhuzhu... I solved this problem on my side... by using the alias command on the firewall!
My situation: the inside interface has both PCs and a WWW server connected. After doing DNAT with static, the outside can reach the internal WWW server; the global command does outbound SNAT for the internal PCs... Then there is the matter of internal machines accessing the internal WWW server by domain name or by public IP.
There is a reference article, from ultratechnology:
http://www.ultratechnology.net/forums/show...&threadid=18063
Cisco's official documentation explains the command as follows; read it slowly!
alias
Administer overlapping addresses with dual NAT. (Configuration mode.)
Configure with the command:
alias [(if_name)] dnat_ip foreign_ip [netmask]
Remove with the command:
no alias [[(if_name)] dnat_ip foreign_ip [netmask]]
clear alias
Show command:
show alias
Show command output: Displays the alias command statements in the configuration.
Syntax Description
dnat_ip
An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network.
foreign_ip
IP address on the external network that has the same address as a host on the internal network.
if_name
The internal network interface name in which the foreign_ip overlaps.
netmask
Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.
Usage Guidelines
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as, 209.165.201.30.
--------------------------------------------------------------------------------
Note For DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed:
sysopt noproxyarp internal_interface
--------------------------------------------------------------------------------
If the alias command is used with the sysopt ipsec pl-compatible command, a static route command statement must be added for each IP address specified in the alias command statement. There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command.
Use the no alias command to disable a previous set alias command statement. Use the show alias command to display alias command statements in the configuration. Use the clear alias command to remove all alias commands from the configuration. After changing or removing an alias command statement, use the clear xlate command.
The alias command changes the default behavior of the PIX Firewall in three ways:
•When receiving a packet coming in through the interface identified by if_name, destined for the address identified by dnat_ip, PIX Firewall sends it to the address identified by foreign_ip.
•When receiving a DNS A response, containing the address identified by foreign_ip, coming from a lower security interface, and destined for the host behind the interface identified by if_name, PIX Firewall changes foreign_ip in the reply to dnat_ip. This can be turned off by using the command sysopt nodnsalias inbound.
•When receiving a DNS A response, containing the address identified by dnat_ip, coming from a DNS server behind the interface, if_name, and destined for a host behind the lower security interface, PIX Firewall changes dnat_ip address to foreign_ip. This can be turned off using the command sysopt nodnsalias outbound.
The alias command is applied on a per-interface basis, while the sysopt nodnsalias command changes the behaviour for all interfaces. Also, note that addresses in zone transfers made across the PIX Firewall are not changed.
You can specify a net alias by using network addresses for the foreign_ip and dnat_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
Usage Notes
•To access an alias dnat_ip address with static and access-list command statements, specify the dnat_ip address in the access-list command statement as the address from which traffic is permitted. The following example illustrates this note.
alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255
static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255
access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-data
access-group acl_out in interface outside
An alias is specified with the inside address 192.168.201.1 mapping to the foreign address 209.165.201.1.
•You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies.
Examples
In the following example, the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the PIX Firewall because the client assumes 209.165.201.29 is on the local inside network.
To correct this, use the alias command as follows:
alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224
show alias
alias 192.168.201.0 209.165.201.0 255.255.255.224
When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the PIX Firewall to be 192.168.201.29. If the PIX Firewall uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the PIX Firewall with SRC=209.165.201.2 and DST=192.168.201.29. The PIX Firewall translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
In the next example, a web server is on the inside at 10.1.1.11 and a static command statement was created for it at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
www.example.com. IN A 209.165.201.11
The period at the end of the www.example.com. domain name must be included.
The alias command follows:
alias 10.1.1.11 209.165.201.11 255.255.255.255
PIX Firewall doctors the nameserver replies to 10.1.1.11 for inside clients to directly connect to the web server.
The static command statement is as follows:
static (inside,outside) 209.165.201.11 10.1.1.11
The access-list command statement you would expect to use follows:
access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnet
But with the alias command, use this command:
access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7
You can test the DNS entry for the host with the following UNIX nslookup command:
nslookup -type=any www.example.com
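The three alias behaviours listed above (destination rewrite, inbound and outbound DNS A-record fixup, and the sysopt nodnsalias switches) and the page's two alias examples, modelled as an added Python example that is not Cisco's code or the poster's configuration; the class and function names are my own, and the second (host) alias is assumed to sit on the inside interface since the page shows it without one:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Alias:
    if_name: str                        # interface the alias applies to
    dnat_net: ipaddress.IPv4Network     # dnat_ip side: alternate inside addresses
    foreign_net: ipaddress.IPv4Network  # foreign_ip side: overlapping outside addresses

def make_alias(if_name, dnat_ip, foreign_ip, netmask="255.255.255.255"):
    """Build an entry from 'alias (if_name) dnat_ip foreign_ip [netmask]'."""
    return Alias(if_name,
                 ipaddress.IPv4Network(f"{dnat_ip}/{netmask}", strict=False),
                 ipaddress.IPv4Network(f"{foreign_ip}/{netmask}", strict=False))

def _remap(addr, src_net, dst_net):
    """Move addr to the same host offset in dst_net; None if it is not in src_net."""
    a = ipaddress.IPv4Address(addr)
    if a not in src_net:
        return None
    return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

def _apply(aliases, if_name, addr, to_foreign):
    """First matching alias on if_name wins; unmatched addresses pass unchanged."""
    for al in (x for x in aliases if x.if_name == if_name):
        src, dst = (al.dnat_net, al.foreign_net) if to_foreign else (al.foreign_net, al.dnat_net)
        hit = _remap(addr, src, dst)
        if hit is not None:
            return hit
    return addr

def translate_dest(aliases, if_name, dst):
    """Behaviour 1: a packet entering if_name for dnat_ip is forwarded to foreign_ip."""
    return _apply(aliases, if_name, dst, to_foreign=True)

def fixup_dns_inbound(aliases, if_name, a_record, enabled=True):
    """Behaviour 2: A reply from a lower-security interface to a host behind if_name:
    foreign_ip -> dnat_ip. enabled=False models 'sysopt nodnsalias inbound'."""
    return _apply(aliases, if_name, a_record, to_foreign=False) if enabled else a_record

def fixup_dns_outbound(aliases, if_name, a_record, enabled=True):
    """Behaviour 3: A reply from a DNS server behind if_name to a lower-security host:
    dnat_ip -> foreign_ip. enabled=False models 'sysopt nodnsalias outbound'."""
    return _apply(aliases, if_name, a_record, to_foreign=True) if enabled else a_record

# Constructed tables from the page's two examples, kept separate because their
# foreign ranges overlap (the second is shown without an interface; inside assumed).
NET_ALIAS = [make_alias("inside", "192.168.201.0", "209.165.201.0", "255.255.255.224")]
HOST_ALIAS = [make_alias("inside", "10.1.1.11", "209.165.201.11")]
```

The outbound source translation done by the global pool in the first example is a separate nat/global mechanism and is not modelled here.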