DMZ

Answered Question
Oct 11th, 2007

I have set up a DMZ on an ASA 5500. I can access the web server from the internet and cannot access it from the inside network.

The DMZ is using a 10 network and uses static NAT to a registered IP. The inside network is using a different 10 network. I cannot access the web server with either the 10 net address or the registered address. Shouldn't the inside users just be able to enter in the web site address and be able to get to the server?

I am doing the config using the ASDM program.

Any suggestions?

Thanks, Seth

acomiskey Thu, 10/11/2007 - 09:22

To access by private ip address from the inside you need...

if 10.1.1.0/24 is your inside network...

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

To access them by their public ip addresses you need to do dns doctoring or destination nat like so...

static (dmz,inside) public.ip dmz.ip netmask 255.255.255.255

Please rate helpful posts.

srosenthal Thu, 10/11/2007 - 09:35

Their web site is already in the public DNS as it is reachable from the outside by name.

They have a link on a public web page that would take them back to this web server in the DMZ. When they click on the link from behind the firewall it does not work. Only works from outside the firewall.

They also try to put in the www.xxxxxx.com name in their web browser from inside and it does not work.

Seth

Correct Answer
acomiskey Thu, 10/11/2007 - 09:39

I understand...

You will not be able to hit http://www.xxxxxx.com if it resolves to an outside ip address from inside the firewall. You will have to use dns doctoring (if your inside users use an external dns server) or use destination nat. The destination nat statement I wrote above will allow inside users to use the public.ip from inside the firewall, and the firewall will translate this to the private dmz address.

If www.xxxxx.com resolves to 1.2.3.4 and the ip address of the server in the dmz is 10.2.1.1 then you need:

static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
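As an added example, not part of the thread and not the poster's own config, here is the full set of pre-8.3 ASA static statements for this scenario in one place, including the DNS-doctoring alternative that the answers mention but do not spell out. Assumed values: inside network 10.1.1.0/24, DMZ server 10.2.1.1, public address 1.2.3.4 (placeholders taken from the posts), interfaces named inside, dmz and outside.

```cisco
! Added example (not from the thread): ASA pre-8.3 NAT for an inside user
! reaching a DMZ web server by its public address.
! Assumed placeholders: inside 10.1.1.0/24, DMZ server 10.2.1.1,
! public address 1.2.3.4; interface names inside, dmz, outside.

! 1. Publish the DMZ server to the Internet (the part that already worked).
static (dmz,outside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255

! 2. Identity NAT so inside hosts can reach the DMZ by the private address
!    10.2.1.1; inside addresses appear unchanged on the dmz interface.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 3a. Destination NAT: an inside host that connects to 1.2.3.4 is sent to
!     10.2.1.1 on dmz. Works even when inside users resolve the name
!     through an external DNS server, because no DNS answer is changed.
static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255

! 3b. Alternative, DNS doctoring: instead of 3a, add the "dns" keyword to
!     statement 1 so the ASA rewrites the A record 1.2.3.4 -> 10.2.1.1 in
!     DNS replies passing through it. Needs DNS inspection enabled (it is
!     in the default global_policy); inside users then connect directly
!     to the private address, so statement 2 must also be present.
! static (dmz,outside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255 dns
! policy-map global_policy
!  class inspection_default
!   inspect dns
```

Verify with `show xlate` after a test connection from the inside: for 3a you should see a translation of 1.2.3.4 to 10.2.1.1, for 3b none, because the client already talks to 10.2.1.1.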
