10-11-2007 09:11 AM - edited 03-09-2019 07:00 PM
I have set up a DMZ on an ASA 5500. I can access the web server from the internet and cannot access it from the inside network.
The DMZ is using a 10 network and is static NATed to a registered IP. The inside network is using a different 10 network. I cannot access the web server with either the 10 net address or the registered address. Shouldn't the inside users just be able to enter in the web site address and be able to get to the server?
I am doing the config using the ASDM program.
Any suggestions?
Thanx, Seth
10-11-2007 09:22 AM
To access by private ip address from the inside you need...
if 10.1.1.0/24 is your inside network...
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
To access them by their public ip addresses you need to do dns doctoring or destination nat like so...
static (dmz,inside) public.ip dmz.ip netmask 255.255.255.255
Please rate helpful posts.
10-11-2007 09:35 AM
Their web site is already in the public DNS, as it is reachable from the outside by name.
They have a link on a public web page that would take them back to this web server in the DMZ. When they click on the link from behind the firewall it does not work. Only works from outside the firewall.
They also try to put in the www.xxxxxx.com name in their web browser from inside and it does not work.
Seth
10-11-2007 09:39 AM
I understand...
You will not be able to hit http://www.xxxxxx.com if it resolves to an outside ip address from inside the firewall. You will have to use dns doctoring (if your inside users use an external dns server) or use destination nat. The destination nat statement I wrote above will allow inside users to use the public.ip from inside the firewall, and the firewall will translate this to the private dmz address.
If www.xxxxx.com resolves to 1.2.3.4 and the ip address of the server in the dmz is 10.2.1.1 then you need....
static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
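Putting the two answers above together, here is an added example configuration (not posted by anyone in the thread) that shows all three pieces side by side: the identity static for reaching the DMZ host by its private address, the destination NAT for reaching it by its public address, and the DNS doctoring alternative. It assumes the addresses used in the thread (inside 10.1.1.0/24, DMZ web server 10.2.1.1, public address 1.2.3.4) and the pre-8.3 `static` syntax the thread uses; the interface names inside/dmz/outside and the policy-map names are the ASA defaults.

```text
! Added example, not from the original posts. Assumed addresses:
!   inside network 10.1.1.0/24, DMZ web server 10.2.1.1, public IP 1.2.3.4
!
! 1. Identity static so inside hosts can reach the DMZ by private address
!    (pre-8.3 needs a translation between every interface pair)
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 2a. Destination NAT: inside clients connect to 1.2.3.4, the ASA rewrites
!     the destination to 10.2.1.1 as the packet enters the DMZ.
!     This works even when inside clients resolve names via an external DNS.
static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
!
! 2b. DNS doctoring instead of 2a: add the "dns" keyword to the existing
!     outside static. When a DNS reply carrying A-record 1.2.3.4 passes
!     through the ASA toward the inside, the ASA rewrites it to 10.2.1.1,
!     so inside clients connect straight to the DMZ address (and then only
!     the identity static in step 1 is needed for the data traffic).
static (dmz,outside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255 dns
!
! DNS doctoring only happens if DNS inspection is enabled; this is on by
! default in the global policy, shown here for completeness.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Note: if an access-group is applied inbound on the inside interface, it
! must also permit the traffic; otherwise inside (higher security) to dmz
! (lower security) is allowed by default.
```

Pick 2a or 2b, not both: with doctoring, inside clients never send packets to 1.2.3.4, so the (dmz,inside) static is unnecessary. Doctoring only helps when the DNS reply actually transits the ASA; clients using an internal DNS server that already hands out 10.2.1.1 need neither. On ASA 8.3 and later the NAT syntax changed: a translation is no longer required between interfaces, so step 1 goes away, and the doctoring static becomes an object NAT of the form `object network dmz-web` / `host 10.2.1.1` / `nat (dmz,outside) static 1.2.3.4 dns`.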