10-18-2007 05:08 AM - edited 03-11-2019 04:27 AM
Hi,
I know there are tons of threads like this, but all of them concern going from inside to inside.
Now, our problem is that we want to be able to visit www.something.com from computers on the inside interface. www.something.com resolves to a public IP on the ASA, which translates to a DMZ IP address.
I know that the only way out of this is by using a static NAT command, I just can't figure out the syntax, or where to place it.
Hopefully someone out there can help :)
Thanks in advance,
Rasmus
10-18-2007 05:29 AM
This should help. It worked for me with servers in the DMZ.
http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html
HTH and please rate.
10-18-2007 05:34 AM
You actually have 2 options. You can do dns doctoring or destination nat.
Destination Nat
www.something.com = 1.1.1.1
private dmz address = 10.1.1.1
static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
DNS Doctoring
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
10-18-2007 06:13 AM
I can't do DNS doctoring, because we have internal DNS servers.
I'll go for destination NAT. Thanks a bunch!
BR,
Rasmus
10-24-2007 01:30 AM
Now, I've setup destination NAT like your example. The funny thing is that it only works for some of our dmz sites.
Should I add the "DNS rewrite" feature on these destination NAT rules?
Does it matter which dns servers the dmz servers uses?
Thanks in advance,
Rasmus
10-24-2007 05:31 AM
It should work for any server in the dmz. Do you want to post a clean config? Also, which destination nat statements are not working?
10-25-2007 12:54 AM
The firewall has not been put live yet. I've only connected it a couple of nights to check the status of various issues. This makes it difficult to test new configurations quickly.
Anyway, I discovered that the web servers that had this problem, all used external DNS servers. I've corrected this, so that they use the internal dns servers (like the rest of the web servers that actually work).
Now, I haven't had time to test this yet, but would it make sense, that this might be the issue?
BR,
Rasmus
10-25-2007 05:24 AM
Not really. Just to recap, you are using destination NAT to use the public IP addresses of the web servers from the inside, right? If this is the case, the DNS servers defined on the web servers should have nothing to do with it.
10-30-2007 07:42 AM
Hi,
I think I've solved it. The servers had multiple IP addresses, and Anti-Spoofing was enabled on the DMZ interface. I'll test this later.
In the meantime, I've discovered that now that I've made this destination-NAT thing, I cannot connect with Remote Desktop (or any other protocol) to the private DMZ addresses. How do I do that?
I need to be able to browse the public dmz websites, but at the same time be able to rdp to the private address. Is this even possible? If so, how?
If not, what do everybody else do? I can't be the only one with this need...
Thanks,
Rasmus
10-30-2007 07:47 AM
You can still do destination NAT, just for a specific port.
Stealing Adam's example :-)
www.something.com = 1.1.1.1
private dmz address = 10.1.1.1
static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255
With that port you can browse to 1.1.1.1:80 and RDP to 10.1.1.1.
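The two static statements from the thread (the full 1:1 static from the 05:34 AM answer and the port-restricted static from the 07:47 AM answer) placed side by side, together with the ASA 8.3+ object NAT equivalent and a way to check which translation a given flow hits. This is an added example, not configuration posted in the thread; the interface names "inside" and "dmz", the inside client address 10.0.0.5, the 8.3+ syntax and the use of packet-tracer are assumptions, and the public/private addresses are the thread's own placeholders.

```cisco
! Added example, not from the thread: destination NAT so that inside hosts
! reach a DMZ web server by its public address.
! Placeholders from the thread: public 1.1.1.1, DMZ host 10.1.1.1.
! Assumed: nameif "inside" (security 100) and "dmz" (lower security), so
! inside -> dmz traffic needs no access-list unless one is applied to inside.

! --- ASA 7.x / 8.0-8.2 syntax (as posted in the thread) ---
! Full 1:1 translation: inside hosts reach 10.1.1.1 by sending to 1.1.1.1.
! The thread reports that with this static in place, connections from
! inside to the private address 10.1.1.1 (for example RDP) no longer work.
static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

! Port-restricted alternative (the accepted answer): only TCP/80 is
! translated, so 1.1.1.1:80 reaches the web site and 10.1.1.1:3389 still
! reaches RDP. Use this INSTEAD of the line above, not in addition to it.
static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255

! --- DNS doctoring, the other option named in the 05:34 AM answer ---
! Only applies when the inside clients' DNS replies for www.something.com
! pass through the ASA (i.e. they use an external resolver); the "dns"
! keyword on the outside static then rewrites the A record to 10.1.1.1 and
! no (dmz,inside) static is needed. Not usable here, per the 06:13 AM post.
! static (dmz,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255 dns

! --- ASA 8.3+ equivalent (object NAT; assumed, not part of the thread) ---
object network DMZ-WEB-PRIVATE
 host 10.1.1.1
 ! full 1:1 translation toward inside (equivalent of the first static):
 ! nat (dmz,inside) static 1.1.1.1
 ! port-restricted translation, TCP/80 only (equivalent of the second):
 nat (dmz,inside) static 1.1.1.1 service tcp 80 80

! --- Verification (assumed; packet-tracer is available from ASA 7.2) ---
! Inside client (assumed 10.0.0.5) browsing the public address; the NAT
! phase of the trace should show the (dmz,inside) static being applied:
packet-tracer input inside tcp 10.0.0.5 1025 1.1.1.1 80
! The same client opening RDP to the private address; compare the NAT phase
! of this trace under the full static and under the port-restricted one:
packet-tracer input inside tcp 10.0.0.5 1026 10.1.1.1 3389
! Translation table entries for the DMZ host:
show xlate | include 10.1.1.1
```

Apply only one of the two (dmz,inside) statics: the port-restricted form is the one to keep when, as in the thread, the private address must also stay reachable for management protocols such as RDP.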
10-30-2007 08:04 AM
You are my hero :)
Thanks a bunch!
Rasmus