Visiting website on DMZ from inside using public dns

Hi,

I know there are tons of threads like this, but all of them concerns going from inside to inside.

Now, our problem is that we want to be able to visit www.something.com from computers on the inside interface. www.something.com translates to a public ip on the ASA which translates to a dmz ip address.

I know that the only way out of this is by using a static NAT command, I just can't figure out the syntax, or where to place it.

Hopefully someone out there can help :)

Thanks in advance,

Rasmus

10 Replies

Collin Clark
VIP Alumni

This should help. It worked for me with servers in the DMZ.

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

HTH and please rate.

acomiskey
Level 10

You actually have 2 options. You can do dns doctoring or destination nat.

Destination Nat

www.something.com = 1.1.1.1

private dmz address = 10.1.1.1

static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

DNS Doctoring

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

I can't do DNS doctoring, 'cause we have internal DNS servers.

I'll go for destination NAT. Thanks a bunch!

BR,

Rasmus

Now, I've set up destination NAT like your example. The funny thing is that it only works for some of our dmz sites.

Should I add the "DNS rewrite" feature on these destination NAT rules?

Does it matter which dns servers the dmz servers use?

Thanks in advance,

Rasmus

It should work for any server in the dmz. Do you want to post a clean config? Also, which destination nat statements are not working?

The firewall has not been put live yet. I've only connected it a couple of nights, to check status on various issues. This makes it difficult to test new configurations quickly.

Anyway, I discovered that the web servers that had this problem, all used external DNS servers. I've corrected this, so that they use the internal dns servers (like the rest of the web servers that actually work).

Now, I haven't had time to test this yet, but would it make sense, that this might be the issue?

BR,

Rasmus

Not really. Just to recap, you are using destination nat to use the public ip addresses of the webservers from the inside, right? If this is the case, the dns servers defined on the webservers should have nothing to do with it.

Hi,

I think I've solved it. The servers had multiple IP addresses, and Anti-Spoofing was enabled on the DMZ interface. I'll test this later.

In the meantime, I've discovered that now that I've made this destination-NAT-thing, I cannot connect with RemoteDesktop (or any other protocol) to the private dmz addresses. How do I do that?

I need to be able to browse the public dmz websites, but at the same time be able to rdp to the private address. Is this even possible? If so, how?

If not, what does everybody else do? I can't be the only one with this need...

Thanks,

Rasmus

You can still do destination NAT, just for a specific port.

Stealing Adams example :-)

www.something.com = 1.1.1.1

private dmz address = 10.1.1.1

static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255

With that port you can browse to 1.1.1.1:80 and RDP to 10.1.1.1.
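The two options named in this thread (port-specific destination NAT, and DNS doctoring as the alternative), written out as a pre-8.3 ASA configuration fragment with verification commands. This is an added example, not the configuration posted by acomiskey or by the thread author; it reuses the thread's addresses (1.1.1.1 public, 10.1.1.1 DMZ host) and assumes a constructed inside client at 10.0.0.50 and an interface named "inside".

```cisco
! Added example (not from the thread): port-restricted destination NAT on
! a pre-8.3 ASA, using the thread's addresses.
! Assumed: 1.1.1.1 is the public address www.something.com resolves to,
! 10.1.1.1 is the DMZ host, and 10.0.0.50 is a constructed inside client.

! Inside clients connecting to 1.1.1.1 on TCP/80 are translated to the
! DMZ host. Because only port 80 is translated, 10.1.1.1 stays reachable
! on its private address for RDP (TCP/3389) or anything else.
static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255

! The other option named above: DNS doctoring. The "dns" keyword on the
! outside static rewrites the A record in DNS replies that pass through
! the ASA, so inside clients receive 10.1.1.1 instead of 1.1.1.1. It only
! helps when the DNS replies actually traverse the firewall.
static (dmz,outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255 dns

! Verification: trace a constructed inside-to-web flow and confirm the
! translation is applied, then confirm an RDP flow to the private
! address is not translated. Finally list the active translations.
packet-tracer input inside tcp 10.0.0.50 40000 1.1.1.1 80
packet-tracer input inside tcp 10.0.0.50 40001 10.1.1.1 3389
show xlate
```

The port-restricted static is the narrower of the two: it translates only the one service that needs to follow the public name, so every other protocol keeps using the real DMZ address and no extra rule is needed for management traffic.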

You are my hero :)

Thanks a bunch!

Rasmus
