Access Public Website on Internal Network

Mar 4th, 2008

I have a client who has a particular server running some very proprietary software. In order for this software to work, the client must access the server's web page (port 80) via its public IP address. He has to do this from a computer that's actually on the same internal network as the server. This seems to be causing problems, as the ASA5505 they have does not, I believe, like allowing traffic out only to have it come right back in again.

Is there some way I can get this to work? Everything is being done via port 80, but the need for the page to be accessed via the public IP address is an odd one. The server has its own public IP address which is static (inside,outside) mapped, so it's not using the public IP of the ASA itself for internet-originated traffic.

Any help would be greatly appreciated. Thanks.

cisco24x7 Tue, 03/04/2008 - 14:07

Here are some solutions:

1- Set up DNS on the External network and enable DNS doctoring on the ASA. This solution seems to be an excessive solution.

2- Buy a Checkpoint firewall. Checkpoint will let you do this without any DNS.

CCIE Security

jbrunsting Tue, 03/04/2008 - 14:10

Considering they just purchased these three ASA5505s to replace their SonicWalls, I don't think they'd be happy to buy yet another new firewall. As for setting up dns on the external network, what do you mean? Just point the ASA at an external DNS server, or something else?

jbrunsting Tue, 03/04/2008 - 14:11

To be honest, I've never even heard of dns doctoring. I guess I'm going to be reading for a little while!

JORGE RODRIGUEZ Tue, 03/04/2008 - 14:18

Jackson, go over the link I provided, it will be fairly simple to implement once you get the idea from the doc.



Fernando_Meza Tue, 03/04/2008 - 14:17


It sounds like you need to use DNS doctoring. If I understood correctly, the web server's physical IP address is private, however access from the Internet points to a public IP address which is statically NATed on the ASA, correct? When that application accesses the web server, does it use the host name ..i.e .. or does it use the IP address? If it uses the host name, then you could add an entry in the hosts file pointing i.e. X.X.X.X, where X.X.X.X is the PRIVATE IP address of the server. Another option is using DNS doctoring. This is done by adding dns at the end of the static(inside,outside) ... you have configured for that server. Note that in order for the last option to work you need to make sure that the DNS server doing the resolving is outside of the firewall, i.e. any public DNS server.

I hope it helps .. please rate it if it does !!!

