Contacting DMZ server by external IP

Nov 4th, 2008

While working on internal website resolution versus external websites and DNS resolution, my team has decided they'd like to have internal machines access DMZ resources by their external IP rather than the local DMZ address. I'm not quite positive this is the way to do things, but I figured I'd just check around to at least answer a question for myself.

We have a Pix 515 (that's going to be replaced soon by an ASA5510). We have our inside interface, a DMZ interface, and then the external interface. Inside clients are all PAT'd to a single external address. Internal IPs are in the range of 10.x.x.x using a 255.255.255.0 subnet. The DMZ is on 172.x.x.x with a 255.255.255.248 subnet. DMZ clients have a static mapping to an external IP like 208.x.x.x.

So here's the question. When an internal client attempts to connect to one of the DMZ computers using its external address (208.x.x.x), there's no resolution; it just times out. I'm not quite positive why. I just don't think the Pix will support what they want to do, but I can't articulate why. I'm thinking that the internal client's traffic gets PAT'd and is then on a 208.x.x.x address, which then tries to connect to the DMZ computer's 208.x.x.x address, and there's a problem there somewhere.

suschoud Tue, 11/04/2008 - 09:49

"I just don't think the Pix will support what they want to do, but I can't articulate why"

PIX WILL support this.

Configuration needed:

static (dmz,inside) 208.x.x.x 172.x.x.x

The above creates a mapping similar to the one you already have for external to DMZ.

The above mapping is from inside to DMZ.

inside --> initiates request for public IP.

Request hits f/w.

F/w uses static commands to xlate the pub IP to DMZ server IP.

Request, rather than going to the internet, goes directly to the pri. IP of the server.


Do rate if helpful.



Regards,

Sushil

rywatters Tue, 11/04/2008 - 14:53

That makes sense Sushil, thank you. I think I didn't communicate very well what they want to happen. I'm thinking that addressing it in the Pix isn't where I should be looking, based on your answer, though. So you have definitely steered me into looking in the correct direction. I think I'm going to have to sit down and just roadmap how DNS resolves a name and take it through step by step to get around to the answer that my boss is looking for.


Your answer solves the problem, but not in the way my boss is looking for =P



dhananjoy chowdhury Tue, 11/04/2008 - 09:57

If you are using an external DNS server to resolve the IP address of your servers, use the DNS doctoring feature on the ASA.

What it does is substitute the public IP of the server in the DNS reply packet with the internal IP of the server.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


Hope this helps.
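As an added illustration (not configuration from either poster), here is how Sushil's static (dmz,inside) mapping and the DNS doctoring alternative above look side by side in PIX/ASA 7.x-style syntax. All addresses and interface names are constructed placeholders; the syntax is assumed to match the 7.x/8.x static command and should be checked against the running software version.

```text
! --- Constructed example; interfaces and security levels are assumptions ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.248
!
! Existing outside<->dmz mapping: the Internet reaches the DMZ web server
! (placeholder 172.16.0.2) at the public address 203.0.113.10.
! The trailing "dns" keyword is the DNS doctoring option: an A-record answer
! for 203.0.113.10 returned by an external DNS server is rewritten to
! 172.16.0.2 before it reaches the inside client, so the client then
! connects straight to the real DMZ address (inside > dmz, no ACL needed).
static (dmz,outside) 203.0.113.10 172.16.0.2 netmask 255.255.255.255 dns
!
! Sushil's approach: publish the same public address toward the inside
! interface. An inside client connecting to 203.0.113.10 is translated
! directly to 172.16.0.2 on dmz instead of being PAT'd out toward the
! outside interface and timing out.
static (dmz,inside) 203.0.113.10 172.16.0.2 netmask 255.255.255.255
!
! Outside -> dmz still needs an inbound access-list on the outside interface.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
```

Either approach alone is enough: the static (dmz,inside) line handles clients that already have the public address, while the "dns" keyword handles clients that learn it from an external DNS server. Verify the result with "show xlate" after connecting from an inside host.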
