Contacting DMZ server by external IP

rywatters
Level 1

In working around with internal website resolution vs external websites and DNS resolution my team has decided they'd like to have internal machines access DMZ resources by their external IP rather than the local DMZ address. I'm not quite positive this is the way to do things, but I figured I'd just check around to at least answer a question for myself.

We have a Pix 515 (that's going to be replaced soon by an ASA5510). We have our inside interface, a DMZ interface, and then the external interface. Inside clients are all PAT'd to a single external address. Internal IPs are in the range of 10.x.x.x using a 255.255.255.0 subnet. DMZ is on a 172.x.x.x with a 255.255.255.248 subnet. DMZ clients have a static mapping to an external IP like 208.x.x.x.

So here's the question. When an internal client attempts to connect to one of the DMZ computers using its external address (208.x.x.x) there's no resolution, it just times out. I'm not quite positive why. I just don't think the Pix will support what they want to do, but I can't articulate why. I'm thinking that the internal client's traffic gets PAT'd and is then on a 208.x.x.x address which then tries to connect to the DMZ computer's 208.x.x.x address and there's a problem there somewhere.

3 Replies

suschoud
Cisco Employee

"I just don't think the Pix will support what they want to do, but I can't articulate why"

PIX WILL support this.

Configuration needed:

static (dmz,inside) 208.x.x.x 172.x.x.x

Above creates a similar mapping which you already have for external to dmz.

Above mapping is from inside to dmz

inside--> initiates request for public ip.

request hits f/w

f/w uses static commands to xlate the pub ip to dmz server ip.

request, rather than going to the internet, goes directly to the private IP of the server.

Do rate if helpful.

Regards,

Sushil

That makes sense Sushil, thank you. I think I didn't communicate very well what they want to happen. I'm thinking that addressing it in the Pix isn't where I should be looking, based off your answer though. So you have definitely steered me into looking in the correct direction. I think I'm going to have to sit down and just roadmap how DNS resolves a name and take it through step by step to get around to the answer that my boss is looking for.

Your answer solves the problem, but not in the way my boss is looking for =P

If you are using an external DNS server to resolve the IP address of your servers, use the DNS doctoring feature on the ASA.

What it does is substitute the internal IP of the server for the public IP of the server in the DNS reply packet.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hope this helps.
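The two fixes in this thread (Sushil's extra `static (dmz,inside)` line, and the DNS doctoring alternative in the reply above) can be checked side by side with a small model of the firewall's decisions. The following is an added example written for this page, not Cisco code and not the behaviour of any specific PIX or ASA release: it models only the destination-translation lookup per interface pair, a connected-route lookup, and the A-record rewrite, with the interface names `inside`, `dmz` and `outside` and addresses from documentation ranges assumed in place of the masked 10.x / 172.x / 208.x values in the thread.

```python
"""Simplified model of static NAT lookups and DNS doctoring as discussed
in this thread. Added example, not Cisco code; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped_ip real_ip [dns]' line."""
    real_if: str     # interface where the real host lives (e.g. "dmz")
    mapped_if: str   # interface on which the mapped address is presented
    mapped_ip: str
    real_ip: str
    dns: bool = False  # the 'dns' keyword that enables DNS doctoring


# Constructed addresses standing in for the thread's masked 10.x/172.x/208.x values.
INSIDE_CLIENT = "10.0.1.25"
DMZ_REAL = "172.16.1.10"
DMZ_PUBLIC = "203.0.113.10"

# Connected networks used for the routing lookup; /29 on the DMZ as in the thread.
CONNECTED = {
    "inside": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("172.16.1.8/29"),
}

# What the original poster has: only an outside-facing static for the DMZ host.
ORIGINAL = (Static("dmz", "outside", DMZ_PUBLIC, DMZ_REAL),)
# Sushil's fix: the same mapping, also presented on the inside interface.
WITH_INSIDE_STATIC = ORIGINAL + (Static("dmz", "inside", DMZ_PUBLIC, DMZ_REAL),)
# DNS doctoring alternative: keep the outside static but add the dns keyword.
WITH_DNS_DOCTORING = (Static("dmz", "outside", DMZ_PUBLIC, DMZ_REAL, dns=True),)


def route(dst_ip):
    """Connected-route lookup; anything not directly connected takes the default route."""
    addr = ipaddress.ip_address(dst_ip)
    for ifname, net in CONNECTED.items():
        if addr in net:
            return ifname
    return "outside"


def xlate_destination(statics, ingress_if, dst_ip):
    """Destination translation for a packet arriving on ingress_if.
    A static whose mapped address is presented on ingress_if rewrites the
    destination to the real address and sends the packet to the real interface;
    otherwise the packet is routed unchanged."""
    for s in statics:
        if s.mapped_if == ingress_if and s.mapped_ip == dst_ip:
            return s.real_if, s.real_ip
    return route(dst_ip), dst_ip


def doctor_dns_answer(statics, reply_ingress_if, answer_ip):
    """DNS doctoring: an A-record answer entering on the interface where a
    'dns' static presents the mapped address is rewritten to the real address."""
    for s in statics:
        if s.dns and s.mapped_if == reply_ingress_if and s.mapped_ip == answer_ip:
            return s.real_ip
    return answer_ip


def inside_client_reaches_dmz(statics, resolved_ip):
    """True when an inside client connecting to resolved_ip ends up at the DMZ host."""
    egress_if, dst = xlate_destination(statics, "inside", resolved_ip)
    return egress_if == "dmz" and dst == DMZ_REAL


if __name__ == "__main__":
    for label, statics in (("original", ORIGINAL),
                           ("with static (dmz,inside)", WITH_INSIDE_STATIC),
                           ("with dns doctoring", WITH_DNS_DOCTORING)):
        # The client resolves the name through an external DNS server; the reply
        # enters on the outside interface and may be doctored on the way in.
        resolved = doctor_dns_answer(statics, "outside", DMZ_PUBLIC)
        ok = inside_client_reaches_dmz(statics, resolved)
        print(f"{label:28s} resolves to {resolved:14s} reaches DMZ: {ok}")
```

In the original configuration the inside packet to the public address finds no static on the inside interface and is simply routed toward the default route, which is the time-out the poster sees; with the second static the same packet is translated straight to the DMZ host, and with DNS doctoring the client never sends to the public address at all because the reply it received already carries the real one.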
