11-04-2008 09:29 AM - edited 03-11-2019 07:07 AM
In working around with internal website resolution vs external websites and DNS resolution my team has decided they'd like to have internal machines access DMZ resources by their external IP rather than the local DMZ address. I'm not quite positive this is the way to do things, but I figured I'd just check around to at least answer a question for myself.
We have a PIX 515 (that's going to be replaced soon by an ASA 5510). We have our inside interface, a DMZ interface, and then the external interface. Inside clients are all PAT'd to a single external address. Internal IPs are in the range of 10.x.x.x using a 255.255.255.0 subnet. DMZ is on a 172.x.x.x with a 255.255.255.248 subnet. DMZ clients have a static mapping to an external IP like 208.x.x.x.
So here's the question. When an internal client attempts to connect to one of the DMZ computers using its external address (208.x.x.x) there's no resolution, it just times out. I'm not quite positive why. I just don't think the PIX will support what they want to do, but I can't articulate why. I'm thinking that the internal client's traffic gets PAT'd and is then on a 208.x.x.x address which then tries to connect to the DMZ computer's 208.x.x.x address, and there's a problem there somewhere.
11-04-2008 09:49 AM
"I just don't think the Pix will support what they want to do, but I can't articulate why"
PIX WILL support this.
Configuration needed:
static (dmz,inside) 208.x.x.x 172.x.x.x
The above creates a mapping similar to the one you already have from external to DMZ.
The above mapping is from inside to DMZ.
Inside --> initiates request for the public IP.
Request hits the f/w.
F/w uses the static command to xlate the public IP to the DMZ server IP.
Request, rather than going to the Internet, goes directly to the private IP of the server.
Do rate if helpful.
Regards,
Sushil
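As an added example (not Sushil's or the original poster's configuration), here is the complete set of pre-8.3 PIX/ASA statements that the answer above implies, with the thread's x.x placeholders filled in with assumed RFC 5737 documentation addresses: inside network 10.1.1.0/24, DMZ server 172.16.1.2, its public address 203.0.113.10, and 203.0.113.5 as the PAT address. The access-list lines are an assumption as well; they only matter if an ACL is already applied to the inside interface.

```cisco
! Added example, not from the thread. Pre-8.3 PIX/ASA NAT syntax.
! Assumed addresses: inside 10.1.1.0/24, DMZ server 172.16.1.2 (in a /29),
! public address of the server 203.0.113.10, inside PAT address 203.0.113.5.

! Existing: all inside clients PAT'd to one outside address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.5

! Existing: Internet users reach the DMZ server on its public address
static (dmz,outside) 203.0.113.10 172.16.1.2 netmask 255.255.255.255

! The addition from the answer above: present the same public address on the
! inside interface. An inside client connecting to 203.0.113.10 is now translated
! straight to 172.16.1.2 on the dmz interface instead of being PAT'd toward
! the outside interface.
static (dmz,inside) 203.0.113.10 172.16.1.2 netmask 255.255.255.255

! Only needed if an ACL is applied inbound on inside (assumed name inside_in).
! Pre-8.3 ACLs see the mapped address, so the destination is the public IP.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 host 203.0.113.10 eq www
access-group inside_in in interface inside
```

To confirm the translation is being used, have an inside client connect to 203.0.113.10 and run `show xlate` on the firewall; an entry mapping 203.0.113.10 to 172.16.1.2 should appear. Note that ASA 8.3 and later dropped the `static` command; there the equivalent is an object NAT rule (`nat (dmz,inside) static 203.0.113.10` under the server's network object), so the lines above apply to the PIX and to ASA releases before 8.3.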
11-04-2008 02:53 PM
That makes sense Sushil, thank you. I think I didn't communicate very well what they want to happen. I'm thinking that addressing it in the PIX isn't where I should be looking, based on your answer though. So you have definitely steered me into looking in the correct direction. I think I'm going to have to sit down and just roadmap how DNS resolves a name and take it through step by step to get around to the answer that my boss is looking for.
Your answer solves the problem, but not in the way my boss is looking for =P
11-04-2008 09:57 AM
If you are using an external DNS server to resolve the IP address of your servers, use the DNS doctoring feature on the ASA.
What it does is substitute the public IP of the server in the DNS reply packet with the internal IP of the server.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Hope this helps.
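The DNS doctoring approach from the answer above, as an added configuration example (not taken from the thread or from the linked Cisco document), in pre-8.3 syntax with the same assumed addresses as before (DMZ server 172.16.1.2, public address 203.0.113.10, inside network 10.1.1.0/24). The scenario is the one the answer describes: the inside client asks an external DNS server, the reply carrying the public address passes through the firewall, and the `dns` keyword on the static makes the firewall rewrite the A record to the private DMZ address. The identity static from inside to dmz is an assumption added so that the client's direct connection to 172.16.1.2 has a translation to use.

```cisco
! Added example, not from the thread. Pre-8.3 PIX/ASA DNS doctoring.
! Assumed addresses: DMZ server 172.16.1.2, public address 203.0.113.10,
! inside network 10.1.1.0/24, DNS server on the outside.

! The "dns" keyword rewrites A records in DNS replies that traverse this
! translation: an answer of 203.0.113.10 coming in from outside is rewritten
! to 172.16.1.2 before it reaches the inside client.
static (dmz,outside) 203.0.113.10 172.16.1.2 netmask 255.255.255.255 dns

! The client then connects to 172.16.1.2 directly, so inside -> dmz needs a
! translation. An identity static keeps the 10.1.1.0/24 addresses unchanged.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! DNS inspection must be on for the rewrite to happen (7.x and later; this is
! the default global policy, shown for completeness).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

On PIX 6.3 the equivalent of `inspect dns` is `fixup protocol dns`, which is enabled by default. To check the result, resolve the server's name from an inside client: it should now return 172.16.1.2, while the same query from the Internet still returns 203.0.113.10. If the reply is not rewritten, confirm the query really goes to the external DNS server: a reply from a DNS server on the inside never crosses the static and is not doctored, which is the case the other answer's `static (dmz,inside)` covers instead.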