Help with DMZ access from inside with outside address translation

Unanswered Question
Feb 16th, 2010

I have 3 campuses; each campus has a DNS server and firewall.

Each firewall has 3 zones: inside (, outside (, DMZ (

Campus 1: Is where the primary DNS server is. The other two campuses get their DNS replicated from this server.

We have a server in the DMZ of campus 1 that all internal and external users must get to.

The DNS entry for the server is (replicated to the other campuses as well).

The IP assignment for the DMZ server is: (private), (public)

External users, including campuses 2 and 3, can access the server at

Internal users at campus one can access the server using the address, but cannot access it using the address.

Since DNS is resolving the name to the address, how do I facilitate this?

Overall Rating: 5 (1 ratings)
oneirishpollack Tue, 02/16/2010 - 13:30

I have DNS re-write enabled, but doesn't it only affect DNS replies coming back from the outside interface? So if I have an inside user using a DNS server on the outside, it re-writes the reply when it comes back through the firewall.

What about a DNS reply that comes from an inside DNS server, but points to an address on my outside network? How can I have that re-written? The DNS reply never goes through the firewall. So in effect I need an internal address to connect to a device on my external network.

Here is my client

Here is my server's mapped address

I need my inside client to be able to connect to that server that is in the DMZ with a real address of and a mapped address on the outside of

The firewall is dropping this packet because it will not allow packet redirection on the same interface correct?

So in the case of an inside client trying to reach a mapped outside address, how do you facilitate this?

Federico Coto F... Tue, 02/16/2010 - 13:44

static (dmz,inside)

In this way, your internal machine ( will receive a response from DNS to access IP

When a packet intended to reach the Firewall, the ASA will translate that address to and you will be able to reach the server.

In other words, server will look like on the inside interface.
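As an added illustration of the mapping described in this reply (this is not configuration from the thread; the interface names and all addresses are constructed sample values, with RFC 5737 documentation ranges standing in for the public side), here is how the existing outside translation and the new inside-facing translation would sit together on an ASA using the pre-8.3 `static` syntax the reply uses:

```text
! Constructed example, not the poster's configuration.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Existing mapping: Internet hosts reach the DMZ server at its public address.
! The dns keyword rewrites A records only in replies that traverse the firewall.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 dns
!
! Added mapping: inside hosts also see the DMZ server as 203.0.113.10.
! A packet from inside to 203.0.113.10 is translated to 192.168.100.10
! and forwarded out the dmz interface instead of toward the outside.
static (dmz,inside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
```

The `dns` keyword on the outside translation does not help here because, as the original poster notes, replies from the internal DNS server never cross the firewall; the second `static` is what lets inside clients use the same public address that DNS hands out. To check the result before telling users, `packet-tracer input inside tcp 10.0.0.50 12345 203.0.113.10 80` should show a NAT phase translating the destination to 192.168.100.10 with the dmz interface as the egress, and `show xlate` should list the 203.0.113.10 to 192.168.100.10 entry once a client connects.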


Federico Coto F... Wed, 02/17/2010 - 07:30

Glad that it worked ;-)

Please rate if helpful, so other people could find the answer to this issue easily.


