Help with DMZ access from inside with outside address translation

Unanswered Question
Feb 16th, 2010

I have 3 campuses; each campus has a DNS server and firewall.

Each firewall has 3 zones: inside (10.5.5.0), outside (171.49.34.0), DMZ (10.5.29.0)

Campus 1: Is where the primary DNS server is. The other two campuses get their DNS replicated from this server.

We have a server in the DMZ of campus 1 that all internal and external users must get to.

The DNS entry for the server is 171.49.34.3 (replicated to the other campuses as well).

The IP assignment for the DMZ server is: 10.4.29.3 (private), 171.49.34.3 (public)

External users, including campuses 2 and 3, can access the server at 171.49.34.3.

Internal users at campus one can access the server using the 10.4.29.3 address, but cannot access it using the 171.49.34.3 address.

Since DNS is resolving the name to the 171.49.34.3 address, how do I facilitate this?

oneirishpollack Tue, 02/16/2010 - 13:30

I have DNS re-write enabled, but doesn't it only affect DNS replies coming back from the outside interface? So if I have an inside user using a DNS server on the outside, it re-writes the reply when it comes back through the firewall.

What about a DNS reply that comes from an inside DNS server but points to an address on my outside network? How can I have that re-written? The DNS reply never goes through the firewall. So in effect I need an internal address to connect to a device on my external network.

Here is my client 10.5.5.20/24

Here is my server's mapped address 171.49.34.3/24

I need my inside client to be able to connect to that server that is in the DMZ with a real address of 10.4.29.3 and a mapped address on the outside of 171.49.34.3/24.

The firewall is dropping this packet because it will not allow packet redirection on the same interface, correct?

So in the case of an inside client trying to reach a mapped outside address, how do you facilitate this?


Federico Coto F... Tue, 02/16/2010 - 13:44

static (dmz,inside) 171.49.34.3 10.4.29.3

In this way, your internal machine (10.5.5.20) will receive a response from DNS to access IP 171.49.34.3.

When a packet intended for 171.49.34.3 reaches the firewall, the ASA will translate that address to 10.4.29.3 and you will be able to reach the server.

In other words, server 10.4.29.3 will look like 171.49.34.3 on the inside interface.

Federico.
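The configuration below is an added example, not part of the original thread or of any poster's config. It puts Federico's `static (dmz,inside)` line next to the `static (dmz,outside)` line the question implies already exists, adds the outside access-list the DMZ server needs, and shows two commands to verify the translation. It assumes ASA 8.2-style syntax (the `static` command form used in the answer), interface names `inside`, `outside` and `dmz`, an access-list named `OUTSIDE_IN`, and TCP port 80 as the published service; the addresses are the ones given in the question.

```cisco
! Added example (not from the thread). ASA 8.2-style syntax assumed.
! Interface names, the access-list name OUTSIDE_IN and port 80 are assumptions.

! Existing translation for external users:
! on the outside interface, DMZ host 10.4.29.3 appears as 171.49.34.3.
static (dmz,outside) 171.49.34.3 10.4.29.3 netmask 255.255.255.255

! Added translation for internal users (Federico's suggestion):
! on the inside interface the same DMZ host also appears as 171.49.34.3,
! so the unchanged DNS answer of 171.49.34.3 now works from 10.5.5.0/24.
! Only this /32 is claimed on inside; the rest of 171.49.34.0/24 still
! routes to the outside interface.
static (dmz,inside) 171.49.34.3 10.4.29.3 netmask 255.255.255.255

! Inside -> DMZ is higher -> lower security, so it is permitted by default
! unless an access-group is already applied inbound on inside (if so, add a
! permit for host 171.49.34.3 there too, using the mapped address).
! Outside -> DMZ is lower -> higher and needs an explicit permit; keep it
! port-specific rather than "permit ip any host".
access-list OUTSIDE_IN extended permit tcp any host 171.49.34.3 eq 80
access-group OUTSIDE_IN in interface outside

! Verification from the ASA CLI: trace an inside client's packet to the
! public address. The output should show the NAT phase rewriting the
! destination to 10.4.29.3 and an output interface of dmz, not outside.
packet-tracer input inside tcp 10.5.5.20 1025 171.49.34.3 80

! After a real connection, confirm the xlate exists for the mapped address.
show xlate global 171.49.34.3
```

If the `packet-tracer` result shows the packet leaving via `outside`, the inside static is missing or mis-ordered relative to an overlapping translation; if it is dropped at the ACL phase, check for an access-group on the inside interface. On ASA 8.3 and later (an assumption about a release the thread does not mention) the same result comes from one `object network` definition for 10.4.29.3 with `nat (dmz,any) static 171.49.34.3`, since `any` as the mapped interface covers both outside and inside, and access-lists there reference the real address 10.4.29.3 rather than the mapped one.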

Federico Coto F... Wed, 02/17/2010 - 07:30

Glad that it worked ;-)

Please rate if helpful, so other people could find the answer to this issue easily.

Federico.
