Help with DMZ access from inside with outside address translation

oneirishpollack (Level 1)

I have 3 campuses; each campus has a DNS server and firewall.

Each firewall has 3 zones: inside (10.5.5.0), outside (171.49.34.0), DMZ (10.5.29.0)

Campus 1: Is where the primary DNS server is. The other two campuses get their DNS replicated from this server.

We have a server in the DMZ of campus 1 that all internal and external users must get to.

The DNS entry for the server is 171.49.34.3 (replicated to the other campuses as well).

The IP assignment for the DMZ server is: 10.4.29.3 (private), 171.49.34.3 (public)

External users, including campuses 2 and 3, can access the server at 171.49.34.3.

Internal users at campus one can access the server using the 10.4.29.3 address, but cannot access it using the 171.49.34.3 address.

Since DNS is resolving the name to the 171.49.34.3 address, how do I facilitate this?

5 Replies

Hi,

It seems that what you're looking for is DNS doctoring, or DNS re-write?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Federico.

I have DNS re-write enabled, but doesn't it only affect DNS replies coming back from the outside interface? So if I have an inside user using a DNS server on the outside, it re-writes the reply when it comes back through the firewall.

What about a DNS reply that comes from an inside DNS server, but points to an address on my outside network? How can I have that re-written? The DNS reply never goes through the firewall. So in effect I need an internal address to connect to a device on my external network.

Here is my client 10.5.5.20/24

Here is my server's mapped address 171.49.34.3/24

I need my inside client to be able to connect to that server that is in the DMZ with a real address of 10.4.29.3 and a mapped address on the outside of 171.49.34.3/24.

The firewall is dropping this packet because it will not allow packet redirection on the same interface correct?

So in the case of an inside client trying to reach a mapped outside address, how do you facilitate this?


! Static NAT on the dmz/inside interface pair: real host 10.4.29.3 is presented to inside hosts as 171.49.34.3
static (dmz,inside) 171.49.34.3 10.4.29.3

In this way, your internal machine (10.5.5.20) will receive a response from DNS to access IP 171.49.34.3.

When a packet intended for 171.49.34.3 reaches the firewall, the ASA will translate that address to 10.4.29.3 and you will be able to reach the server.

In other words, server 10.4.29.3 will look like 171.49.34.3 on the inside interface.

Federico.
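As an added example, not part of the original thread and not Cisco's own documentation, here is how the two pieces discussed above fit together on the ASA: the outside static with the dns keyword (the DNS doctoring Federico linked to in his first reply, which only helps when the DNS answer actually crosses the firewall) and the dmz/inside static from his last reply, which is what handles answers from the internal DNS server. The addresses are the ones the thread gives (real 10.4.29.3, mapped 171.49.34.3, client 10.5.5.20); the interface names inside/outside/dmz, the ACL name OUTSIDE_IN and the assumption that the service is HTTP on port 80 are mine. The 8.3-and-later section is my translation of the same design into object NAT, not something from the thread; use one section or the other, not both.

```cisco
! ===== ASA 8.2 and earlier (the static syntax used in the thread) =====
!
! DNS doctoring for the path that crosses the firewall: an inside client
! that queries a DNS server on the OUTSIDE gets the A record 171.49.34.3
! rewritten to 10.4.29.3 in the reply. It cannot touch answers from the
! inside DNS server, which never pass through the ASA.
static (dmz,outside) 171.49.34.3 10.4.29.3 netmask 255.255.255.255 dns
!
! The fix from the thread: on the dmz/inside pair the server is ALSO
! reachable as 171.49.34.3, so a client that resolved the public address
! from the internal DNS server is translated to the real DMZ host.
! This is an ordinary two-interface translation, not a hairpin on one
! interface, so "same-security-traffic permit intra-interface" is not
! needed. Inside (higher security) to dmz is allowed by default; if an
! ACL is applied inbound on inside, it must permit 171.49.34.3 (pre-8.3
! ACLs see the MAPPED address on the interface they are applied to).
static (dmz,inside) 171.49.34.3 10.4.29.3 netmask 255.255.255.255
!
! Outside users still need an inbound ACL on outside, again written with
! the mapped address. Port 80 is an assumption for this example; permit
! only the services the DMZ server actually exposes.
access-list OUTSIDE_IN extended permit tcp any host 171.49.34.3 eq www
access-group OUTSIDE_IN in interface outside
!
! ===== ASA 8.3 and later equivalent (object NAT; ACLs use the REAL address) =====
!
object network DMZ-SRV-OUTSIDE
 host 10.4.29.3
 nat (dmz,outside) static 171.49.34.3 dns
!
object network DMZ-SRV-INSIDE
 host 10.4.29.3
 nat (dmz,inside) static 171.49.34.3
!
access-list OUTSIDE_IN extended permit tcp any host 10.4.29.3 eq www
access-group OUTSIDE_IN in interface outside
!
! ===== Verification (either release) =====
!
! Trace an inside client's connection to the public address. The NAT phase
! should show the destination untranslated to 10.4.29.3 and the egress
! interface as dmz. A DROP here usually means the dmz/inside translation
! is missing or an inside ACL denies the destination.
packet-tracer input inside tcp 10.5.5.20 12345 171.49.34.3 80
show xlate | include 171.49.34.3
```

The point worth keeping in mind is that the dns keyword and the dmz/inside static solve two different problems: the first rewrites DNS answers that traverse the ASA, the second makes the public address routable from the inside when the answer did not traverse it. Campuses 2 and 3 were already fine because they reach 171.49.34.3 through the outside interface, where the dmz/outside static applies.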

Thanks, it worked perfectly.

Glad that it worked ;-)

Please rate if helpful, so other people could find the answer to this issue easily.

Federico.
