Cisco Support Community
Community Member

ASA 5540 internal website access problem

I have a Cisco ASA 5540 firewall with a DMZ segment, an Inside segment and an outside (Internet) segment.

The web server with the website domain is in the DMZ segment, NATted to a public IP on the Internet segment.

I have allowed full Internet access to a monitoring workstation in the Inside segment as well as one in the DMZ segment, and I can access all websites properly by domain or IP.

My problem is that I can't access the website hosted on the web server in the DMZ segment from either workstation, in the DMZ or the Inside segment of the firewall, whereas the same site is accessible from the outside Internet.

Kindly help me to resolve this problem.


Re: ASA 5540 internal website access problem

Change your internal DNS to point to the webserver DMZ IP address.


Community Member

Re: ASA 5540 internal website access problem

Dear Andrew,

Thanks for your support, but the problem is still not resolved, because the inside system is unable to access the website hosted on the DMZ segment using the public IP path.

Please let me know the config required to give inside users access to the internal website using the web server's NATted public IP.

Re: ASA 5540 internal website access problem

If you have an internal DNS server, create a pointer/A record pointing the URL to the internal DMZ IP address.

If you do not have an internal DNS server, then add a static NAT entry for the DMZ.

Community Member

Re: ASA 5540 internal website access problem

You can't access a public IP NATted to a DMZ server from the inside or another interface.

To resolve this problem, you need to point internal users or the monitor server to the DMZ IP address of the server, create a static to translate inside to DMZ, and apply an ACL to allow HTTP access.

If you need to access a website hosted by "hostname" and not by "IP address", you need to create an "internal" DNS server.

This provides resolution for domains served by the DMZ servers, pointing A zones to DMZ IPs.

DNS Server example:

*info: inside user's:

*info: dmz server's:

*info: dmz www server: ->

This DNS server needs to be DIFFERENT for Internet DNS resolution.

Another solution, if you can't mount an internal DNS server, is to add a line to the Windows users' machines.

Add the following as the last line:

With this you provide name resolution only to specific machines.
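Added example, not part of the thread: a small check for the hosts-file workaround described above, confirming that an internal machine will be sent to the web server's DMZ address rather than its NATted public IP. The hostname, both addresses, the DMZ subnet and the sample file are constructed placeholders, and the parser assumes the first matching hosts entry wins.

```python
import ipaddress

# Constructed sample: a Windows hosts file after the workaround was applied.
# The hostname and both addresses are placeholders, not values from the thread.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
192.168.2.10    www.example.com   example.com   # DMZ web server
203.0.113.10    www.example.com                 # stale public entry, shadowed
"""


def lookup(hosts_text, hostname):
    """Return the first address mapped to hostname, or None (first match assumed to win)."""
    wanted = hostname.lower().rstrip(".")
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                              # blank, comment-only or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: skip the line
        if wanted in (n.lower().rstrip(".") for n in fields[1:]):
            return addr
    return None


def classify(hosts_text, hostname, dmz_net, public_ip):
    """Say where an internal client will be sent for hostname."""
    addr = lookup(hosts_text, hostname)
    if addr is None:
        return "missing"      # no entry: the client falls back to DNS
    if addr in ipaddress.ip_network(dmz_net):
        return "dmz"          # the outcome the workaround is meant to produce
    if addr == ipaddress.ip_address(public_ip):
        return "public"       # the path the thread reports as unreachable from inside
    return "other"


if __name__ == "__main__":
    for name in ("www.example.com", "EXAMPLE.COM", "mail.example.com"):
        print(name, classify(SAMPLE_HOSTS, name, "192.168.2.0/24", "203.0.113.10"))
```

A result of "missing" or "public" on an inside workstation means the name still leads to the public address, which is the symptom reported in the original question.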
