In working around with internal website resolution vs external websites and DNS resolution my team has decided they'd like to have internal machines access DMZ resources by their external IP rather than the local DMZ address. I'm not quite positive this is the way to do things, but I figured I'd just check around to at least answer a question for myself.
We have a Pix 515 (that's going to be replaced soon by an ASA5510). We have our inside interface, a DMZ interface, and then the external interface. Inside clients are all PAT'd to a single external address. Internal IPs are in the range of 10.x.x.x using a 255.255.255.0 subnet. DMZ is on a 172.x.x.x with a 255.255.255.248 subnet. DMZ clients have a static mapping to an external IP like 208.x.x.x.
So here's the question. When an internal client attempts to connect to one of the DMZ computers using it's external address (208.x.x.x) there's no resolution, it just times out. I'm not quite positive why. I just don't think the Pix will support what they want to do, but I can't articulate why. I'm thinking that internal client's traffic gets PAT'd and is then on a 208.x.x.x address which then tries to connect to the DMZ computer's 208.x.x.x address and there's a problem there somewhere.
That makes sense Sushil, thank you. I think I didn't communicate very well what they want to happen. I'm thinking that addressing it in the Pix isn't where I should be looking, based off your answer though. So you have definitely steered me into looking in the correct direction. I think I'm going to have to sit down and just roadmap how DNS resolves a name and take it through step by step to get around to the answer that my boss is looking for.
Your answer solves the problem, but not in the way my boss is looking for =P
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :