DMZ server access from inside using (public) DNS name

mvsheik123 (Level 7)

Hello,

The Citrix server is in the DMZ (off of the ASA) and its private IP is being translated to a public IP for external user connectivity. Everything works from outside (ex: http/s:haccess.xyz.com, ping to haccess.xyz.com, etc.). Now, the internal users residing behind the ASA and NAT'd thru the ASA to reach the internet also want to access the server from an internal PC using the DNS name http/s:haccess.xyz.com. DNS resolves haccess.xyz.com to the public IP (70.34.20.X) and the request is sent out to the internet when it is initiated by an internal user. Using the private IP to access the DMZ server from the internal subnets works. How can I make this work from internal as well, without posing any security risk?

TIA

MS

6 Replies

pskipton01 (Level 1)

I am having the same issues; see the information in my post, it may assist, or maybe we will get an answer later.

Denis Spichkin (Level 1)

You can use DNS doctoring:

static (inside,outside) 70.34.20.X y.y.y.y netmask 255.255.255.255 dns

Full description:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

That works fine prior to 8.3 or even further back, but what would be required for 8.3(1)???

Perry,

Take a look at the post, we answered your Question already, if you have any doubts please feel free to post them.

Cheers

Mike


Hi Denis,

Thank you for the reply. I went thru the DNS doctoring doc and have 2 (simple) questions ;-).

1. The example in the doc states: In this case, the client at 192.168.100.2 wants to use the server.example.com URL to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at 172.22.1.161.

In my case the public DNS record for the server (ctrix.test.com) is hosted by an outside DNS, but the internal clients' DNS is our internal DNS (with a private IP), and that DNS resolves the name to the public IP. Does DNS doctoring work in this case as well?

2. I do not see DNS inspection enabled at this time (ASA 5510, 7.2(4)), nor do I see any command applied which disabled it. What would be the effect of enabling DNS inspection with the same procedure listed in the doc? The config has the setting 'message-length max 512'. It may be the default value, but I just wanted to check that the config does not cause any issues.

TIA

MS

Hello

On the static that you have for your server (DMZ,outside), instead of outside use Inside. The static statement would otherwise be the same. The example shown at the top of the service request was thought out based on a DNS server located in the outside world. In your case the DNS server is on the inside.

Please add the same static that you have for the outside but instead of outside put the word Inside.

Mike.
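The two approaches discussed in this thread, plus the 8.3(1)+ syntax Perry asked about, written out as an added configuration example. This is not the original poster's config or a Cisco-supplied snippet; it assumes the interface names `inside`, `dmz` and `outside`, reuses the page's public address `70.34.20.X` as a placeholder, and borrows `10.10.10.10` from the linked document as the server's private address.

```cisco
! ---- Option A: DNS doctoring (Denis' suggestion) ----
! Pre-8.3 syntax. The "dns" keyword makes the ASA rewrite the A record in a
! DNS reply that crosses the firewall: when the reply carries the mapped
! address (70.34.20.X) it is replaced with the real address (10.10.10.10),
! so inside hosts connect to the DMZ server directly instead of hairpinning
! toward the outside interface.
static (dmz,outside) 70.34.20.X 10.10.10.10 netmask 255.255.255.255 dns

! DNS rewrite only happens if DNS inspection is enabled; in the default
! global policy it is, with the 512-byte message length limit the poster saw.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! ---- Option B: map the public IP on the inside interface (Mike's suggestion) ----
! Pre-8.3 syntax. Inside hosts still resolve haccess.xyz.com to 70.34.20.X,
! but the ASA now translates 70.34.20.X -> 10.10.10.10 for traffic arriving
! on the inside interface, so no DNS rewrite is needed. Inside (security 100)
! to DMZ (lower security) is permitted by default unless an ACL is applied
! to the inside interface; if one is, it must allow this destination.
static (dmz,inside) 70.34.20.X 10.10.10.10 netmask 255.255.255.255

! ---- Equivalent on 8.3(1) and later (object NAT) ----
! Option A in 8.3+ form: static object NAT with the dns keyword.
object network obj-citrix-outside
 host 10.10.10.10
 nat (dmz,outside) static 70.34.20.X dns

! Option B in 8.3+ form: a second object for the inside-facing translation.
object network obj-citrix-inside
 host 10.10.10.10
 nat (dmz,inside) static 70.34.20.X
```

Option A fits the poster's topology as well: the internal DNS server forwards the query to the outside DNS, the reply crosses the ASA from outside to inside, and the A record is rewritten before the internal DNS server caches it. Only one of the two options is needed; Option B is simpler to verify (`show xlate` on the inside interface), while Option A keeps a single translation and relies on DNS inspection being active. Neither exposes anything new to the outside: both only affect how inside hosts reach an address that is already published.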
