Implementing email, webserver and DNS in a DMZ, cannot ping from DMZ and inside to natted IP and outside interface
I am implementing a DNS server, a web server and an email server in a DMZ. I mounted those services on a Windows 2008 Standard box, but my NS does not recognize the external IP. I assume this is because I cannot ping from DMZ/inside to the outside interface or the NATed IP. Can someone help? Here's my configuration:
Sadly I don't have an ASA running older software with me right now to test this out.
What you are wanting to achieve is not really ideal with the ASA. Also, you won't be able to ping a remote interface IP address, and I don't think there is any workaround for that. By remote interface I mean, for example, sending ICMP from a host behind "inside" to the "outside" interface, which would make "outside" the remote interface in this case.
At this point the only thing with regards to the server I can think of is really doing a NAT from "DMZ" to "DMZ".
I assume that this is the current NAT for the server towards "outside"
You also seem to have the following Dynamic PAT configuration:
global (DMZ) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
So I presume that when you send an ICMP from the server to its own public IP address the following would happen:
ICMP Echo sent from server to the ASA
ASA matches the public IP address to the new Static NAT configured
ASA does UN-NAT for the destination IP address (public -> local)
ASA does NAT for the source address using the Dynamic PAT configuration (server IP -> DMZ interface IP)
ICMP Echo arrives at the server that sent it, sourced from the ASA DMZ interface IP address
Server sends an ICMP Echo reply back
I really cannot give any guarantees that this would even work, as I am not able to test this out right now.
Even if it worked, it's not an ideal solution, as it's playing around with the NAT a bit too much. The best situation would be if you could allocate a small public subnet for the DMZ segment itself, so no NAT configurations would be needed.
With regards to connections from the "inside" network to the "DMZ" using the public IP address, you would naturally require the NAT from "DMZ" to "inside". But this would also mean that "inside" users could only use the public IP address to connect after this, and if you had any services that were using the local IP address of the DMZ server before this, they would most likely fail.
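As an added illustration, not Jouni's configuration and not taken from the thread, the pre-8.3 ASA commands that implement the DMZ-to-DMZ hairpin NAT described in the answer above, together with the DMZ-to-inside static for the second case. The server address 10.10.10.10, the public address 203.0.113.10 and the interface name "DMZ" are assumptions; the existing static towards "outside" is assumed to already be in place and is not repeated here.

```cisco
! Added example, not from the original post. Assumed values:
!   10.10.10.10   = server's local IP on the DMZ segment
!   203.0.113.10  = server's public (mapped) IP
!   DMZ / inside  = interface nameifs
!
! Hairpin traffic enters and leaves the same interface, which the ASA
! drops unless this is enabled.
same-security-traffic permit intra-interface
!
! Static NAT from DMZ to DMZ: a DMZ host sending to the public IP gets the
! destination un-NATed to the server's local IP (public -> local).
static (DMZ,DMZ) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! Dynamic PAT pair for the DMZ (as already present in the thread): the
! hairpinned packet's source becomes the DMZ interface IP, which is why the
! server sees the echo arriving from the ASA's DMZ address.
global (DMZ) 101 interface
nat (DMZ) 101 0.0.0.0 0.0.0.0
!
! Case from the last paragraph of the answer: let "inside" hosts reach the
! server via the public IP (real interface DMZ, mapped on inside).
static (DMZ,inside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
!
! ICMP inspection so the echo reply is matched to the outbound echo and
! allowed back without a separate ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Check the translation path before testing from the server itself:
! packet-tracer input DMZ icmp 10.10.10.10 8 0 203.0.113.10
! show xlate
```

The packet-tracer line should show the static (DMZ,DMZ) un-NAT of the destination followed by the dynamic PAT of the source; if it stops at an ACL or NAT phase instead, the drop reason names which of the lines above is missing.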
Journi, I wasn't very clear on my entire topology. I have a DNS and AD DC server on the inside network that serves all local network requests. The DNS located on the DMZ is to serve remote hosts' requests for the website and the entire email service (this includes inside hosts). Is that the scenario you are suggesting?