05-28-2014 04:44 PM - edited 03-11-2019 09:15 PM
I have a customer that is using FWSMs. There are 4 interfaces (inside 100 , outside 0 , dmz 50 , wireless 4 ).
So to give an example:
1) I connect to the wireless and get an address of 192.168.1.x. My DNS server is on the dmz and I can resolve addresses and surf the internet.
2) I want to get to a server owned by the customer so I type http://webapps.customer.com
3) The DNS gives the external address and the attempt is made.
4) I time out.
If I connect via an external source (like an iPhone using ATT network) I connect with no problem... I get the same external address.
Thoughts on what to look at? I've double-checked everything and so far cannot find a good answer.
05-28-2014 05:23 PM
Can we see the access-lists?
Sounds like DNS doctoring is what you're looking for: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html
05-29-2014 01:42 PM
I am assuming that 20x.xxx.xx.76 is the webserver IP?
And if you do an nslookup for webapps.customer.com you get that same public IP?
If that is the case, then that is the problem. You would need to do either DNS doctoring or add another NAT statement.
DNS doctoring is done by just adding the keyword dns to the end of the relevant NAT statement:
static (web_dmz,OUTSIDE) 20X.XXX.XX.76 172.16.XXX.76 netmask 255.255.255.255 dns
The other option would be to translate the public IP, which is ingress on the inside interface, to the private IP, which is egress on the DMZ interface. Something like the following:
static (inside,web_dmz) 172.16.XXX.76 20X.XXX.XX.76 netmask 255.255.255.255
I suggest trying the DNS doctoring option first and then the second option if it doesn't work.
--
Please remember to select a correct answer and rate helpful posts
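As an added illustration (not part of the thread and not Cisco code), the Python script below models the two fixes suggested in the reply above, the `dns` keyword on the static and a destination translation on the client-facing interface, against a constructed DNS reply for webapps.customer.com. The interface names, the NAT table, the RFC 5737 / RFC 1918 addresses standing in for the customer's, and the egress-interface rule used to decide the rewrite are all assumptions; a real ASA/FWSM resolves the rewrite from its xlate table per interface pair, which this model only approximates, so treat it as a way to reason about which side of the static a reply is delivered to, not as a statement of the firewall's exact behaviour.

```python
"""
Toy model of ASA/FWSM DNS doctoring and of a destination NAT alternative.
Added example for the thread; not Cisco code.  All addresses, interface
names and NAT rules are assumptions mirroring the thread's layout.
"""
import ipaddress
import struct

# Assumed rendering of: static (web_dmz,OUTSIDE) <public> <private> netmask 255.255.255.255 dns
STATICS = [
    {"real_if": "web_dmz", "mapped_if": "OUTSIDE",
     "real": "172.16.10.76", "mapped": "203.0.113.76", "dns": True},
]

# Assumed rendering of the second option: packets entering on a client-facing
# interface for the public address get their destination rewritten to the DMZ host.
DEST_NAT = {
    ("inside", "203.0.113.76"): "172.16.10.76",
    ("wireless", "203.0.113.76"): "172.16.10.76",
}


def encode_name(name: str) -> bytes:
    """Wire-format DNS name (length-prefixed labels, terminated by a zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(name: str, ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS reply: one question and one IN A answer whose name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def skip_name(buf, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def _answer_offsets(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every answer RR."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4    # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(packet: bytes):
    """Dotted-quad addresses of all IN A answers in the reply."""
    return [str(ipaddress.IPv4Address(bytes(packet[o:o + 4])))
            for o, t, c, n in _answer_offsets(packet) if t == 1 and c == 1 and n == 4]


def doctor_a_record(ip: str, egress_if: str, statics) -> str:
    """Simplified 'dns' keyword rule (assumption): a reply delivered to the real
    side of the static gets the real address, one delivered to the mapped side
    gets the mapped address; any other egress interface leaves the record alone."""
    for s in statics:
        if not s["dns"]:
            continue
        if egress_if == s["real_if"] and ip == s["mapped"]:
            return s["real"]
        if egress_if == s["mapped_if"] and ip == s["real"]:
            return s["mapped"]
    return ip


def doctor_reply(packet: bytes, egress_if: str, statics=STATICS) -> bytes:
    """Rewrite the rdata of every IN A answer in place; lengths never change."""
    buf = bytearray(packet)
    for off, rtype, rclass, rdlen in _answer_offsets(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            new = doctor_a_record(old, egress_if, statics)
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(buf)


def translate_destination(ingress_if: str, dst_ip: str, dest_nat=DEST_NAT) -> str:
    """Second option: destination NAT applied as the client's packet enters."""
    return dest_nat.get((ingress_if, dst_ip), dst_ip)


if __name__ == "__main__":
    reply = build_a_reply("webapps.customer.com", "203.0.113.76")
    for egress in ("web_dmz", "wireless", "OUTSIDE"):
        print(f"reply to a client on {egress:8}: {a_records(doctor_reply(reply, egress))}")
    print("wireless client -> 203.0.113.76 becomes",
          translate_destination("wireless", "203.0.113.76"))
```

In this model a reply handed to a DMZ host is rewritten to the private address, a reply carrying the private address and leaving toward OUTSIDE is rewritten to the public one, and a reply to the wireless segment is untouched because that interface is on neither side of the static. That last case is exactly where the destination translation on the client-facing interface earns its keep: the client keeps the public answer but the firewall steers the connection to the DMZ host anyway.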