New Member

Visiting website on DMZ from inside using public dns

Hi,

I know there are tons of threads like this, but all of them concern going from inside to inside.

Now, our problem is that we want to be able to visit www.something.com from computers on the inside interface. www.something.com translates to a public IP on the ASA which translates to a DMZ IP address.

I know that the only way out of this is by using a static NAT command, I just can't figure out the syntax, or where to place it.

Hopefully someone out there can help :)

Thanks in advance,

Rasmus


10 REPLIES

Re: Visiting website on DMZ from inside using public dns

This should help. It worked for me with servers in the DMZ.

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

HTH and please rate.

Green

Re: Visiting website on DMZ from inside using public dns

You actually have 2 options. You can do dns doctoring or destination nat.

Destination Nat

www.something.com = 1.1.1.1

private dmz address = 10.1.1.1

static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255

DNS Doctoring

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

New Member

Re: Visiting website on DMZ from inside using public dns

I can't do DNS doctoring, 'cause we have internal DNS servers.

I'll go for destination NAT. Thanks a bunch!

BR,

Rasmus

New Member

Re: Visiting website on DMZ from inside using public dns

Now, I've set up destination NAT like your example. The funny thing is that it only works for some of our DMZ sites.

Should I add the "DNS rewrite" feature on these destination NAT rules?

Does it matter which dns servers the dmz servers uses?

Thanks in advance,

Rasmus

Green

Re: Visiting website on DMZ from inside using public dns

It should work for any server in the dmz. Do you want to post a clean config? Also, which destination nat statements are not working?

New Member

Re: Visiting website on DMZ from inside using public dns

The firewall has not been put live yet. I've only connected it a couple of nights, to check status on various issues. This makes it difficult to test new configurations quickly.

Anyway, I discovered that the web servers that had this problem, all used external DNS servers. I've corrected this, so that they use the internal dns servers (like the rest of the web servers that actually work).

Now, I haven't had time to test this yet, but would it make sense, that this might be the issue?

BR,

Rasmus

Green

Re: Visiting website on DMZ from inside using public dns

Not really. Just to recap, you are using destination NAT to use the public IP addresses of the webservers from the inside, right? If this is the case, the DNS servers defined on the webservers should have nothing to do with it.

New Member

Re: Visiting website on DMZ from inside using public dns

Hi,

I think I've solved it. The servers had multiple IP addresses, and Anti-Spoofing was enabled on the DMZ interface. I'll test this later.

In the meantime, I've discovered that now that I've made this destination-NAT-thing, I cannot connect with RemoteDesktop (or any other protocol) to the private dmz addresses. How do I do that?

I need to be able to browse the public dmz websites, but at the same time be able to rdp to the private address. Is this even possible? If so, how?

If not, what does everybody else do? I can't be the only one with this need...

Thanks,

Rasmus

Re: Visiting website on DMZ from inside using public dns

You can still do destination NAT, just for a specific port.

Stealing Adam's example :-)

www.something.com = 1.1.1.1

private dmz address = 10.1.1.1

static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255

With that port you can browse to 1.1.1.1:80 and RDP to 10.1.1.1.
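A constructed model of why the port-specific static leaves RDP to the private DMZ address alone while the all-ports static does not. This is an added example, not code from the thread or from Cisco; it assumes a simplified ASA (no connection tracking) and models only the bidirectional address rewrite that a pre-8.3 static creates between the dmz and inside interfaces.

```python
"""Simplified model (assumption, not ASA code) of pre-8.3 'static (dmz,inside)'
translations. A static is bidirectional: it rewrites the destination of
inside->dmz packets (mapped -> real) and the source of dmz->inside packets
(real -> mapped). A port-specific static only touches flows on that one port."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Static:
    mapped_ip: str              # address used from inside, e.g. 1.1.1.1
    real_ip: str                # private DMZ address, e.g. 10.1.1.1
    port: Optional[int] = None  # None = all ports (plain static, no tcp/port)


def _applies(s: Static, port: int) -> bool:
    return s.port is None or s.port == port


def inside_to_dmz(statics: List[Static], dst_ip: str, dst_port: int) -> str:
    """Destination translation for a packet from inside: mapped -> real."""
    for s in statics:
        if s.mapped_ip == dst_ip and _applies(s, dst_port):
            return s.real_ip
    return dst_ip  # no matching static: forwarded as addressed


def dmz_to_inside(statics: List[Static], src_ip: str, src_port: int) -> str:
    """Source translation for the DMZ server's reply: real -> mapped."""
    for s in statics:
        if s.real_ip == src_ip and _applies(s, src_port):
            return s.mapped_ip
    return src_ip


def connect(statics: List[Static], dst_ip: str, dst_port: int) -> bool:
    """True if an inside client sees the reply come from the address it sent to.
    A reply from a different address is a broken connection in this model."""
    server_ip = inside_to_dmz(statics, dst_ip, dst_port)
    reply_src = dmz_to_inside(statics, server_ip, dst_port)
    return reply_src == dst_ip


# The two statements from the thread, as model entries (constructed values).
FULL_STATIC = [Static("1.1.1.1", "10.1.1.1")]        # static (dmz,inside) 1.1.1.1 10.1.1.1
PORT_STATIC = [Static("1.1.1.1", "10.1.1.1", 80)]    # ... tcp 1.1.1.1 80 10.1.1.1 80

if __name__ == "__main__":
    for name, statics in (("all ports", FULL_STATIC), ("tcp/80 only", PORT_STATIC)):
        print(name, "web via 1.1.1.1:80 ->", connect(statics, "1.1.1.1", 80),
              "| rdp via 10.1.1.1:3389 ->", connect(statics, "10.1.1.1", 3389))
```

In this model the all-ports static rewrites the RDP server's reply source to 1.1.1.1, so the inside client never sees an answer from 10.1.1.1; the tcp/80 static leaves 3389 untouched in both directions.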

New Member

Re: Visiting website on DMZ from inside using public dns

You are my hero :)

Thanks a bunch!

Rasmus
