
New Member

Alias-ed DMZ server not accessible via its private address

Hi all.

My Customer has moved a public server from the inside to the dmz and wants to be able to access the server using its domain name.

Here's the config I have proposed:

ip address inside 192.168.204.1 255.255.255.0
ip address dmz 192.168.210.3 255.255.255.0
!
global (dmz) 1 192.168.210.4 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
alias (inside) A.B.C.100 192.168.210.100 255.255.255.255

Well, I have problem now.

The Customer is happy to access the dmz web server using the domain name, but still wants to manage it (Terminal Services) using its *private* address, as they used to do when the server was in the inside.

It seems this config does not allow them to do so. Is this an expected behaviour? What can I do to fulfill the requirement?

Thank you

Michele

5 REPLIES
New Member

Re: Alias-ed DMZ server not accessible via its private address

Hi Michele,

Please give some more information on this: are you using NAT or PAT for translation? Which IP address is used when accessing the DMZ zone?

If the user wants to access the DMZ from inside network add this command to the configuration

static(inside,dmz) 192.168.210 255.255.255.0 192.168.204.1 255.255.255.0 0 0

Then clear the translation and try it out

Regards

Kiruba

New Member

Re: Alias-ed DMZ server not accessible via its private address

Hi Kiruba.

- First of all, thank you for making me realize I should have used a PAT statement to access the DMZ: that was my intention, so I'm going to change the global statement to the following:

global (dmz) 1 192.168.210.4 netmask 255.255.255.255

- Second, according to my new config, may I ask you to re-write the static command you suggested to me? I don't see the last octet of the first address.

- Third: will the config work if I remove the nat/global and use nat 0?

Thank you very much

Michele

New Member

Re: Alias-ed DMZ server not accessible via its private address

Hi Michele,

static(inside,dmz) 192.168.210 255.255.255.0 192.168.204.0 255.255.255.0 0 0

This 0 0 is for [max_conns [em_limit]] [norandomseq]

Refer this link for more details on static command

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44cmd.htm#xtocid55

Regards

Kiruba

New Member

Re: Alias-ed DMZ server not accessible via its private address

Hi Michele,

Before doing this for all your inside network you could verify with a single machine.

For Example:

static(inside,dmz) 192.168.210 255.255.255.255 192.168.204.10 255.255.255.255 0 0

Apply this Static command and do a "clear xlate"

Regards

Kiruba

New Member

Re: Alias-ed DMZ server not accessible via its private address

Kiruba,

I can't get it working yet :'-(

Please, find my config attached. Customer is not yet able to reach the DMZ server using its private address.

!
access-list dmz permit icmp any any
access-list dmz permit udp host 192.168.210.100 any eq domain
access-list dmz permit tcp host 192.168.210.100 host 192.168.204.11 eq smtp
access-list dmz permit tcp host 192.168.210.100 any eq smtp
!
ip address outside A.B.C.126 255.255.255.128
ip address inside 192.168.204.1 255.255.255.0
ip address dmz 192.168.210.3 255.255.255.0
!
global (outside) 1 A.B.C.124 netmask 255.255.255.128
global (dmz) 1 192.168.210.4 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
!
!Destination NAT (DNS server is external)
!Users in the inside should be able reach the DMZ server using its domain
!name
alias (inside) A.B.C.100 192.168.210.100 255.255.255.255
!
!Server in the DMZ should be able to reference an smtp server
!in the inside using its domain name
alias (dmz) 192.168.204.11 A.B.C.11 255.255.255.255
!
!DMZ server should be reachable from the outside
static (dmz,outside) A.B.C.100 192.168.210.100 netmask 255.255.255.255 0 0
!
!Internal SMTP server should be reachable from the outside
static (inside,outside) A.B.C.11 192.168.204.11 netmask 255.255.255.255 0 0
!
!DMZ server should reach the internal SMTP server
static (inside,dmz) 192.168.204.11 192.168.204.11 netmask 255.255.255.255 0 0
!
! Kiruba’s command applied to internal net 192.168.195.0/24
static (inside,dmz) 192.168.210.0 192.168.195.0 netmask 255.255.255.0 0 0

sh route
inside 172.22.0.0 255.255.0.0 192.168.204.3 1 RIP
inside 192.168.195.0 255.255.255.0 192.168.204.3 1 RIP
inside 192.168.199.0 255.255.255.0 192.168.204.3 1 RIP
inside 192.168.203.0 255.255.255.0 192.168.204.3 1 RIP
inside 192.168.204.0 255.255.255.0 192.168.204.1 1 CONNECT static
inside 192.168.205.0 255.255.255.0 192.168.204.3 1 RIP
inside 192.168.206.0 255.255.255.0 192.168.204.3 2 RIP
dmz 192.168.210.0 255.255.255.0 192.168.210.3 1 CONNECT static

Thank you very much for your support!

Michele
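The following Python script is an added example for this thread; it is not code from the thread or from Cisco. It parses the PIX 6.x-style ip address, global and static statements of a posted configuration (nat, alias and access-list lines are ignored) and reports the kinds of defects discussed above: a static with a three-octet address or without the netmask keyword, an address with host bits set for its mask, and a mapped range on an interface that collides with that interface's own address, a global address, another static's mapped range on the same interface, or the real address of a host that lives on that interface. The configuration embedded below is constructed from the one Michele posted, with the redacted public prefix A.B.C replaced by the documentation range 203.0.113 as a stand-in; the regular expressions cover only the statement forms seen in this thread.

```python
"""Lint PIX 6.x-style NAT statements for collisions and syntax slips.

Added example, not code from the thread or from Cisco.  Parses ``ip address``,
``global`` and ``static`` lines (``nat``, ``alias`` and ``access-list`` lines
are ignored) and reports statics that are malformed or whose mapped range
collides with something else on the mapped interface.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)"
    r"\s+(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?"
)
IP_ADDR_RE = re.compile(r"^ip\s+address\s+(?P<ifc>\w+)\s+(?P<ip>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global\s*\(\s*(?P<ifc>\w+)\s*\)\s+\d+\s+(?P<ip>\S+)")

# Constructed from the configuration posted in the thread; the redacted public
# prefix A.B.C is replaced by the documentation range 203.0.113 (a stand-in).
THREAD_CONFIG = """
ip address outside 203.0.113.126 255.255.255.128
ip address inside 192.168.204.1 255.255.255.0
ip address dmz 192.168.210.3 255.255.255.0
global (outside) 1 203.0.113.124 netmask 255.255.255.128
global (dmz) 1 192.168.210.4 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.0.113.100 192.168.210.100 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.204.11 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.204.11 192.168.204.11 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.210.0 192.168.195.0 netmask 255.255.255.0 0 0
""".strip().splitlines()

# The first static suggested in the thread, exactly as it was posted.
SUGGESTED_STATIC = "static(inside,dmz) 192.168.210 255.255.255.0 192.168.204.0 255.255.255.0 0 0"


def parse_static(line):
    """Return (entry, problems) for one static line; entry is None if unusable."""
    m = STATIC_RE.match(line)
    if not m:
        return None, ["not a recognisable static statement"]
    problems = []
    for role in ("mapped", "real"):
        try:
            ipaddress.IPv4Address(m[role])
        except ipaddress.AddressValueError:
            problems.append(f"{role} address {m[role]!r} is not a full IPv4 address")
    if m["mask"] is None:
        problems.append("missing 'netmask <mask>' keyword")
    if problems:
        return None, problems
    try:  # strict=True rejects host bits set under the mask, e.g. .5 with /24
        mapped = ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=True)
        real = ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=True)
    except ValueError as exc:
        return None, [f"address/netmask mismatch: {exc}"]
    return {"line": line, "real_if": m["real_if"], "mapped_if": m["mapped_if"],
            "mapped": mapped, "real": real}, []


def lint_config(lines):
    """Return a list of findings (strings) for a sequence of config lines."""
    interfaces, globals_, statics, findings = {}, [], [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := IP_ADDR_RE.match(line):
            interfaces[m["ifc"]] = ipaddress.IPv4Interface(f"{m['ip']}/{m['mask']}")
        elif m := GLOBAL_RE.match(line):
            first, _, last = m["ip"].partition("-")  # pool "a-b" or a single PAT address
            globals_.append((m["ifc"], ipaddress.IPv4Address(first),
                             ipaddress.IPv4Address(last or first)))
        elif line.startswith("static"):
            entry, problems = parse_static(line)
            findings.extend(f"{line}: {p}" for p in problems)
            if entry:
                statics.append(entry)

    for i, s in enumerate(statics):
        ifc, net = s["mapped_if"], s["mapped"]
        # the mapped range must not swallow the mapped interface's own address
        if ifc in interfaces and interfaces[ifc].ip in net:
            findings.append(f"{s['line']}: mapped range {net} contains the {ifc} "
                            f"interface address {interfaces[ifc].ip}")
        # nor a global (PAT or pool) address that hands out translations there
        for gifc, first, last in globals_:
            if gifc == ifc and first <= net.broadcast_address and net.network_address <= last:
                rng = str(first) if first == last else f"{first}-{last}"
                findings.append(f"{s['line']}: mapped range {net} contains global ({ifc}) address {rng}")
        # nor another static's mapped range on the same interface (each pair once)
        for other in statics[i + 1:]:
            if other["mapped_if"] == ifc and net.overlaps(other["mapped"]):
                findings.append(f"{s['line']}: mapped range {net} overlaps "
                                f"{other['mapped']} of: {other['line']}")
        # nor the real address of a host that actually lives on that interface
        for other in statics:
            if other is not s and other["real_if"] == ifc and net.overlaps(other["real"]):
                findings.append(f"{s['line']}: mapped range {net} contains real address "
                                f"{other['real']} of a host on {ifc}: {other['line']}")
    return findings


if __name__ == "__main__":
    for finding in lint_config(THREAD_CONFIG) + lint_config([SUGGESTED_STATIC]):
        print(finding)
```

Run against the posted configuration, the script reports three collisions, all on the last static: its mapped range 192.168.210.0/24 is the DMZ's own subnet, so it contains the dmz interface address 192.168.210.3, the global (dmz) PAT address 192.168.210.4, and 192.168.210.100, the real address of the DMZ server in the static (dmz,outside) statement. The suggested command as first posted yields two syntax findings (the three-octet address and the missing netmask keyword), which is the point Michele raised about the last octet.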
