New Member

DMZ

I have set up a DMZ on an ASA 5500. I can access the web server from the internet and cannot access it from the inside network.

The DMZ is using a 10 network and is static NATed to a registered IP. The inside network is using a different 10 network. I cannot access the web server with either the 10 net address or the registered address. Shouldn't the inside users just be able to enter the web site address and be able to get to the server?

I am doing the config using the ASDM program.

Any suggestions?

Thanks, Seth

1 ACCEPTED SOLUTION

Green

Re: DMZ

I understand...

You will not be able to hit http://www.xxxxxx.com if it resolves to an outside IP address from inside the firewall. You will have to use DNS doctoring (if your inside users use an external DNS server) or use destination NAT. The destination NAT statement I wrote above will allow inside users to use the public.ip from inside the firewall, and the firewall will translate this to the private DMZ address.

If www.xxxxx.com resolves to 1.2.3.4 and the IP address of the server in the DMZ is 10.2.1.1 then you need....

static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
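
A way to check a configuration for the gap described in this answer, as an added example that is not part of the original thread: it parses pre-8.3 `static` statements and reports, for each DMZ host published to the outside, whether inside clients that resolve the public name have a path to it. The `(dmz,outside)` publishing rule, the interface names and the sample configs are assumptions constructed for illustration; the trailing `dns` keyword is the DNS doctoring form of the `static` command.

```python
import re

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask] [dns]
# Only this host/network form is handled; port and access-list statics are skipped.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?(?P<dns> dns)?\s*$")

def parse_statics(config):
    """Return one dict per matching `static` line; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real, mask = m.group(1, 2, 3, 4, 5)
            rules.append({"real_if": real_if, "mapped_if": mapped_if,
                          "mapped": mapped, "real": real,
                          "mask": mask or "255.255.255.255",
                          "dns": bool(m.group("dns"))})
    return rules

def inside_reachability(config, dmz="dmz", inside="inside", outside="outside"):
    """Map each public IP of a DMZ host to how inside clients can reach it."""
    rules = parse_statics(config)
    report = {}
    for pub in rules:
        if (pub["real_if"], pub["mapped_if"]) != (dmz, outside):
            continue
        # Destination NAT: the same public->private mapping, visible on inside.
        hairpin = any(r["real_if"] == dmz and r["mapped_if"] == inside
                      and r["mapped"] == pub["mapped"] and r["real"] == pub["real"]
                      for r in rules)
        if hairpin:
            report[pub["mapped"]] = "destination-nat"
        elif pub["dns"]:
            # Only effective when DNS replies to inside clients cross the ASA.
            report[pub["mapped"]] = "dns-doctoring"
        else:
            report[pub["mapped"]] = "unreachable-from-inside"
    return report

# Constructed sample configs using the addresses from the answer above.
BEFORE = """static (dmz,outside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
"""
AFTER = BEFORE + "static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255\n"
DOCTORED = BEFORE.replace("255.255.255.255\n", "255.255.255.255 dns\n", 1)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("doctored", DOCTORED)):
        print(name, inside_reachability(cfg))
```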

3 REPLIES
Green

Re: DMZ

To access by private IP address from the inside you need...

if 10.1.1.0/24 is your inside network...

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

To access them by their public IP addresses you need to do DNS doctoring or destination NAT like so...

static (dmz,inside) public.ip dmz.ip netmask 255.255.255.255

Please rate helpful posts.

New Member

Re: DMZ

Their web site is already in the public DNS, as it is reachable from the outside by name.

They have a link on a public web page that would take them back to this web server in the DMZ. When they click on the link from behind the firewall it does not work. Only works from outside the firewall.

They also try to put in the www.xxxxxx.com name in their web browser from inside and it does not work.

Seth
