
DMZ

srosenthal
Level 4

I have set up a DMZ on an ASA 5500. I can access the web server from the internet and cannot access it from the inside network.

The DMZ is using a 10 network and is static nat to a registered IP. The inside network is using a different 10 network. I cannot access the web server with either the 10 net address or the registered address. Shouldn't the inside users just be able to enter in the web site address and be able to get to the server?

I am doing the config using the ASDM program.

Any suggestions?

Thanx, Seth

Accepted Solution

I understand...

You will not be able to hit http://www.xxxxxx.com if it resolves to an outside ip address from inside the firewall. You will have to use dns doctoring (if your inside users use an external dns server) or use destination nat. The destination nat statement I wrote above will allow inside users to use the public.ip from inside the firewall, and the firewall will translate this to the private dmz address.

If www.xxxxx.com resolves to 1.2.3.4 and the ip address of the server in the dmz is 10.2.1.1 then you need....

static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255

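To put the two options from this answer side by side, here is an added pre-8.3 ASA configuration (not the poster's or acomiskey's own config) that uses the thread's addresses: inside network 10.1.1.0/24, DMZ server 10.2.1.1, registered address 1.2.3.4. The interface hardware names, the interface IP addresses, and the assumption that the default global policy's `inspect dns` is active (needed for the `dns` keyword to rewrite replies) are mine.

```cisco
! Added example, pre-8.3 NAT syntax. Hardware interface names and
! interface addresses are assumed; security levels give inside > dmz > outside.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.1.254 255.255.255.0
!
! Publish the DMZ server on its registered address and allow only HTTP in.
! The trailing "dns" keyword is the DNS doctoring option: when an inside host
! asks an external DNS server for www.xxxxxx.com, the A record 1.2.3.4 in the
! reply is rewritten to 10.2.1.1 as it passes the firewall, so the client
! connects straight to the DMZ address (requires "inspect dns" in the policy).
static (dmz,outside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255 dns
access-list outside_in extended permit tcp any host 1.2.3.4 eq www
access-group outside_in in interface outside
!
! Identity translation so inside hosts can reach the DMZ server by 10.2.1.1
! (needed when nat-control is enabled; harmless otherwise).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Destination NAT for the hard-coded links: an inside client that connects to
! 1.2.3.4 (for example from a bookmark or a link on the public page) has the
! destination rewritten to 10.2.1.1 and the flow sent out the dmz interface.
! Either this line or the "dns" keyword above fixes the symptom on its own;
! together they cover both name-based and address-based access.
static (dmz,inside) 1.2.3.4 10.2.1.1 netmask 255.255.255.255
```

After adding or changing static entries, `clear xlate` drops stale translations, and `packet-tracer input inside tcp 10.1.1.50 1025 1.2.3.4 80` (a constructed inside client address) should show the flow allowed and leaving on the dmz interface with destination 10.2.1.1.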

3 Replies

acomiskey
Level 10

To access by private ip address from the inside you need...

if 10.1.1.0/24 is your inside network...

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

To access them by their public ip addresses you need to do dns doctoring or destination nat like so...

static (dmz,inside) public.ip dmz.ip netmask 255.255.255.255

Please rate helpful posts.

Their web site is already in the public DNS as it is reachable from the outside by name.

They have a link on a public web page that would take them back to this web server in the DMZ. When they click on the link from behind the firewall it does not work. Only works from outside the firewall.

They also try to put in the www.xxxxxx.com name in their web browser from inside and it does not work.

Seth

