• Status: Solved

Access to web servers behind DMZ from LAN

Hi,

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 30.30.30.100 255.255.255.0
!

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN, i.e. 30.30.30.201.
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?



Kind Regards,

Daniel.
Kieran_Burns Commented:
Daniel - is this so that internal clients can use the external name of the server / web-site to access it?

If so, you need to set internal DNS to remap the name of the server to use the internal address.

If your server is called www.yourcompany.com, you should have a DNS zone called yourcompany.com on your DNS servers.

Add an A host entry called www and use the IP address 30.30.30.201 (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name.
 
Pete Long, Technical Consultant, Commented:
>>But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.


2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ.

e.g.

Your web server is www.yoursite.co.uk - create a forward lookup zone called yoursite.co.uk on your DNS server, then create an A (host) record inside it called www. Then when your internal clients go to www.yoursite.co.uk they get directed to the private IP on your DMZ.


2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a static the WRONG
way round and put the "dns" on the end of the command.

Syntax

static (inside,outside) {Inside IP} {Outside IP} netmask 255.255.255.255 dns


Here is a working example with the equivalent OLD alias command.


Static (inside,outside) 10.254.254.10 123.123.123.123 netmask 255.255.255.255 dns

alias (inside) 10.254.254.10 123.123.123.123 255.255.255.255



NB if you try using the OLD alias command you might find the PDM will stop working
 
Pete Long, Technical Consultant, Commented:
>>Kieran_Burns

Sorry - typing at the same time :)
Daniel2040 (Author) Commented:
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing, so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

The 2 web servers' DMZ addresses are 30.30.30.201 and 30.30.30.202
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

So will the command be?

Static (inside,outside) 30.30.30.201 ***.***.***.81 netmask 255.255.255.255 dns
Static (inside,outside) 30.30.30.202 ***.***.***.82 netmask 255.255.255.255 dns

The existing rules are:

static (DMZ,outside) ***.***.***.81 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) ***.***.***.82 30.30.30.202 netmask 255.255.255.255


Kind Regards,

Daniel.
 
Pete Long, Technical Consultant, Commented:
That's the one :)
 
Daniel2040 (Author) Commented:
Thanks,

Worked a treat.



Daniel.
 
Pete Long, Technical Consultant, Commented:
Glad to help - thanQ
Question has a verified solution.
