
Access to web servers behind DMZ from LAN

Posted on 2008-06-19
Last Modified: 2013-11-16
Hi,

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 30.30.30.100 255.255.255.0
!

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN, i.e. 30.30.30.201.
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?



Kind Regards,

Daniel.
Question by:Daniel2040
7 Comments
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 21820918
Daniel - is this so that Internal clients can use the External name of the Server / web-site to access  it?

If so you need to set internal DNS to remap the name of the Server to use the Internal address

If your Server is called www.yourcompany.com you should have a DNS zone called yourcompany.com on your DNS Servers

Add an A host entry called www and use the IP address 30.30.30.201 (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name
 
LVL 58

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 21820920
>>But i need to be able to access the websites from the LAN via their external ip ie ***.***.***.81 which i cannot do or i need the PIX to translate DNS requests for the external address to the DMZ address.


2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ

e.g.

your web server is www.yoursite.co.uk - create a forward lookup zone called yoursite.co.uk on your DNS server then create an A(host) record inside it called www. Then when your internal clients go to www.yoursite.co.uk they get directed to the private IP on your DMZ


2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a static the WRONG
way round and put the "dns" on the end of the command.

Syntax

static (inside,outside) {Inside IP} {Outside IP} netmask 255.255.255.255 dns


Here is a working example with the equivalent OLD alias command.


Static (inside,outside) 10.254.254.10 123.123.123.123 netmask 255.255.255.255 dns

alias (inside) 10.254.254.10 123.123.123.123 255.255.255.255



NB if you try using the OLD alias command you might find the PDM will stop working
 
LVL 58

Expert Comment

by:Pete Long
ID: 21820926
>>Kieran_Burns

sorry  - typing at the same time :)

Author Comment

by:Daniel2040
ID: 21821006
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing, so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

The 2 web servers' DMZ addresses are 30.30.30.201 and 30.30.30.202
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

So will the command be?

Static (inside,outside) 30.30.30.201 ***.***.***.81 netmask 255.255.255.255 dns
Static (inside,outside) 30.30.30.202 ***.***.***.82 netmask 255.255.255.255 dns

The existing rules are:

static (DMZ,outside) ***.***.***.81 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) ***.***.***.82 30.30.30.202 netmask 255.255.255.255


Kind Regards,

Daniel.
 
LVL 58

Expert Comment

by:Pete Long
ID: 21821327
That's the one :)
 

Author Comment

by:Daniel2040
ID: 21841058
Thanks,

Worked a treat.



Daniel.
 
LVL 58

Expert Comment

by:Pete Long
ID: 21844715
Glad to help - thanQ