Access to web servers behind DMZ from LAN

Posted on 2008-06-19
Last Modified: 2013-11-16

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70
 ospf cost 10
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN ie
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?

Kind Regards,

Question by:Daniel2040
LVL 10

Expert Comment

ID: 21820918
Daniel - is this so that Internal clients can use the External name of the Server / web-site to access  it?

If so you need to set internal DNS to remap the name of the Server to use the Internal address

If your Server is called you should have a DNS zone called on your DNS Servers

Add an A host entry called www and use the IP address (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name
LVL 57

Accepted Solution

Pete Long earned 500 total points
ID: 21820920
>>But i need to be able to access the websites from the LAN via their external ip ie ***.***.***.81 which i cannot do or i need the PIX to translate DNS requests for the external address to the DMZ address.

2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ


your web server is - create a forward lookup zone called on your DNS server then create an A(host) record inside it called www. Then when your internal clients go to they get directed to the private IP on your DMZ

2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a static the WRONG way round and put the "dns" on the end of the command.


static (inside,outside) {Inside IP} {Outside IP} netmask dns

Here is a working example with the equivalent OLD alias command.

Static (inside,outside) netmask dns

alias (inside)

NB if you try using the OLD alias command you might find the PDM will stop working
LVL 57

Expert Comment

by:Pete Long
ID: 21820926

sorry  - typing at the same time :)


Author Comment

ID: 21821006
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

the 2 web servers DMZ addresses are and
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

so will the command be?

Static (inside,outside) ***.***.***.81 netmask dns
Static (inside,outside) ***.***.***.82 netmask dns

the existing rules are:

static (DMZ,outside) ***.***.***.81 netmask
static (DMZ,outside) ***.***.***.82 netmask

Kind Regards,

LVL 57

Expert Comment

by:Pete Long
ID: 21821327
That's the one :)

Author Comment

ID: 21841058

Worked a treat.

LVL 57

Expert Comment

by:Pete Long
ID: 21844715
Glad to help - thanQ
