
Access to web servers behind DMZ from LAN

Posted on 2008-06-19
Medium Priority
Last Modified: 2013-11-16

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70
 ospf cost 10
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN ie
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?

Kind Regards,

Question by:Daniel2040
LVL 10

Expert Comment

ID: 21820918
Daniel - is this so that Internal clients can use the External name of the Server / web-site to access it?

If so you need to set internal DNS to remap the name of the Server to use the Internal address.

If your Server is called you should have a DNS zone called on your DNS Servers.

Add an A host entry called www and use the IP address (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name.
LVL 57

Accepted Solution

Pete Long earned 2000 total points
ID: 21820920
>>But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ


your web server is - create a forward lookup zone called on your DNS server then create an A(host) record inside it called www. Then when your internal clients go to they get directed to the private IP on your DMZ

2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a Static the WRONG
way round and put the "dns" on the end of the command.


static (inside,outside) {Inside IP} {Outside IP} netmask dns

Here is a working example with the equivalent OLD alias command.

Static (inside,outside) netmask dns

alias (inside)

NB if you try using the OLD alias command you might find the PDM will stop working
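
What the "dns" keyword on a static does to a DNS reply passing through the firewall, as an added Python sketch (not part of the original thread and not Cisco's code): A records that carry a mapped, public address are rewritten to the real address behind it. The addresses, `DOCTORED_STATICS` and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed placeholders (mapped/public -> real/DMZ); not the poster's addresses.
DOCTORED_STATICS = {"203.0.113.81": "10.50.0.81", "203.0.113.82": "10.50.0.82"}

def _skip_name(buf, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:                 # root label ends the name
            return off + 1
        off += 1 + length

def _a_record_offsets(buf):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                            # fixed DNS header size
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            yield off
        off += rdlen

def doctor_reply(packet, statics=DOCTORED_STATICS):
    """Rewrite A records whose address is the mapped IP of a dns-flagged static."""
    out = bytearray(packet)
    for off in _a_record_offsets(packet):
        mapped = str(ipaddress.IPv4Address(packet[off:off + 4]))
        if mapped in statics:
            out[off:off + 4] = ipaddress.IPv4Address(statics[mapped]).packed
    return bytes(out)

def a_records(packet):
    return [str(ipaddress.IPv4Address(packet[o:o + 4])) for o in _a_record_offsets(packet)]

def sample_reply(name, addr):
    """Constructed one-answer reply for `name`, with a pointer back to the question."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Only the four address bytes change, so the reply keeps its length, and answers for addresses with no matching static pass through untouched.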
LVL 57

Expert Comment

by:Pete Long
ID: 21820926

sorry  - typing at the same time :)

Author Comment

ID: 21821006
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

the 2 web servers DMZ addresses are and
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

so will the command be?

Static (inside,outside) ***.***.***.81 netmask dns
Static (inside,outside) ***.***.***.82 netmask dns

the existing rules are:

static (DMZ,outside) ***.***.***.81 netmask
static (DMZ,outside) ***.***.***.82 netmask

Kind Regards,

LVL 57

Expert Comment

by:Pete Long
ID: 21821327
That's the one :)

Author Comment

ID: 21841058

Worked a treat.

LVL 57

Expert Comment

by:Pete Long
ID: 21844715
Glad to help - thanQ


Question has a verified solution.
