Solved

Access to web servers behind DMZ from LAN

Posted on 2008-06-19
Last Modified: 2013-11-16
Hi,

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 30.30.30.100 255.255.255.0
!

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN, i.e. 30.30.30.201
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?



Kind Regards,

Daniel.
0
Question by:Daniel2040
7 Comments
 
LVL 10

Expert Comment

by:Kieran_Burns
ID: 21820918
Daniel - is this so that internal clients can use the external name of the server / web-site to access it?

If so, you need to set internal DNS to remap the name of the server to use the internal address.

If your server is called www.yourcompany.com you should have a DNS zone called yourcompany.com on your DNS servers.

Add an A host entry called www and use the IP address 30.30.30.201 (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 21820920
>>But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.


2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ

e.g.

Your web server is www.yoursite.co.uk - create a forward lookup zone called yoursite.co.uk on your DNS server, then create an A (host) record inside it called www. Then when your internal clients go to www.yoursite.co.uk they get directed to the private IP on your DMZ


2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a static the WRONG
way round and put the "dns" on the end of the command.

Syntax

static (inside,outside) {Inside IP} {Outside IP} netmask 255.255.255.255 dns


Here is a working example with the equivalent OLD alias command.


Static (inside,outside) 10.254.254.10 123.123.123.123 netmask 255.255.255.255 dns

alias (inside) 10.254.254.10 123.123.123.123 255.255.255.255



NB if you try using the OLD alias command you might find the PDM will stop working
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21820926
>>Kieran_Burns

sorry  - typing at the same time :)
0

Author Comment

by:Daniel2040
ID: 21821006
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing, so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

The 2 web servers' DMZ addresses are 30.30.30.201 and 30.30.30.202
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

So will the command be?

Static (inside,outside) 30.30.30.201 ***.***.***.81 netmask 255.255.255.255 dns
Static (inside,outside) 30.30.30.202 ***.***.***.82 netmask 255.255.255.255 dns

the existing rules are:

static (DMZ,outside) ***.***.***.81 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) ***.***.***.82 30.30.30.202 netmask 255.255.255.255


Kind Regards,

Daniel.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21821327
That's the one :)
0
 

Author Comment

by:Daniel2040
ID: 21841058
Thanks,

Worked a treat.



Daniel.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21844715
Glad to help - thanQ
0
