Solved

Access to web servers behind DMZ from LAN

Posted on 2008-06-19
Last Modified: 2013-11-16
Hi,

I have a Cisco 515 DMZ BUN.

I have 3 interfaces:

!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.70 255.255.255.224
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 30.30.30.100 255.255.255.0
!

I have 2 web servers behind the DMZ with 2 static IPs mapped from the Outside interface.

I can access the web servers via their DMZ address from the LAN, i.e. 30.30.30.201.
But I need to be able to access the websites from the LAN via their external IP, i.e. ***.***.***.81, which I cannot do, or I need the PIX to translate DNS requests for the external address to the DMZ address.

Can anyone please help?



Kind Regards,

Daniel.
Question by:Daniel2040
LVL 10

Expert Comment

by:Kieran_Burns
Daniel - is this so that Internal clients can use the External name of the Server / web-site to access  it?

If so you need to set internal DNS to remap the name of the Server to use the Internal address

If your Server is called www.yourcompany.com you should have a DNS zone called yourcompany.com on your DNS Servers

Add an A host entry called www and use the IP address 30.30.30.201 (is that really your INTERNAL address?)

That should allow your internal clients to access the web-sites using the external name
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
>>But i need to be able to access the websites from the LAN via their external ip ie ***.***.***.81 which i cannot do or i need the PIX to translate DNS requests for the external address to the DMZ address.


2 solutions

1. If you have Windows servers - create DNS zones that match the public servers' URLs and create records that map them to the IP addresses in the DMZ

e.g

your web server is www.yoursite.co.uk - create a forward lookup zone called yoursite.co.uk on your DNS server, then create an A (host) record inside it called www. Then when your internal clients go to www.yoursite.co.uk they get directed to the private IP on your DMZ


2. Use DNS doctoring

Cisco DNS Doctoring

Note this replaced the alias command; you need to write a Static the WRONG
way round and put the "dns" on the end of the command.

Syntax

static (inside,outside) {Inside IP} {Outside IP} netmask 255.255.255.255 dns


Here is a working example with the equivalent OLD alias command.


Static (inside,outside) 10.254.254.10 123.123.123.123 netmask 255.255.255.255 dns

alias (inside) 10.254.254.10 123.123.123.123 255.255.255.255



NB if you try using the OLD alias command you might find the PDM will stop working
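The DNS rewrite that the accepted solution describes, as an added example (not from the thread or from Cisco): a Python model of what the PIX does to an A record in a DNS reply when the answer equals the mapped address of a static carrying the dns keyword. The DMZ addresses are the thread's own; the public addresses are placeholders because the post masks them, and the packet builder is a constructed helper for offline testing.

```python
import struct
from ipaddress import IPv4Address

# Constructed mapping in the shape of the thread's statics: mapped (outside) address
# -> real (DMZ) address. Public IPs are placeholders, since the post masks them.
STATICS_WITH_DNS = {
    "198.51.100.81": "30.30.30.201",
    "198.51.100.82": "30.30.30.202",
}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, statics):
    """Rewrite A-record rdata equal to a mapped address; return (packet, rewrites)."""
    buf = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                                # past the fixed 12-byte header
    for _ in range(qdcount):                # question: name + qtype + qclass
        off = _skip_name(pkt, off) + 4
    rewrites = []
    for _ in range(ancount):                # answer records
        rr_off = off
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record: compare rdata with the statics
            old = str(IPv4Address(pkt[off:off + 4]))
            new = statics.get(old)
            if new:
                buf[off:off + 4] = IPv4Address(new).packed
                rewrites.append((rr_off, old, new))
        off += rdlen                        # other record types pass through untouched
    return bytes(buf), rewrites

def build_reply(name, addr, txid=0x1234):
    """Constructed minimal DNS reply: one question and one A answer pointing at it."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer
```

This models only replies that traverse the firewall; a reply from a resolver that sits on the inside never crosses the PIX and is not rewritten.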
LVL 57

Expert Comment

by:Pete Long
>>Kieran_Burns

sorry  - typing at the same time :)
Author Comment

by:Daniel2040
The DMZ interface is 30.30.30.***

We have over 100 domain names and growing, so we do not really want to create an internal DNS server.

So it looks like I will need to do the DNS doctoring.

The 2 web servers' DMZ addresses are 30.30.30.201 and 30.30.30.202
and their external WAN addresses are ***.***.***.81 and ***.***.***.82

So will the command be:

Static (inside,outside) 30.30.30.201 ***.***.***.81 netmask 255.255.255.255 dns
Static (inside,outside) 30.30.30.202 ***.***.***.82 netmask 255.255.255.255 dns

the existing rules are:

static (DMZ,outside) ***.***.***.81 30.30.30.201 netmask 255.255.255.255
static (DMZ,outside) ***.***.***.82 30.30.30.202 netmask 255.255.255.255


Kind Regards,

Daniel.
LVL 57

Expert Comment

by:Pete Long
That's the one :)
Author Comment

by:Daniel2040
Thanks,

Worked a treat.



Daniel.
LVL 57

Expert Comment

by:Pete Long
Glad to help - thanQ