Access DMZ by using public IPs

Is there a way to configure a Cisco ASA so that internally I can use the same external IPs to access a DMZ site?  Right now I need to keep clone domains for all of our hosted sites.  For example, if points to I add that number to the external DNS for  Internally, I have to keep another DNS domain for that points to

I am redoing my DNS and I don't want to keep these clone domains.  Is there a way to configure NAT, etc. so that internally I can use the same address?

ullas_unni Commented:
and a small correction... the static is:

static (dmz,inside) netmask

there is no 'ip' keyword as in my earlier mentioned static..!!
Ernie Beek (Expert) Commented:
Don't think that is going to work. The external IPs are 'connected' to the outside interface (i.e. the interface is in that network) so that route is automatically learned. What you are trying to do is to go to your external address, so go out the outside interface, make a u-turn and go back to the dmz. No go afaik.
I don't know about the Cisco ASA but with SonicWall it is possible to do what you are asking using NAT and/or routing rules.

try this:

static (dmz,inside) ip netmask


nat (inside) 2
global (dmz) 2 interface
phoenix-sys (Author) Commented:
I have seen this with the Sonicwall is why I was asking.  I did try the static above, but not with the nat (inside) and global(dmz).  I will have to try that tomorrow morning before everyone gets in.  Too late for today.
@ erniebee- in firewall, destination NAT decides your egress interface.

so the packet flow is:

ACL --> Destination NAT --> Route lookup --> Source NAT

So in my solution above, static is the destination NAT, so it decides the egress interface, i.e. the dmz, and the nat and global statements are for source translation.
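
A simplified model of the packet-flow order described in the post above, added here as an example; it is not part of the original thread and is not Cisco code. The addresses are constructed from the ranges the asker gives, the function names are hypothetical, and the ACL step is assumed to permit the traffic.

```python
import ipaddress

# Constructed sample values in the ranges the asker lists (not from a real config).
PUBLIC_IP = "123.123.123.10"  # public address of the server
DMZ_IP = "192.168.1.10"       # real (private) address of the server in the DMZ
ROUTES = {                    # connected networks; default route leaves via outside
    "inside": "10.1.1.0/24",
    "dmz": "192.168.1.0/24",
    "outside": "0.0.0.0/0",
}
IFACE_IP = {"dmz": "192.168.1.1"}  # assumed firewall DMZ address, used for interface PAT


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    nets = {i: ipaddress.ip_network(n) for i, n in ROUTES.items()}
    matches = [(net.prefixlen, i) for i, net in nets.items() if addr in net]
    return max(matches)[1]


def forward(src, dst, ingress, statics, dynamic_nat):
    """Apply the order from the thread: destination NAT, route lookup, source NAT.

    statics: (real_if, mapped_if, mapped_ip, real_ip) tuples, modelling
             'static (real_if,mapped_if) mapped_ip real_ip'.
    dynamic_nat: ingress interface -> set of egress interfaces that have a
                 matching 'global (egress) N interface' for 'nat (ingress) N'.
    """
    egress = None
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if ingress == mapped_if and dst == mapped_ip:
            # Destination NAT rewrites dst and also fixes the egress interface.
            dst, egress = real_ip, real_if
            break
    if egress is None:
        egress = route_lookup(dst)  # no static matched: routing decides
    if egress in dynamic_nat.get(ingress, set()):
        src = IFACE_IP[egress]      # source NAT to the egress interface address
    return {"src": src, "dst": dst, "egress": egress}


if __name__ == "__main__":
    pat = {"inside": {"dmz"}}
    # Without the static, the public IP routes to outside (the u-turn case).
    print(forward("10.1.1.50", PUBLIC_IP, "inside", [], pat))
    # With static (dmz,inside), the same packet is sent straight to the DMZ.
    print(forward("10.1.1.50", PUBLIC_IP, "inside",
                  [("dmz", "inside", PUBLIC_IP, DMZ_IP)], pat))
```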
phoenix-sys (Author) Commented:
Looking at the answer I want to verify one thing.

123.123.123.x is a public IP
192.168.1.x is a DMZ private IP

10.1.1.x is my internal LAN

Did I maybe confuse this or does this still hold true?
in my answer is the public ip of the server. is the private ip of your server.

the internal LAN users should be able to access the server on
phoenix-sys (Author) Commented:
OK, thanks.  I will try that in the morning.
phoenix-sys (Author) Commented:
OK, I picked one website that I figured no one would be using.  This did work.
Question has a verified solution.
