Solved

Access DMZ by using public IPs

Posted on 2010-09-08
10
521 Views
Last Modified: 2012-05-10
Is there a way to configure a Cisco ASA so that internally I can use the same external IPs to access a DMZ site.  Right now I need to keep clone domains for all of our hosted sites.  For example, if www.contoso.com points to 123.123.123.1 I add that number to the external DNS for contoso.com.  Internally, I have to keep another DNS domain for contoso.com that points www.contoso.com to 192.168.1.1

I am redoing my DNS and I don't want to keep these clone domains.  Is there a way to configure NAT, etc so that internally I can use the same 123.123.123.1 address?
0
Comment
Question by:phoenix-sys
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 33626247
Dont'think that is going to work. The external ip's are 'connected' to the outside interface (i.e. the interface is in that network) so that route is automatically learned. What you are trying to do is to go to your external address, so go out the outside interface, make a u-turn and go back to the dmz. No go afaik.
0
 
LVL 2

Expert Comment

by:andrel39
ID: 33626254
I don't know about the Cisco ASA but with SonicWall it is possible to do what you are asking using NAT and/or routing rules.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33626266
try this:

static (dmz,inside) ip 123.123.123.1 192.168.1.1 netmask 255.255.255.255

and

nat (inside) 2 0.0.0.0 0.0.0.0
global (dmz) 2 interface
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:phoenix-sys
ID: 33626340
I have seen this with the Sonicwall is why I was asking.  I did try the static above, but not with the nat (inside) and global(dmz).  I will have to try that tomorrow morning before everyone gets in.  Too late for today.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33626385
@ erniebee- in firewall, destination NAT decides your egress interface.

so the packet flow is:

ACL--> Destination NAT-->Route look up--> Source NAT

so in my solution above static is the destination NAT so it decides the egress interface ie the dmz and nat global statements are for source translation.
0
 

Author Comment

by:phoenix-sys
ID: 33626446
Looking at the answer I want to verify one thing.


123.123.123.x is a public IP
192.168.1.x is a DMZ private IP

10.1.1.x is my internal LAN

Did I maybe confuse this or does this still hold true?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33626491
in my answer

123.123.123.1 is the public ip of the server.
192.168.1.1 is the private ip of your server.

the internal LAN users should be able to access the server on 123.123.123.1
0
 

Author Comment

by:phoenix-sys
ID: 33626498
OK, thanks.  I will try that in the morning.
0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33626532
and a small correction... the static is:

static (dmz,inside) 123.123.123.1 192.168.1.1 netmask 255.255.255.255

there is no 'ip' keyword as in my earlier mentioned static..!!
0
 

Author Comment

by:phoenix-sys
ID: 33626717
OK, I picked one website that I figured no one would be using.  this did work.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month2 days, 18 hours left to enroll

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question