Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 528
  • Last Modified:

Access DMZ by using public IPs

Is there a way to configure a Cisco ASA so that internally I can use the same external IPs to access a DMZ site.  Right now I need to keep clone domains for all of our hosted sites.  For example, if www.contoso.com points to 123.123.123.1 I add that number to the external DNS for contoso.com.  Internally, I have to keep another DNS domain for contoso.com that points www.contoso.com to 192.168.1.1

I am redoing my DNS and I don't want to keep these clone domains.  Is there a way to configure NAT, etc so that internally I can use the same 123.123.123.1 address?
0
phoenix-sys
Asked:
phoenix-sys
1 Solution
 
Ernie BeekCommented:
Dont'think that is going to work. The external ip's are 'connected' to the outside interface (i.e. the interface is in that network) so that route is automatically learned. What you are trying to do is to go to your external address, so go out the outside interface, make a u-turn and go back to the dmz. No go afaik.
0
 
andrel39Commented:
I don't know about the Cisco ASA but with SonicWall it is possible to do what you are asking using NAT and/or routing rules.
0
 
ullas_unniCommented:
try this:

static (dmz,inside) ip 123.123.123.1 192.168.1.1 netmask 255.255.255.255

and

nat (inside) 2 0.0.0.0 0.0.0.0
global (dmz) 2 interface
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
phoenix-sysAuthor Commented:
I have seen this with the Sonicwall is why I was asking.  I did try the static above, but not with the nat (inside) and global(dmz).  I will have to try that tomorrow morning before everyone gets in.  Too late for today.
0
 
ullas_unniCommented:
@ erniebee- in firewall, destination NAT decides your egress interface.

so the packet flow is:

ACL--> Destination NAT-->Route look up--> Source NAT

so in my solution above static is the destination NAT so it decides the egress interface ie the dmz and nat global statements are for source translation.
0
 
phoenix-sysAuthor Commented:
Looking at the answer I want to verify one thing.


123.123.123.x is a public IP
192.168.1.x is a DMZ private IP

10.1.1.x is my internal LAN

Did I maybe confuse this or does this still hold true?
0
 
ullas_unniCommented:
in my answer

123.123.123.1 is the public ip of the server.
192.168.1.1 is the private ip of your server.

the internal LAN users should be able to access the server on 123.123.123.1
0
 
phoenix-sysAuthor Commented:
OK, thanks.  I will try that in the morning.
0
 
ullas_unniCommented:
and a small correction... the static is:

static (dmz,inside) 123.123.123.1 192.168.1.1 netmask 255.255.255.255

there is no 'ip' keyword as in my earlier mentioned static..!!
0
 
phoenix-sysAuthor Commented:
OK, I picked one website that I figured no one would be using.  this did work.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now