<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DMZ server access from inside using (public) DNS name in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505239#M608338</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Denis,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for the reply. I went thru the DNS doctoring doc and have 2 (simple) questions;-).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. The example in the doc states: In this case, the client at 192.168.100.2 wants to use the &lt;STRONG&gt;server.example.com&lt;/STRONG&gt; URL to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at 172.22.1.161.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my case the public DNS record for the server (ctrix.test.com) is hosted by outside DNS, but the internal client DNS is our internal DNS (with pvt IP) and that DNS resolves to public IPs. Does DNS doctoring work in this case as well?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2. I do not see DNS inspection enabled at this time (ASA 5510 - 7.2(4)), nor do I see any command applied which disabled the DNS. What would be the effect of enabling DNS inspection with the same procedure listed in the doc? The config sets 'message-length max 512'. It may be the default value, but I just wanted to check that the config does not cause any issues.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;TIA&lt;/P&gt;&lt;P&gt;MS&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 23 Nov 2010 19:08:44 GMT</pubDate>
    <dc:creator>mvsheik123</dc:creator>
    <dc:date>2010-11-23T19:08:44Z</dc:date>
    <item>
      <title>DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505234#M608333</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Citrix server is in DMZ (off of ASA) and its pvt IP is being translated to public IP for external user connectivity. Everything works from outside (ex: http/s:haccess.xyz.com, ping to haccess.xyz.com etc.). Now, the internal user residing behind ASA and NAT'd thru ASA to hit internet also wants to access the server from internal PC using the DNS name: http/s:haccess.xyz.com. The DNS converts the http/s:haccess.xyz.com to public IP (70.34.20.X) and sends it to internet when the request is initiated from an internal user. Using private IP to access the DMZ server from internal subnets works. How can I make this work from internal as well without posing any security risk?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;TIA&lt;/P&gt;&lt;P&gt;MS&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 18:59:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505234#M608333</guid>
      <dc:creator>mvsheik123</dc:creator>
      <dc:date>2019-03-11T18:59:28Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505235#M608334</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I am having the same issues, see the information in my post it may assist or maybe we will get an answer later..&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 24 Oct 2010 15:51:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505235#M608334</guid>
      <dc:creator>pskipton01</dc:creator>
      <dc:date>2010-10-24T15:51:50Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505236#M608335</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;you can use dns doctoring&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;static (inside,outside) 70.34.20.X y.y.y.y netmask 255.255.255.255 dns&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;full description&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml"&gt;http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 24 Oct 2010 19:09:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505236#M608335</guid>
      <dc:creator>Denis Spichkin</dc:creator>
      <dc:date>2010-10-24T19:09:53Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505237#M608336</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That works fine with prior to 8.3 or even further back but what would be required for 8.3(1)???&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 24 Oct 2010 20:51:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505237#M608336</guid>
      <dc:creator>pskipton01</dc:creator>
      <dc:date>2010-10-24T20:51:07Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505238#M608337</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Perry,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Take a look at the post, we answered your question already. If you have any doubts please feel free to post them.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 25 Oct 2010 05:13:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505238#M608337</guid>
      <dc:creator>Maykol Rojas</dc:creator>
      <dc:date>2010-10-25T05:13:31Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505239#M608338</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Denis,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for the reply. I went thru the DNS doctoring doc and have 2 (simple) questions;-).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. The example in the doc states: In this case, the client at 192.168.100.2 wants to use the &lt;STRONG&gt;server.example.com&lt;/STRONG&gt; URL to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at 172.22.1.161.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my case the public DNS record for the server (ctrix.test.com) is hosted by outside DNS, but the internal client DNS is our internal DNS (with pvt IP) and that DNS resolves to public IPs. Does DNS doctoring work in this case as well?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2. I do not see DNS inspection enabled at this time (ASA 5510 - 7.2(4)), nor do I see any command applied which disabled the DNS. What would be the effect of enabling DNS inspection with the same procedure listed in the doc? The config sets 'message-length max 512'. It may be the default value, but I just wanted to check that the config does not cause any issues.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;TIA&lt;/P&gt;&lt;P&gt;MS&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 23 Nov 2010 19:08:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505239#M608338</guid>
      <dc:creator>mvsheik123</dc:creator>
      <dc:date>2010-11-23T19:08:44Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ server access from inside using (public) DNS name</title>
      <link>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505240#M608339</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the static that you have for your server (DMZ, outside), instead of outside use Inside. The static statement would be the same. The example shown at the top of the service request was based on a DNS located in the outside world. In your case the DNS server is on the inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please add the same static that you have for the outside but instead of outside put the word Inside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 23 Nov 2010 19:32:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-server-access-from-inside-using-public-dns-name/m-p/1505240#M608339</guid>
      <dc:creator>Maykol Rojas</dc:creator>
      <dc:date>2010-11-23T19:32:11Z</dc:date>
    </item>
  </channel>
</rss>

