https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857736#M973459 <HTML><HEAD></HEAD><BODY><P>You actually have 2 options. You can do dns doctoring or destination nat. </P><P></P><P>Destination Nat</P><P><A class="jive-link-custom" href="http://www.something.com" target="_blank">www.something.com</A> = 1.1.1.1</P><P>private dmz address = 10.1.1.1</P><P>static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255</P><P></P><P>DNS Doctoring</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P></BODY></HTML> Thu, 18 Oct 2007 12:34:36 GMT acomiskey 2007-10-18T12:34:36Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857734#M973455 <P>Hi,</P><P></P><P>I know there are tons of threads like this, but all of them concerns going from inside to inside.</P><P></P><P>Now, our problem is that we want to be able visit <A class="jive-link-custom" href="http://www.something.com" target="_blank">www.something.com</A> from computers on the inside interface. <A class="jive-link-custom" href="http://www.something.com" target="_blank">www.something.com</A> translates to a public ip on the ASA which translates to a dmz ip address.</P><P></P><P>I know that the only way out of this is by using a static NAT command, I just can't figure out the syntax, or where to place it.</P><P></P><P>Hopefully someone out there can help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Thanks in advance,</P><P>Rasmus</P> Mon, 11 Mar 2019 11:27:14 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857734#M973455 blueoceanventure 2019-03-11T11:27:14Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857735#M973457 <HTML><HEAD></HEAD><BODY><P>This should help. It worked for me with servers in the DMZ.</P><P></P><P><A class="jive-link-custom" href="http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html" target="_blank">http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html</A></P><P></P><P>HTH and please rate.</P></BODY></HTML> Thu, 18 Oct 2007 12:29:41 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857735#M973457 Collin Clark 2007-10-18T12:29:41Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857736#M973459 <HTML><HEAD></HEAD><BODY><P>You actually have 2 options. You can do dns doctoring or destination nat. </P><P></P><P>Destination Nat</P><P><A class="jive-link-custom" href="http://www.something.com" target="_blank">www.something.com</A> = 1.1.1.1</P><P>private dmz address = 10.1.1.1</P><P>static (dmz,inside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255</P><P></P><P>DNS Doctoring</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P></BODY></HTML> Thu, 18 Oct 2007 12:34:36 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857736#M973459 acomiskey 2007-10-18T12:34:36Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857737#M973460 <HTML><HEAD></HEAD><BODY><P>I can't do DNS doctoring, 'cause we have internal DNS servers.</P><P></P><P>I'l go for destination NAT. Thanks a bunch!</P><P></P><P>BR,</P><P>Rasmus</P></BODY></HTML> Thu, 18 Oct 2007 13:13:52 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857737#M973460 blueoceanventure 2007-10-18T13:13:52Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857738#M973461 <HTML><HEAD></HEAD><BODY><P>Now, I've setup destination NAT like your example. The funny thing is that it only works for some of our dmz sites.</P><P></P><P>Should I add the "DNS rewite" features on these destination NAT rules?</P><P></P><P>Does it matter which dns servers the dmz servers uses?</P><P></P><P>Thanks in advance,</P><P>Rasmus</P></BODY></HTML> Wed, 24 Oct 2007 08:30:36 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857738#M973461 blueoceanventure 2007-10-24T08:30:36Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857739#M973463 <HTML><HEAD></HEAD><BODY><P>It should work for any server in the dmz. Do you want to post a clean config? Also, which destination nat statements are not working?</P></BODY></HTML> Wed, 24 Oct 2007 12:31:23 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857739#M973463 acomiskey 2007-10-24T12:31:23Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857740#M973465 <HTML><HEAD></HEAD><BODY><P>THe firewall has not been put live yet. I've only connected it a couple of nights, to check status on variuos issues. This makes it difficult to test new configurations quickly.</P><P></P><P>Anyway, I discovered that the web servers that had this problem, all used external DNS servers. I've corrected this, so that they use the internal dns servers (like the rest of the web servers that actually work).</P><P></P><P>Now, I haven't had time to test this yet, but would it make sense, that this might be the issue?</P><P></P><P>BR,</P><P>Rasmus</P></BODY></HTML> Thu, 25 Oct 2007 07:54:02 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857740#M973465 blueoceanventure 2007-10-25T07:54:02Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857741#M973467 <HTML><HEAD></HEAD><BODY><P>Not really. Just to recap, you are using destination nat to use the public ip addresses of the webservers from the inside right? If this is the case, the dns servers defined on the webservers should having nothing to do with it. </P></BODY></HTML> Thu, 25 Oct 2007 12:24:52 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857741#M973467 acomiskey 2007-10-25T12:24:52Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857742#M973468 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I think I've solved it. The servers had multiple IP addresses, and Anti-Spoofing was enabled on the DMZ interface. I'll test this later.</P><P></P><P>In the meantime, I've discovered that now that I've made this destination-NAT-thing, I cannot connect with RemoteDesktop (or any other protocol) to the private dmz addresses. How do I do that?</P><P></P><P>I need to be able to browse the public dmz websites, but at the same time be able to rdp to the private address. Is this even possible? If so, how?</P><P>If not, what do everybody else do? I can't be the only one with this need...</P><P></P><P>Thanks,</P><P>Rasmus</P></BODY></HTML> Tue, 30 Oct 2007 14:42:09 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857742#M973468 blueoceanventure 2007-10-30T14:42:09Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857743#M973470 <HTML><HEAD></HEAD><BODY><P>You can still do destination NAT, just for a specific port.</P><P></P><P>Stealing Adams example <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>www.something.com = 1.1.1.1</P><P>private dmz address = 10.1.1.1</P><P>static (dmz,inside) tcp 1.1.1.1 80 10.1.1.1 80 netmask 255.255.255.255 </P><P></P><P>With that port you can browse to 1.1.1.1:80 and RDP to 10.1.1.1.</P><P></P><P></P></BODY></HTML> Tue, 30 Oct 2007 14:47:19 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857743#M973470 Collin Clark 2007-10-30T14:47:19Z https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857744#M973471 <HTML><HEAD></HEAD><BODY><P>You are my hero <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Thanks a bunch!</P><P></P><P>Rasmus</P></BODY></HTML> Tue, 30 Oct 2007 15:04:49 GMT https://community.cisco.com/t5/network-security/visiting-website-on-dmz-from-inside-using-public-dns/m-p/857744#M973471 blueoceanventure 2007-10-30T15:04:49Z