10-24-2010 06:30 AM - edited 03-11-2019 11:59 AM
Hello,
The Citrix server is in the DMZ (off the ASA) and its private IP is translated to a public IP for external user connectivity. Everything works from outside (e.g. http/s:haccess.xyz.com, ping to haccess.xyz.com, etc.). Now an internal user, residing behind the ASA and NAT'd through the ASA to reach the internet, also wants to access the server from an internal PC using the DNS name http/s:haccess.xyz.com. DNS resolves http/s:haccess.xyz.com to the public IP (70.34.20.X) and the request is sent out to the internet when it originates from an internal user. Using the private IP to access the DMZ server from the internal subnets works. How can I make this work from inside as well without posing any security risk?
TIA
MS
10-24-2010 08:51 AM
I am having the same issue; see the information in my post, it may help, or maybe we will get an answer later.
10-24-2010 12:09 PM
You can use DNS doctoring:
static (inside,outside) 70.34.20.X y.y.y.y netmask 255.255.255.255 dns
Full description:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
10-24-2010 01:51 PM
That works fine prior to 8.3, or even further back, but what would be required for 8.3(1)???
10-24-2010 10:13 PM
Perry,
Take a look at the post; we answered your question already. If you have any doubts, please feel free to post them.
Cheers
Mike
11-23-2010 11:08 AM
Hi Denis,
Thank you for the reply. I went through the DNS doctoring doc and have two (simple) questions ;-).
1. The example in the doc states: "In this case, the client at 192.168.100.2 wants to use the server.example.com URL to access the WWW server at 10.10.10.10. DNS services for the client are provided by the external DNS server at 172.22.1.161."
In my case the public DNS record for the server (ctrix.test.com) is hosted by an outside DNS, but the internal clients use our internal DNS (with a private IP), and that DNS resolves the name to the public IP. Does DNS doctoring work in this case as well?
2. I do not see DNS inspection enabled at this time (ASA 5510, 7.2(4)), nor do I see any command applied that disables it. What would be the effect of enabling DNS inspection with the same procedure listed in the doc? The config has the setting 'message-length max 512'. It may be the default value, but I just wanted to check that the config does not cause any issues.
TIA
MS
11-23-2010 11:32 AM
Hello
On the static that you have for your server (dmz,outside), use inside instead of outside. The static statement would otherwise be the same. The example shown at the top of the service request was thought out based on a DNS server located in the outside world. In your case the DNS server is on the inside.
Please add the same static that you have for the outside, but put the word inside instead of outside.
Mike.
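The configuration below is an added example pulling the thread's pieces together; it is not part of any post above. It assumes the DMZ interface is named dmz, the server's private address is 10.1.1.10 (the y.y.y.y in Denis's static) and the public address is 70.34.20.X, and it shows both the pre-8.3 syntax the thread uses and the equivalent for 8.3(1) and later, which Perry asked about. One caveat worth stating: the `dns` keyword only rewrites A-record replies that actually pass through the ASA. When the internal clients use an internal DNS server, the reply never crosses the firewall, so the (dmz,inside) static works not by doctoring but by translating the public address to the DMZ address for traffic entering from inside; the usual inside-to-dmz access-list still applies to that traffic.

```cisco
! --- Pre-8.3 (e.g. 7.2(4)), as used in the thread ---
! Outside clients: doctor A-record replies from an external DNS server
! so that outside-to-DMZ traffic is translated and inside clients using
! an outside resolver see the DMZ address. IPs are placeholders.
static (dmz,outside) 70.34.20.X 10.1.1.10 netmask 255.255.255.255 dns
! Inside clients with an internal DNS server that returns 70.34.20.X:
! the reply does not cross the ASA, so instead translate the public
! address to the real address for traffic arriving on the inside interface.
static (dmz,inside) 70.34.20.X 10.1.1.10 netmask 255.255.255.255

! DNS inspection must be on for the dns keyword to do anything.
! This is the default global policy on 7.2; message-length maximum 512
! is the default value and is unrelated to the doctoring itself.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! --- 8.3(1) and later equivalent ---
object network obj-citrix-dmz
 host 10.1.1.10
 nat (dmz,outside) static 70.34.20.X dns
object network obj-citrix-public
 host 70.34.20.X
! Twice NAT: inside hosts sending to 70.34.20.X have the destination
! rewritten to 10.1.1.10 and are forwarded to the dmz interface.
nat (inside,dmz) source static any any destination static obj-citrix-public obj-citrix-dmz

! --- Checks ---
! Confirm DNS inspection is applied and counting packets.
show service-policy inspect dns
! Confirm the translation exists when an inside host connects to the public IP.
show xlate | include 70.34.20
```

Run the two `show` commands after an inside client browses to the public name: the xlate should list the public address mapped to the DMZ host, and the inspect counters should increment only for DNS traffic that actually traverses the ASA (outside resolvers), which is the quickest way to tell which of the two mechanisms is doing the work.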