I have this situation :
A web server on our DMZ is exposed for external access from ANYWHERE like this:
static (DMZ,outside) 188.8.131.52 192.168.2.4 netmask 255.255.255.255 0 0
access-list DCT permit tcp any host 184.108.40.206 eq www
There is an "A" record (webserver.yyy) on a public DNS for this public IP
This works fine for external users. http://webserver.yyy
Now I have been asked to allowed our LAN user to access the same link and I CANNOT CREATE AN INTERNAL DNS RECORD TO TAKE CARE OF THIS, which means when our internal users access that link, the request goes out of OUTSIDE interface with a NAT overloaded address(220.127.116.11) that is in the same subnet as the URL is trying to resolve. Once it knows the IP address thru DNS resolution tries to comes back in thru the same Interface(OUTSIDE) to hit the web server in the DMZ and is not able to.
1- Where does the request from an internal user to hit url http://webserver.yyy is dropped?
2- what can be done to allow this type of connectivity in the PIX 515e device?
Solved! Go to Solution.
If you are using the external DNS server then this will work;
static (inside,outside) 18.104.22.168 192.168.2.4 dns netmask 255.255.255.255 0 0
Users behind the internal interface will not be able to connect to the public IP. Unless you use the "dns doctoring" as I demonstrated above. Only problem with that is that you MUST be using an external DNS server, not an internal DNS server because the PIX actually changes the dns response to give the client the natted IP address.
Again, this works only if you are using a external DNS server.
I got it to work this way:
static (DMZ,inside) 22.214.171.124 192.168.2.4 netmask 255.255.255.255 0 0
I guess that's what you meant instead of (DMZ, DMZ) which produced this error:
"DMZ 2 has same security level as DMZ 2"
It is working, thanks for the pointer.
I assume it works now, because when the reply from external DNS comes back thru looking for
"126.96.36.199" and when it passes the inside interface, comes translated as "192.168.2.4" and the hosts in the LAN know how to find it thru routing...