Garrison Botts

Strange issue with FWSM

I have a customer that is using FWSMs. There are four interfaces (inside 100, outside 0, dmz 50, wireless 4).


So to give an example:


1) I connect to the wireless and get an address of 192.168.1.x.  My DNS server is on the dmz and I can resolve addresses and surf the internet.

2) I want to get to a server owned by the customer so I type

3) The DNS gives the external address and the attempt is made.

4) I time out.


If I connect via an external source (like an iPhone using the AT&T network) I connect with no problem; I get the same external address.


Thoughts on what to look at? I've double-checked everything and so far cannot find a good answer.

Dru Goradia

Can we see the access-lists?

Sounds like DNS doctoring is what you're looking for.

Marius Gunnerud

I am assuming that is the webserver IP?

And if you do an nslookup for you get that same public IP?

If that is the case, then that is the problem. You would need to either do DNS doctoring or add another NAT statement.

DNS doctoring is done by just adding the keyword dns to the end of the relevant NAT statement:

! one-to-one host static, so the mask is 255.255.255.255; 'dns' enables DNS doctoring for this translation
static (web_dmz,OUTSIDE) 20X.XXX.XX.76 172.16.XXX.76 netmask 255.255.255.255 dns

the other option would be to translate the public IP which is ingress on the inside interface to the private IP which is egress on the DMZ interface.  Something like the following:

! syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip: the dmz host is the real side and the public address is what inside sees
static (web_dmz,inside) 20X.XXX.XX.76 172.16.XXX.76 netmask 255.255.255.255

I suggest trying the DNS doctoring option first, and then the second option if it doesn't work.


Please remember to select a correct answer and rate helpful posts
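The two fixes above, written out as an added configuration example for the original poster's topology (wireless security 4, dmz 50, outside 0); this is not configuration from the thread or from Cisco. The interface names come from the first post, the addresses are assumed placeholders (203.0.113.76 for the public address, 172.16.10.76 for the server's dmz address, 192.168.1.0/24 for the wireless clients), and the access-list name wireless_in is made up for the example.

```cisco
! Added example, not from the thread. Pre-8.3 static syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
! Assumed placeholder addresses:
!   203.0.113.76 = public address of the server (the address DNS hands out)
!   172.16.10.76 = the server's real address on the dmz interface

! Option 1: DNS doctoring. The existing outside static gets the dns keyword,
! so DNS inspection rewrites an A record of 203.0.113.76 to 172.16.10.76 in
! replies that cross the module, and the wireless client connects straight
! to the private address.
static (dmz,outside) 203.0.113.76 172.16.10.76 netmask 255.255.255.255 dns

! The rewrite only happens if DNS inspection is applied to the traffic;
! check that 'inspect dns' is present in the active service policy.
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global

! Option 2 (instead of the dns keyword): destination NAT between dmz and
! wireless. The dmz server is presented to the wireless side under its
! public address, so wireless -> 203.0.113.76 is untranslated to
! 172.16.10.76 when it is forwarded out the dmz interface.
static (dmz,wireless) 203.0.113.76 172.16.10.76 netmask 255.255.255.255

! wireless (4) is lower security than dmz (50), so the flow also needs an
! access-list on the wireless interface. With option 1 the destination is
! the private address the client now resolves; with option 2 it is the
! public address, because the ACL matches addresses as seen on the
! interface where it is applied.
access-list wireless_in extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.10.76 eq www
access-list wireless_in extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.76 eq www
access-group wireless_in in interface wireless
```

After applying either option, an nslookup from a wireless client shows which address the client is now being handed (the private one with option 1, still the public one with option 2), and `show xlate` on the module shows whether a translation is being built for the connection attempt.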