inside users can NOT access webserver on DMZ using fqdn/global address

ddiggelen · ‎10-09-2003

Users on inside fail to access the webserver on DMZ when using FQDN or global address(195.193.x.y).

They can access their own webserver by giving the dmz ip address (192.168.1.98), but not by giving the corresponding global address or the fqdn.

Obviously inside people want to access their own webpage by browsing to www.abcdxxxx.nl)

Should this work ? And if so, how ?

mostiguy · ‎10-09-2003

No, it shouldn't work.

Do you have an internal DNS server for your users? You could create an entry there for that domain, with the RFC 1918 ip addresses. You wouldn't want that DNS server to sereve up records for external users though

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1083304

The alias command might provide additional options, depending on your topology

patrick.cannon · ‎10-13-2003

If your internal users ping the website (www.website.com) does it return the internal or external IP address?

I have a similiar situation. I manage it with an internal dns server.

nkhawaja · ‎10-13-2003

Hi,

If you have DNS Server on the outside, you could use alias/destination NAT feature on PIX.

http://www.cisco.com/warp/public/110/alias.html

Thanks

Nadeem

ddiggelen · ‎10-15-2003

Hello Patrick,

Initially we didn't have an internal DNS server, but used ISPs one.

So users on inside got returned global public address. But website on DMZ was from inside (nor from DMZ) not reachable. In the meantime we have installed a local caching dns server. Now it does what it needs to do.

I am just a bit surprised. Couldn't find any document on CCO saying that internal users can only reach their own website using fqdn by also having dns installed. Thanks.