DNS hairpinning

james.bennett1
Level 1

I have 2 interfaces, a DMZ and an Internal.  In the DMZ I have a DNS server that is hosting a zone that points to a server in the Internal.  The DMZ allows no traffic back into the Internal interface.

When DMZ hosts try to resolve the domain, it resolves to a public IP address that is hosted on the firewall, as this is the only way to access the webpage.

The domain is publicly available and also from the Internal interface, just not from the DMZ.  I've read that DNS hairpinning can rewrite the internal IP address on its way back in, but I don't think this will work as nothing can access the internal interface from the DMZ.

How can I get round this?

Any help appreciated

3 Replies

Philip D'Ath
VIP Alumni

What about adding a second NAT from the DMZ to the inside interface, like you have from the outside interface to the inside interface?

Hi Philip,

Would this also require an ACL, or would the NAT be sufficient?  I don't really want to open up the inside network from the DMZ if I can help it.

A better way would be to go out the outside interface then NAT back to the inside from the DMZ...

If you have "sysopt permit-vpn" on (which it is by default), no ACL is needed.  If you have it turned off, so that VPNs require an explicit ACL to allow them, then it is needed.
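What the "second NAT from the DMZ to the inside" suggested above looks like in practice, as an added example that is not from anyone in this thread. The question reads as a Cisco ASA one (sysopt permit-vpn is an ASA/PIX command), so the fragment assumes ASA 8.3 or later NAT syntax and these hypothetical names and addresses: an inside web server at 10.1.1.10 behind an interface named inside, a DMZ interface named dmz, and a public address 203.0.113.10 owned by the firewall. Note that DNS doctoring (the dns keyword on a NAT rule) would not help in this design: the DNS server and the hosts querying it are both in the DMZ, so the replies never cross the firewall and there is nothing for the ASA to rewrite.

```text
! Added example (not from the thread). Assumes Cisco ASA 8.3+ NAT syntax and
! these hypothetical names/addresses: inside server 10.1.1.10 (interface "inside"),
! public address 203.0.113.10, DMZ interface named "dmz".

! Real server address and its public address. The real address is also what the
! ACL below matches on: from 8.3 onward, interface ACLs see the untranslated
! (real) destination, not 203.0.113.10.
object network WEB-REAL
 host 10.1.1.10
object network WEB-PUBLIC
 host 203.0.113.10

! Existing rule: inside <-> outside, publishes the server on the public address.
nat (inside,outside) source static WEB-REAL WEB-PUBLIC

! Second rule, the one suggested in the reply: the same public address as seen
! from the DMZ. A DMZ host resolves the name to 203.0.113.10, connects, and the
! ASA un-NATs that to 10.1.1.10 without the packet going out the outside interface.
nat (inside,dmz) source static WEB-REAL WEB-PUBLIC

! dmz is a lower security level than inside, so DMZ -> inside still needs an
! explicit permit. Open only the web service on this one host; keep every other
! inside destination blocked (adjust 10.1.0.0/16 to your real inside range) and
! leave the DMZ's own Internet access as it was.
access-list DMZ-IN extended permit tcp any object WEB-REAL eq 443
access-list DMZ-IN extended permit tcp any object WEB-REAL eq 80
access-list DMZ-IN extended deny ip any 10.1.0.0 255.255.0.0
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
```

To check it without touching a DMZ host, run packet-tracer from the DMZ side with a DMZ source address of your own (for example: packet-tracer input dmz tcp 172.16.1.20 12345 203.0.113.10 443). The output should show an UN-NAT phase translating 203.0.113.10 to 10.1.1.10 and an ACCESS-LIST phase matching the DMZ-IN permit; a second trace against any other inside address should end in a drop on the deny line, which is the evidence that the inside network itself has not been opened up from the DMZ.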
