
Accessing websites in DMZ from inside


themikehyde (IS-IT--Management), Feb 20, 2003
Hello,
The webservers in my DMZ are accessible from the outside by their registered domain names or their IP address. However, from inside, I can only access them via their private IP addresses. These systems should be accessible from inside by their domain names, right?

Thanks,
Mike
 
You should have two DNS servers - one for public addies, one for private addies. That'll allow what you need.

Otherwise, if in an MS environment you could go the lmhosts route but it's a real pain.

Also you could use WINS if not using ADS.

"If you lived here, you'd be home by now!"
George Carlin
 
It appears you have an issue in how your clients resolve DNS. Do they point at a DNS server inside or outside of your network? I assume an "nslookup [some dmz server]" doesn't work, but all other internet sites do?

Following up to what haknwak said, is your environment Microsoft clients, NT, 2000, etc?
 
Thanks,
Currently all the clients are pointing to a DNS server outside, although I do have a DNS server running inside.
The testing network that I am using is currently all MS Win2K systems.

Here is an updated config.

PIX515E# sh configure
: Saved
: Written by enable_15 at 14:45:07.905 UTC Thu Feb 27 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 dmz1 security10
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
hostname PIX515E
domain-name maxuse.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 63.105.159.230 eq www
access-list acl_out permit tcp any host 63.105.159.210 eq www
access-list acl_dmz1 permit icmp any any
access-list acl_dmz1 permit tcp host 63.105.159.230 any eq www
access-list acl_dmz1 permit tcp host 63.105.159.210 any eq www
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu dmz1 1500
ip address outside 63.105.159.250 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address dmz1 192.169.1.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address dmz1 0.0.0.0
pdm location 192.169.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.51 255.255.255.255 inside
pdm location 192.169.1.4 255.255.255.255 dmz1
pdm location 192.169.1.5 255.255.255.255 dmz1
pdm location 63.105.159.210 255.255.255.255 dmz1
pdm location 63.105.159.230 255.255.255.255 dmz1
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz1,outside) 63.105.159.230 192.169.1.4 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.105.159.210 192.169.1.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 63.105.159.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 168.192.1.20 ciscorocks timeout 5
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.51 255.255.255.255 inside
http 192.168.1.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.50-192.168.1.254 inside
dhcpd dns 198.6.1.1 198.6.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
Hi.

> Currently all the clients are pointing to a DNS Server outside, although I do have A DNS server running inside.
The testing network that I am using is currently all MS Win2K systems.

So you should point all internal workstations to the internal DNS server (this is anyway required for W2K proper operation in the network) and add a HOST (A) record in the internal DNS server that will map your web site FQDN to the internal IP address.

Bye
Yizhar Hurwitz
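The split-DNS fix described in the replies above (internal clients use the internal DNS server, which answers the public name with the DMZ host's real address), as an added worked example that is not from the thread or from any of the posters. It takes the two `static (dmz1,outside)` lines exactly as they appear in the posted PIX config and a constructed public zone (the hostnames and the `example.com` origin are assumptions; the thread only gives addresses), derives the A records the inside DNS server needs, renders them as a zone-file fragment, and checks that every static-backed name now resolves to an address on one of the firewall's connected networks while names hosted elsewhere keep their public address.

```python
"""Derive internal (split-horizon) DNS records from PIX static NAT statements.

Added example, not code from the Tek-Tips thread. The static lines below are
copied from the posted PIX 6.2 config; the hostnames and zone are constructed.
"""
import ipaddress
import re

# Copied from the posted config: public (mapped) address -> DMZ (real) address.
PIX_STATICS = """\
static (dmz1,outside) 63.105.159.230 192.169.1.4 netmask 255.255.255.255 0 0
static (dmz1,outside) 63.105.159.210 192.169.1.5 netmask 255.255.255.255 0 0
"""

# Constructed public zone. The thread never names the web servers, so these
# names are assumptions; mx.example.com stands for a host not behind the PIX.
PUBLIC_ZONE = {
    "www.example.com": "63.105.159.230",
    "shop.example.com": "63.105.159.210",
    "mx.example.com": "198.51.100.25",
}

# PIX syntax: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(config, real_if="dmz1", mapped_if="outside"):
    """Return {public_ip: private_ip} for one-to-one statics between the given interfaces."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["real_if"] == real_if and m["mapped_if"] == mapped_if:
            statics[m["mapped"]] = m["real"]
    return statics


def build_internal_zone(public_zone, statics):
    """A records for the inside DNS server.

    A name whose public address is a PIX static gets the DMZ host's real
    address; every other name keeps its public address, because the internal
    server must answer for the whole domain, not only for the DMZ hosts.
    """
    return {name: statics.get(addr, addr) for name, addr in public_zone.items()}


def zone_file(records, origin, ttl=300):
    """Render records as a minimal BIND-style zone fragment with relative names."""
    lines = [f"$ORIGIN {origin}.", f"$TTL {ttl}"]
    for name in sorted(records):
        rel = name[: -len(origin) - 1] if name.endswith("." + origin) else name + "."
        lines.append(f"{rel:<8} IN A {records[name]}")
    return "\n".join(lines)


def check_split(public_zone, internal_zone, statics, connected_nets):
    """Sanity checks on the internal zone; returns a list of problem strings.

    A static-backed name must resolve internally to an address on a network
    the firewall is directly connected to (otherwise inside clients would still
    be sent toward the outside interface); any other name must be unchanged.
    """
    nets = [ipaddress.ip_network(n) for n in connected_nets]
    problems = []
    for name, pub in public_zone.items():
        internal = internal_zone.get(name)
        if internal is None:
            problems.append(f"{name}: missing from internal zone")
        elif pub in statics and not any(ipaddress.ip_address(internal) in n for n in nets):
            problems.append(f"{name}: internal answer {internal} is not on a connected network")
        elif pub not in statics and internal != pub:
            problems.append(f"{name}: internal answer {internal} differs from public {pub}")
    return problems


if __name__ == "__main__":
    statics = parse_statics(PIX_STATICS)
    internal = build_internal_zone(PUBLIC_ZONE, statics)
    print(zone_file(internal, "example.com"))
    # Connected networks from the posted config: inside /24 and dmz1 /28.
    for problem in check_split(PUBLIC_ZONE, internal, statics, ["192.168.1.0/24", "192.169.1.0/28"]):
        print("PROBLEM:", problem)
```

Running it prints `www IN A 192.169.1.4` and `shop IN A 192.169.1.5` with `mx` unchanged, and no problems; feeding the public zone back in as the "internal" zone reports both web names as still pointing off-network, which is exactly the symptom in the original question. Note that the check tests against the firewall's connected networks rather than for RFC 1918 space: the DMZ subnet in the posted config, 192.169.1.0/28, is not private address space (192.168.0.0/16 is), so a private-address test would wrongly flag it.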
 