I followed cisco's DMZ configuration documentation to allow "inside" computer to get to the webserver in a "DMZ". I discovered that when I do this the address gets translated before it hits the webserver (in DMZ). Thus from the webserver you can't tell which "inside" computer it's coming from. The inside computer grabs and IP from a Public IP pool then sends a request to the webserver in the DMZ. Is there any way around this? I'd like to see that the address it's coming is from the "inside".
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
ASA 5500 series (inside to DMZ) 1
- Thread starter dannyyo
- Start date
-
1
- #2
Supergrrover
IS-IT--Management
You can try something like
static (inside,dmz) 172.16.1.0 10.1.1.0 netmask 255.255.255.0
This will translate the inside to the dmz (the network portion will change but the host part will stay the same - inside 10.1.1.35 will come over to the dmz as 172.16.1.35) Just make sure the host portion of the dmz servers isn't used on the inside network.
Or use a syslog server and have it log translations (this is what I use.)
You can also try a nat exemption ACL.
Hope this helps or gets you moving ion the right direction.
Brent
Systems Engineer / Consultant
CCNP, CCSP
static (inside,dmz) 172.16.1.0 10.1.1.0 netmask 255.255.255.0
This will translate the inside to the dmz (the network portion will change but the host part will stay the same - inside 10.1.1.35 will come over to the dmz as 172.16.1.35) Just make sure the host portion of the dmz servers isn't used on the inside network.
Or use a syslog server and have it log translations (this is what I use.)
You can also try a nat exemption ACL.
Hope this helps or gets you moving ion the right direction.
Brent
Systems Engineer / Consultant
CCNP, CCSP
- Thread starter
- #3
I'll give it a try when I'm back to work on Monday. I also have an issue of not being able to access the DMZ webserver using the public IP. I can get to it using the private IP, but not the public IP. However from the outside I can use the public IP to get to it. Any suggestions?
Supergrrover
IS-IT--Management
If it's from the inside you need to use the IP that's mapped to that interface. You can't use the outside IP. If you are trying it through DNS then you can use DNS doctoring. -
Brent
Systems Engineer / Consultant
CCNP, CCSP
Brent
Systems Engineer / Consultant
CCNP, CCSP
- Status
Similar threads
- Locked
- Question