can't reach internal secure site that is on our DMZ

cisco_kid2008cisco_kid2008 Member Posts: 14 ■□□□□□□□□□
Ok not sure if this can be done. We have a server that is on the web for hotel reservations. It has dual nics. One nic on our internal network and one nic connected to our DMZ. The site is a secure site. When we try to get to the site https://secure.website.com we get page cannot be displayed. I would assume this is because someone clicks on the link and it goes to that external ip then back in through our asa so essentially it is going out and back in and the ASA does not like that. In our main router there is no route to the DMZ. I can setup a DNS entry that sets external requests to that ip address to go to the internal address but i can't get it to work with the secure link. WE can get to the non secure link but not secure. Is there any way i can accomplish this with a dns entry or possibly though the ASA

Comments

  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Try DNS Doctoring on the ASA
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

    Not sure how it will affect acceptance of the HTTPS certificate though but worth a try, I *think* it'll be okay since your clients will see the Server as it's pub fqdn but be redirected transparently by the ASA to the private ip.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • cisco_kid2008cisco_kid2008 Member Posts: 14 ■□□□□□□□□□
    We currently use our internal DNS servers first and then go out to external dns servers for external sites. Will dns doctoring work for this. From what i have been reading the dns servers have to be external
  • cisco_kid2008cisco_kid2008 Member Posts: 14 ■□□□□□□□□□
    I tried this today and am getting this error. %ASA-3-305006: portmap translation creation failed for tcp sr. In cisco's documentation they state to map a static nat for inside users to the DMZ is this correct.
  • NetstudentNetstudent Member Posts: 1,694
    For internal hosts to access your DMZ, try adding a static NAT that keeps the internal address as is. For example, if your hosts are coming from 192.168.1.0/24 then create a inside to DMZ static nat that translates 192.168.1.0/24 to 192.168.1.0/24. If the dns lookup is returning an external address to internal hosts, then as Ahriakin stated, you may need to enable the DNS rewrite option so that the A-record can get rewritten if the lookup passes through the ASA. But i think a static NAT will get you successful results.

    static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    So yes the Cisco documentation is correct.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Sign In or Register to comment.