can't reach internal secure site that is on our DMZ

cisco_kid2008

Ok not sure if this can be done. We have a server that is on the web for hotel reservations. It has dual nics. One nic on our internal network and one nic connected to our DMZ. The site is a secure site. When we try to get to the site https://secure.website.com we get page cannot be displayed. I would assume this is because someone clicks on the link and it goes to that external ip then back in through our asa so essentially it is going out and back in and the ASA does not like that. In our main router there is no route to the DMZ. I can setup a DNS entry that sets external requests to that ip address to go to the internal address but i can't get it to work with the secure link. WE can get to the non secure link but not secure. Is there any way i can accomplish this with a dns entry or possibly though the ASA

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Ahriakin

Try DNS Doctoring on the ASA
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Not sure how it will affect acceptance of the HTTPS certificate though but worth a try, I *think* it'll be okay since your clients will see the Server as it's pub fqdn but be redirected transparently by the ASA to the private ip.

cisco_kid2008

We currently use our internal DNS servers first and then go out to external dns servers for external sites. Will dns doctoring work for this. From what i have been reading the dns servers have to be external

cisco_kid2008

I tried this today and am getting this error. %ASA-3-305006: portmap translation creation failed for tcp sr. In cisco's documentation they state to map a static nat for inside users to the DMZ is this correct.

Netstudent

For internal hosts to access your DMZ, try adding a static NAT that keeps the internal address as is. For example, if your hosts are coming from 192.168.1.0/24 then create a inside to DMZ static nat that translates 192.168.1.0/24 to 192.168.1.0/24. If the dns lookup is returning an external address to internal hosts, then as Ahriakin stated, you may need to enable the DNS rewrite option so that the A-record can get rewritten if the lookup passes through the ASA. But i think a static NAT will get you successful results.

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

So yes the Cisco documentation is correct.