Cisco ASA Hairpinning with Dynamic IP

Tags: cisco, cisco-asa, dynamic-ip, nat

I currently have my Cisco ASA 5505 firewall configured to forward port 80 from the outside interface to a host on my dmz interface. I also need to allow clients on my inside interface to access the host in the dmz by entering the public IP / DNS record in their browsers. I was able to do that by following the instructions here, resulting in the following configuration:

static (dmz,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 
static (dmz,inside) tcp 74.125.45.100 www 192.168.1.5 www netmask 255.255.255.255 

(Where 74.125.45.100 is my public IP and 192.168.1.5 is the IP of the dmz host)

This works great except for the fact that my network has a dynamic public IP and this configuration will therefore break as soon as my public IP changes. Is there a way to do what I want with a dynamic IP?

Note: Adding an internal DNS record won't solve my problem since I have multiple dmz hosts mapped to different ports on the public IP.
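The breakage the question describes is a config-drift problem: the (dmz,inside) statics pin the public address, so they go stale the moment the ISP hands out a new one, while the (dmz,outside) statics that use the interface keyword keep working. The following is an added example, not the original poster's code or any Cisco tooling: it parses the pre-8.3 static PAT lines in the form shown above, flags every entry whose hard-coded mapped address no longer matches the live public IP, and renders replacement lines. The sample config and the new address 198.51.100.23 are constructed; the second DMZ host on port 8443 is an assumption added to reflect the "multiple dmz hosts on different ports" note.

```python
import re

# Matches the pre-8.3 ASA static PAT form used in the question, e.g.
#   static (dmz,inside) tcp 74.125.45.100 www 192.168.1.5 www netmask 255.255.255.255
# ASA order is (real_ifc,mapped_ifc); the mapped address is either the literal
# "interface" (tracks the outside address) or a fixed IP (the inside hairpin).
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real>\d+\.\d+\.\d+\.\d+)\s+(?P<real_port>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def parse_statics(config_text):
    """Return one dict per static PAT line found in the running config text."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def stale_hairpins(config_text, current_public_ip):
    """Entries whose hard-coded mapped address no longer equals the live public IP."""
    stale = []
    for e in parse_statics(config_text):
        if e["mapped"] == "interface":
            continue  # follows the outside interface address automatically, never stale
        if e["mapped"] != current_public_ip:
            stale.append(e)
    return stale


def render_hairpins(entries, current_public_ip):
    """Rebuild each entry with the current public address; ports and real host unchanged."""
    return [
        f"static ({e['real_if']},{e['mapped_if']}) {e['proto']} {current_public_ip} "
        f"{e['mapped_port']} {e['real']} {e['real_port']} netmask {e['mask']}"
        for e in entries
    ]


# Constructed sample: the question's two lines plus an assumed second DMZ host on 8443.
SAMPLE_CONFIG = """\
static (dmz,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (dmz,inside) tcp 74.125.45.100 www 192.168.1.5 www netmask 255.255.255.255
static (dmz,outside) tcp interface 8443 192.168.1.6 8443 netmask 255.255.255.255
static (dmz,inside) tcp 74.125.45.100 8443 192.168.1.6 8443 netmask 255.255.255.255
"""

if __name__ == "__main__":
    new_ip = "198.51.100.23"  # constructed: address the ISP assigned after a change
    stale = stale_hairpins(SAMPLE_CONFIG, new_ip)
    for e in stale:
        print(f"stale: {e['mapped']} {e['mapped_port']} -> {e['real']} {e['real_port']}")
    for line in render_hairpins(stale, new_ip):
        print(line)
```

Feed it the output of "show running-config static" together with the address currently on the outside interface; an empty result means the hairpin entries are in sync, and a non-empty one lists exactly the lines that need to be re-entered after the change.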

Best Answer

I'm wondering why the clients behind the inside interface have to enter the public IP; wouldn't it be easier for them to use the private IP of the DMZ host? Then you could make a normal NAT, e.g.

static (dmz,inside) tcp (Inside IP Range) www 192.168.1.5 www netmask 255.255.255.255

As far as I get it, the problem in your case is that when a client makes a DNS request, the DNS server on the internet gives it back the current outside IP address of the ASA. After that the client tries to connect to that IP, so a packet is sent to the outside interface and has to return to the DMZ interface.

Cisco firewalls have one problem: by default they never send a packet out of the same interface it came in on. Cisco solved that with the 7.2 release with the following CLI command:

ASA(config)# same-security-traffic permit intra-interface

So as far as I understand, you bypassed exactly that behavior by adding the second static NAT. In my opinion, if you remove the second NAT entry and activate the same-security-traffic option, it should work.

But I would strongly suggest that you buy a public IP :-)