I currently have my Cisco ASA 5505 firewall configured to forward port 80 from the outside interface to a host on my dmz interface. I also need to allow clients on my inside interface to access the host in the dmz by entering the public ip / dns record in their browsers. I was able to do that by following the instructions here, resulting in the following configuration:
static (dmz,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (dmz,inside) tcp 74.125.45.100 www 192.168.1.5 www netmask 255.255.255.255
(Where 74.125.45.100 is my public IP and 192.168.1.5 is the IP of the dmz host)
This works great except for the fact that my network has a dynamic public IP and this configuration will therefore break as soon as my public IP changes. Is there a way to do what I want with a dynamic ip?
Note: Adding an internal DNS record won't solve my problem since I have multiple dmz hosts mapped to different ports on the public IP.
I am wondering why the clients behind the inside interface have to enter the public IP; wouldn't it be easier for them to use the private IP of the DMZ host? Then you could make a normal NAT, e.g.
static (dmz,inside) tcp (Inside IP Range) www 192.168.1.5 www netmask 255.255.255.255
As far as I get it, the problem in your case is that when a client makes a DNS request, the DNS server from the internet gives him the current outside IP address of the ASA back. After that the client tries to connect to that IP, so a packet is sent to the outside interface and has to return to the DMZ interface.
Cisco firewalls have one problem: by default they never send a packet out of the same interface they received it on. Cisco solved that since the 7.2 release with the following CLI command:
ASA(config)# same-security-traffic permit intra-interface
So as far as I understand, you bypassed exactly that behavior by adding the second static NAT. In my opinion, if you remove the second NAT entry and activate the same-security-traffic option, it should work.
But I would strongly suggest that you buy a public IP :-)
I think the only answer you're going to get is no.
There is no way an ACL or a NAT statement can account for a changing IP address; it just can't happen.
Actually, you could make it work with internal DNS changes.
Let's say for example you have several services:
Let's say you have example.org pointed using a dynamic DNS provider to your ever-changing public IP address. You can run an internal name server pointing example.org at, say, 192.168.1.254, and use the following:
Then you point your clients at your internal name server and have at it.
The caveat is that for each new service you add, you'll have to set up a static for the inside network and a static for the outside interface, as well as allowing that in the ACLs from both inside and outside. However, when your public IP changes, your traffic will still go where you want it to go.
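As an added illustration of the split-DNS approach in this answer (and of the "normal NAT to a private address" idea from the first answer), here is what the pair of statics and the matching access-list entries could look like on a pre-8.3 ASA. This is not the answer's own configuration, which is not reproduced on the page. Assumptions: interface names outside, inside and dmz; the question's DMZ host 192.168.1.5; a placeholder address 192.168.1.254 that the internal name server hands out for example.org and that is not assigned to any real host or to the inside subnet; access-list names outside_in and inside_in; and a second hypothetical DMZ host 192.168.1.6 to show the per-service cost.

```cisco
! Name resolution (not ASA config, shown for context):
!   public DNS (dynamic DNS provider): example.org A <current public IP>
!   internal DNS (inside clients only): example.org A 192.168.1.254

! Outside clients: whatever the outside interface address is right now -> DMZ host.
! The "interface" keyword tracks the dynamic address, so this never has to change.
static (dmz,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

! Inside clients: stable private placeholder address -> the same DMZ host.
! 192.168.1.254 must be routed to the ASA from the inside, so it must not
! lie in the inside subnet and must not be a real host anywhere.
static (dmz,inside) tcp 192.168.1.254 www 192.168.1.5 www netmask 255.255.255.255

! Pre-8.3 ACLs match the mapped (translated) address, so permit the
! interface address from outside and the placeholder from inside.
access-list outside_in extended permit tcp any interface outside eq www
access-list inside_in extended permit tcp any host 192.168.1.254 eq www
access-group outside_in in interface outside
access-group inside_in in interface inside

! The caveat in practice: every additional service is another pair of statics
! plus ACL lines. Hypothetical second DMZ host 192.168.1.6 serving HTTPS:
static (dmz,outside) tcp interface https 192.168.1.6 https netmask 255.255.255.255
static (dmz,inside) tcp 192.168.1.254 https 192.168.1.6 https netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq https
access-list inside_in extended permit tcp any host 192.168.1.254 eq https
```

Because neither static references the public address literally, a change of public IP affects only the dynamic DNS record, not the firewall; the inside path never touches the public address at all, which is what makes the setup survive the change. The inside_in access-list is only needed if an ACL is already applied inbound on the inside interface; without one, inside-to-dmz traffic is permitted by the security levels.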