https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628940#M1031769 <HTML><HEAD></HEAD><BODY><P>With the static you have in place, your routing the IP, not translating it. Since the server has an IP of 172.25.1.1, you'll need a different translation.</P><P></P><P>static (dmz1,outside) 82.7.58.234 172.25.1.1 netmask 255.255.255.255 </P><P></P><P>HTH and please rate.</P></BODY></HTML> Mon, 15 Jan 2007 22:20:38 GMT Collin Clark 2007-01-15T22:20:38Z https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628939#M1031768 <P></P><P>I would be grateful if anyone can enlighten me with regards to placing a server with a public IP within a DMZ on a PIX.</P><P></P><P>I am relatively familar with static translations, those mapping public IPs to internal hosts but I have never had a host within a DMZ with a public IP.</P><P></P><P>I used the command;</P><P></P><P>static (dmz1,outside) 82.7.58.234 82.7.56.234 netmask 255.255.255.255</P><P></P><P>combined with an ACL on the outside interface to allow connections in.</P><P></P><P>However after doing this the server does not seem reachable. The DMZ interface IP is 172.25.1.1 and I am scratching my head as to whether it is routing.</P><P></P><P>I was expecting the PIX to have the intelligence to know that the server was on the DMZ due to the static statement and just map straight to it - maybe I am wrong??</P><P></P><P>Is there anything else I need to add ? Do I need to 'nat (dmz1) 0 82.7.58.234' ?</P><P></P> Mon, 11 Mar 2019 09:19:40 GMT https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628939#M1031768 Purist1972 2019-03-11T09:19:40Z https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628940#M1031769 <HTML><HEAD></HEAD><BODY><P>With the static you have in place, your routing the IP, not translating it. Since the server has an IP of 172.25.1.1, you'll need a different translation.</P><P></P><P>static (dmz1,outside) 82.7.58.234 172.25.1.1 netmask 255.255.255.255 </P><P></P><P>HTH and please rate.</P></BODY></HTML> Mon, 15 Jan 2007 22:20:38 GMT https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628940#M1031769 Collin Clark 2007-01-15T22:20:38Z https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628941#M1031770 <HTML><HEAD></HEAD><BODY><P>So I am unclear here. Are you trying to static a public address to another public address? </P><P></P><P>In my experience, I would put the host on the DMZ network (say 172.25.1.100) and then static to that (ie. static (dmz1,outside) 82.7.58.234 172.25.1.100 netmask 255.255.255.255 ) then you could do nat (dmz1) 1 0.0.0.0 0.0.0.0 </P><P></P><P>Hope this helps,</P><P>Brandon</P></BODY></HTML> Mon, 15 Jan 2007 22:26:51 GMT https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628941#M1031770 gecko2207 2007-01-15T22:26:51Z https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628942#M1031771 <HTML><HEAD></HEAD><BODY><P>Donald,</P><P></P><P>You need to do something like Brandon suggested above. Firewall aside, you can't have a device on a subnet that's different from the gateway's (fw) subnet as they can't talk to each other. Hence, your server can't be on a public NET while the DMZ subnet, the server physically resides on, is on a private NET as it would break IP communication between the firewall and the server.</P><P></P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Mon, 15 Jan 2007 22:49:44 GMT https://community.cisco.com/t5/network-security/host-on-dmz-with-public-ip-advice-please/m-p/628942#M1031771 sundar.palaniappan 2007-01-15T22:49:44Z