https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162109#M359168 <HTML><HEAD></HEAD><BODY><P>Do you want to access the DMZ3 server by using its public or private IP?</P><P></P><P>In case it's the first one, try to add the "<STRONG>dns</STRONG>" keywork at the end of the static translation for that server to the outside, it'll enable the DNS doctoring feature.</P><P></P><P>In case you want to access the server using its private IP from the internal clients, you can configure a self-translation rule.</P><P></P><P>Something like this:</P><P></P><P><STRONG>static(LAB,DMZ3)</STRONG> <SERVER> <SERVER></SERVER></SERVER></P></BODY></HTML> Mon, 01 Apr 2013 16:52:50 GMT jocamare 2013-04-01T16:52:50Z https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162108#M359167 <P>I have a PIX 515e running version 7.2(4).</P><P></P><P>I have 2 interfaces - DMZ3 (sec lvl 50) and LAB (sec lvl 100) behind the pix. There is also the OUTSIDE interface (sec lvl 0) which connects to the internet.</P><P>In DMZ3 I have a webserver - x.x.124.217/24 (host is NATed via static command to public IP)</P><P>In LAB I have a server - x.x.1.203/24 (entire range is NATed via NAT/Global statements to public IP)</P><P></P><P>The server in LAB needs to access a webserver in DMZ3. From the internet both of these hosts have public addresses that are NATed into the inside addresses. I can reach the webserver from the internet, but not from the LAB interface.</P><P></P><P>I think I have to add a static command so that the LAB host can access the DMZ3 host without accessing the internet.</P><P></P><P>Any assistance would be appriciated.</P> Tue, 12 Mar 2019 01:22:07 GMT https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162108#M359167 dgeorgeadis 2019-03-12T01:22:07Z https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162109#M359168 <HTML><HEAD></HEAD><BODY><P>Do you want to access the DMZ3 server by using its public or private IP?</P><P></P><P>In case it's the first one, try to add the "<STRONG>dns</STRONG>" keywork at the end of the static translation for that server to the outside, it'll enable the DNS doctoring feature.</P><P></P><P>In case you want to access the server using its private IP from the internal clients, you can configure a self-translation rule.</P><P></P><P>Something like this:</P><P></P><P><STRONG>static(LAB,DMZ3)</STRONG> <SERVER> <SERVER></SERVER></SERVER></P></BODY></HTML> Mon, 01 Apr 2013 16:52:50 GMT https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162109#M359168 jocamare 2013-04-01T16:52:50Z https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162110#M359169 <HTML><HEAD></HEAD><BODY><P>I tried this and so far no luck:</P><P></P><P>static (LAB,DMZ3) x.x.1.203 x.x.1.203 netmask 255.255.255.255 dns</P><P></P><P>I can see in the PIX log:</P><P></P><P>Apr 01 2013 14:10:07: %PIX-6-302013: Built outbound TCP connection 96258 for outside:x.x.196.217/443 (x.x.196.217/443) to LAB:x.x.1.203/49314 (x.x.196.222/1032)</P><P></P><P>Where <SPAN style="font-size: 10pt;">x.x.196.217 = the static NATed address of the web server and </SPAN><SPAN style="font-size: 10pt;">x.x.196.222 = the global NATed address of x.x.1.203</SPAN></P><P></P><P>IP addresses appear to get translated correctly and I can see the ACLs are incrementing when I attempt to connect but I don't think it is getting through the PIX.</P></BODY></HTML> Mon, 01 Apr 2013 19:17:57 GMT https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162110#M359169 dgeorgeadis 2013-04-01T19:17:57Z https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162111#M359170 <HTML><HEAD></HEAD><BODY><P>Apologies for the late reply.</P><P></P><P>Can you please be very specific on how you want to access the server and from where.</P><P>Once that is clarified, the answer will be easy to get. </P></BODY></HTML> Wed, 03 Apr 2013 00:04:56 GMT https://community.cisco.com/t5/network-security/accessing-a-node-on-the-dmz-from-an-inside-interface-on-the-same/m-p/2162111#M359170 jocamare 2013-04-03T00:04:56Z