https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956953#M435775 <P>I have a setup like this (not real addresses--just testing here)</P><P></P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 12.200.200.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.100.1.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 12.2.200.1 255.255.255.0</P><P></P><P>Now internal clients access the dmz, and machines in the dmz access the internal clients. Therefore, we have access-lists like this:</P><P></P><P>access-list dmz extended permit tcp host 12.2.200.10 host 10.100.1.9 eq 7205</P><P></P><P>but the internal host is also being natted to an address within the dmz, like this:</P><P></P><P>static (inside,dmz) 12.2.200.101 10.100.1.9 netmask 255.255.255.255 </P><P></P><P>So how is the host on the dmz (12.2.200.10) accessing the internal host (10.100.1.9) using its private address? I thought ingress access lists always need to point to the public (global) address, not the private (that is the purpose).</P><P></P><P>It is working, I just don't know how</P> Mon, 11 Mar 2019 23:11:55 GMT Colin Higgins 2019-03-11T23:11:55Z https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956953#M435775 <P>I have a setup like this (not real addresses--just testing here)</P><P></P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 12.200.200.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.100.1.1 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 12.2.200.1 255.255.255.0</P><P></P><P>Now internal clients access the dmz, and machines in the dmz access the internal clients. Therefore, we have access-lists like this:</P><P></P><P>access-list dmz extended permit tcp host 12.2.200.10 host 10.100.1.9 eq 7205</P><P></P><P>but the internal host is also being natted to an address within the dmz, like this:</P><P></P><P>static (inside,dmz) 12.2.200.101 10.100.1.9 netmask 255.255.255.255 </P><P></P><P>So how is the host on the dmz (12.2.200.10) accessing the internal host (10.100.1.9) using its private address? I thought ingress access lists always need to point to the public (global) address, not the private (that is the purpose).</P><P></P><P>It is working, I just don't know how</P> Mon, 11 Mar 2019 23:11:55 GMT https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956953#M435775 Colin Higgins 2019-03-11T23:11:55Z https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956954#M435776 <HTML><HEAD></HEAD><BODY><P>HI Colin,</P><P></P><P>The static statementy that you have is always for bi-dircetional traffic, which means it is both for the traffic initiated from inside to dmz and for dmz to inside, that's y you are abe to ping both ways. The private ip is staticay now binded to your public ip, so no matter which te tarffic is intiated, it would always be binded to that public ip.</P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Fri, 25 May 2012 19:06:58 GMT https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956954#M435776 varrao 2012-05-25T19:06:58Z https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956955#M435777 <HTML><HEAD></HEAD><BODY><P>Varun:</P><P></P><P>Teachnically speaking, shouldn't the host on the dmz (12.2.200.10) only see the internal host (10.100.1.9) at its natted address (12.2.200.101)?</P><P></P><P>Ther is also a general NAT statement</P><P></P><P>static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 </P><P></P><P>So if the dmz host 12.2.200.10 tries to open a session on port 7205 to inside host 10.100.1.9, it will use the general NAT</P><P></P><P>but if the inside host has a static NAT to a dmz address to 12.2.200.101, the access list will have to reference that public address, and the general NAT will not be used yes?</P><P></P><DIV id="ynano_hooks_page" style="display: none;"><DIV id="callsToClient_page" style="display: none;"> </DIV><DIV id="eventsFromClient_page" style="display: none;"> </DIV></DIV><DIV id="ynano_hooks_page" style="display: none;"><DIV id="callsToClient_page" style="display: none;"> </DIV><DIV id="eventsFromClient_page" style="display: none;"> </DIV></DIV></BODY></HTML> Fri, 25 May 2012 19:21:28 GMT https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956955#M435777 Colin Higgins 2012-05-25T19:21:28Z https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956956#M435778 <HTML><HEAD></HEAD><BODY><P>No, The order of operation of your statics would be top to bottom, when the inside host access teh dmz, it doesnt need an ACL since higher to lower is alowed by default, then next it would check the static and if your general static is above the specific nat, then always general would be hit and packets would go on real ip's.</P><P></P><P>May be I am wrong in assuming, but if you can share the output of:</P><P></P><P>show run static</P><P>show run nat</P><P>show run global</P><P>show run access-list</P><P></P><P></P><P>It should be clear.</P><P></P><P></P><P>Another very good tool to verify "packet-tracer"</P><P></P><P>packet-tracer input inside tcp 10.100.1.9 23456 12.2.200.10 7205 detailed.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Fri, 25 May 2012 19:51:41 GMT https://community.cisco.com/t5/network-security/dmz-nat-question/m-p/1956956#M435778 varrao 2012-05-25T19:51:41Z