https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157118#M605946 <HTML><HEAD></HEAD><BODY><P>Hi Minul.</P><P></P><P>I have the problem to configure access from the whole dmz to (a subnet in) the inside and viceversa. </P><P></P><P>For dmz to inside connection, I understand from your reply that I need :</P><P>static (inside, dmz) 10.1.1.0 10.1.1.0 + access-list 102. </P><P></P><P>But what about inside to dmz connections? Do you mean that I need a simple</P><P>nat (inside) 0 access-list in-to-dmz </P><P>or that I need nothing else at all?</P><P></P><P>Thank you very much!</P><P>Michele </P></BODY></HTML> Thu, 15 May 2003 07:15:24 GMT m.laporta 2003-05-15T07:15:24Z https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157116#M605944 <P>Hi,</P><P></P><P>I have a cisco 520 pix firewall and have the inside, outside and dmz working well. The INSIDE was addded recently and now, I want the inside and dmz zones to communicate with each other. IS this possible. If then how?</P><P>can anyone help me out with some links or their own solutions?</P><P></P><P>thanks in advance.</P><P></P><P>Ramesh</P> Fri, 21 Feb 2020 06:44:36 GMT https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157116#M605944 ramesh.krishnan 2020-02-21T06:44:36Z https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157117#M605945 <HTML><HEAD></HEAD><BODY><P>Ramesh,</P><P>Yes, this will definitely work. For simplicity purpose lets have an example:</P><P></P><P>Inside : 10.1.1.0/24 network inside interface of pix: 10.1.1.1</P><P>dmz: 172.16.171.0/24 network dmz interface of pix: 172.16.171.1</P><P></P><P>For connection from inside to dmz: </P><P></P><P>nat (inside) 1 10.1.1.0</P><P>global (dmz) 1 interface</P><P></P><P>If you have acl appalied on inside interface, pl. make sure to allow the traffic from iunside to dmz. Also, if you have an existing nat for the outside, then you may apply the same nat to the dmz interface.</P><P></P><P>For connection from dmz to inside:</P><P></P><P>static (inside, dmz) 10.1.1.50 10.1.1.50 (lets say web server has ip 10.1.1.50)</P><P></P><P>access-list 102 permit tcp any host 10.1.1.50 permit 80</P><P></P><P>access-group dmz in</P><P></P><P>Note: if you want to allow the communication from dmz to inside, the whole network then you can define " static (inside, dmz) 10.1.1.0 10.1.1.0), in that case, you will not need the nat/global for the inside to outside communication.</P><P></P><P>I hope this helps ! Thanks,</P><P></P><P>Mynul </P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Wed, 14 May 2003 18:51:23 GMT https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157117#M605945 mhoda 2003-05-14T18:51:23Z https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157118#M605946 <HTML><HEAD></HEAD><BODY><P>Hi Minul.</P><P></P><P>I have the problem to configure access from the whole dmz to (a subnet in) the inside and viceversa. </P><P></P><P>For dmz to inside connection, I understand from your reply that I need :</P><P>static (inside, dmz) 10.1.1.0 10.1.1.0 + access-list 102. </P><P></P><P>But what about inside to dmz connections? Do you mean that I need a simple</P><P>nat (inside) 0 access-list in-to-dmz </P><P>or that I need nothing else at all?</P><P></P><P>Thank you very much!</P><P>Michele </P></BODY></HTML> Thu, 15 May 2003 07:15:24 GMT https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157118#M605946 m.laporta 2003-05-15T07:15:24Z https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157119#M605947 <HTML><HEAD></HEAD><BODY><P>Hi Michele,</P><P></P><P>Once you define static, you will not need anyting else. If you define nat (inside) 0 ACL then, this will superce static and will perform the same job. So, either of this two options will work for you. So, define either static or nat 0 ACL.</P><P></P><P>I hope its clear ! Thanks,</P><P></P><P>Mynul </P></BODY></HTML> Thu, 15 May 2003 20:43:00 GMT https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157119#M605947 mhoda 2003-05-15T20:43:00Z https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157120#M605948 <HTML><HEAD></HEAD><BODY><P>hi Mynul,</P><P></P><P>The same worked. thanks a lot...thanks a 100 times..... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>cheers,</P><P></P><P>Ramesh</P></BODY></HTML> Sun, 18 May 2003 11:40:41 GMT https://community.cisco.com/t5/network-security/pix-inside-dmz-problem/m-p/157120#M605948 ramesh.krishnan 2003-05-18T11:40:41Z