https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240891#M611504 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>nat (inside) 0 will only allow you for one way communication i.e. from inside-&gt; DMZ.</P><P></P><P>with static (in,out) xxx xxx you can have bi directional communication.</P><P></P><P>Regards,</P><P>Nadeem</P></BODY></HTML> Mon, 20 Oct 2003 04:49:52 GMT nkhawaja 2003-10-20T04:49:52Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240888#M611494 <P>Hi.</P><P></P><P>I have two PC, one located in a DMZ and other in the inside network. Both must communicate bidirectionally across specific ports, but I want to disable NAT between them since I am handling an administrative application and it does not work with NAT. The DMZ and the inside network, it has different IP addressing Scheme.</P><P></P><P>Thanks in advance.</P><P></P><P>R.@.M.</P><P></P> Fri, 21 Feb 2020 07:03:05 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240888#M611494 ramiro 2020-02-21T07:03:05Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240889#M611496 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P> You probably want to try</P><P>static (inside,dmz) x.x.x.x x.x.x.x netmask 255.255.255.255</P><P>where x.x.x.x is ip address for pc on inside.</P><P>assume y.y.y.y is the ip for pc on dmz, </P><P>there is no problem from x.x.x.x to access to y.y.y.y</P><P>but you do need to add the permission for y.y.y.y to access to x.x.x.x ( access list or conduit ).</P><P></P><P>I hope this will help.</P><P></P><P>Tony</P></BODY></HTML> Mon, 20 Oct 2003 04:15:58 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240889#M611496 tohuang 2003-10-20T04:15:58Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240890#M611500 <HTML><HEAD></HEAD><BODY><P>Hi Tony. Thanks for your response.</P><P></P><P>Then I do not need to configure " nat (inside 0) "?.</P><P></P><P>Thanks again.</P><P></P><P>R.@.M.</P></BODY></HTML> Mon, 20 Oct 2003 04:34:12 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240890#M611500 ramiro 2003-10-20T04:34:12Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240891#M611504 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>nat (inside) 0 will only allow you for one way communication i.e. from inside-&gt; DMZ.</P><P></P><P>with static (in,out) xxx xxx you can have bi directional communication.</P><P></P><P>Regards,</P><P>Nadeem</P></BODY></HTML> Mon, 20 Oct 2003 04:49:52 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240891#M611504 nkhawaja 2003-10-20T04:49:52Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240892#M611506 <HTML><HEAD></HEAD><BODY><P>Ok, I understand. then I might do this:</P><P></P><P>static (inside,dmz) 192.168.2.11 192.168.2.11 netmask 255.255.255.255</P><P></P><P>Access-list dmz permit tcp host 172.31.4.20 host 192.168.2.11 eq <SERVICE></SERVICE></P><P></P><P>that's right?</P><P></P><P>R.@.M.</P><P></P></BODY></HTML> Mon, 20 Oct 2003 05:09:15 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240892#M611506 ramiro 2003-10-20T05:09:15Z https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240893#M611507 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P> Yes, that is correct. However, you pretty much have to apply this list to dmz interface. Remember that, there is always " deny ip any any " at the end of every access list.</P><P>which will deny the traffic going from dmz to outside. You want to be careful about this. </P><P> If you are not using PDM, since this is non-routable address, you can also use conduit statement. </P><P>I hope this helps.</P><P></P><P>Thanks</P><P></P><P>Tony</P></BODY></HTML> Tue, 21 Oct 2003 05:13:38 GMT https://community.cisco.com/t5/network-security/pix-configuration-inside-dmz-without-nat/m-p/240893#M611507 tohuang 2003-10-21T05:13:38Z