topic static NAT device across DMZs in Network Security https://community.cisco.com/t5/network-security/static-nat-device-across-dmzs/m-p/1223990#M876963 <P>I have a new DMZ that we created for a CSS to act as a DNS server.</P><P></P><P>The CSS will need to access several other DMZs for the services to check different servers.</P><P></P><P>All of the existing DMZs are of a higher security level than that of the new DMZ.</P><P>My question is regarding the NATing across the DMZs.</P><P></P><P>Is there a rule of thumb regarding security levels when creating the NATs?</P><P></P><P>For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:</P><P></P><P>New_DMZ device = </P><P>192.168.8.2</P><P>interface security level = 5</P><P></P><P>DMZ1</P><P>192.168.9.5 (server1)</P><P>192.168.9.10 (server2)</P><P>interface 192.168.9.1</P><P>security level = 10</P><P></P><P>DMZ2</P><P>192.168.10.5 (server1)</P><P>192.168.10.10 (server2)</P><P>interface 192.168.10.1</P><P>security level = 11</P><P></P><P>Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around? </P><P></P><P>For example:</P><P></P><P>static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255</P><P>static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255</P><P></P> Mon, 11 Mar 2019 14:44:49 GMT wilson_1234_2 2019-03-11T14:44:49Z static NAT device across DMZs https://community.cisco.com/t5/network-security/static-nat-device-across-dmzs/m-p/1223990#M876963 <P>I have a new DMZ that we created for a CSS to act as a DNS server.</P><P></P><P>The CSS will need to access several other DMZs for the services to check different servers.</P><P></P><P>All of the existing DMZs are of a higher security level than that of the new DMZ.</P><P>My question is regarding the NATing across the DMZs.</P><P></P><P>Is there a rule of thumb regarding security levels when creating the NATs?</P><P></P><P>For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:</P><P></P><P>New_DMZ device = </P><P>192.168.8.2</P><P>interface security level = 5</P><P></P><P>DMZ1</P><P>192.168.9.5 (server1)</P><P>192.168.9.10 (server2)</P><P>interface 192.168.9.1</P><P>security level = 10</P><P></P><P>DMZ2</P><P>192.168.10.5 (server1)</P><P>192.168.10.10 (server2)</P><P>interface 192.168.10.1</P><P>security level = 11</P><P></P><P>Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around? </P><P></P><P>For example:</P><P></P><P>static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255</P><P>static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255</P><P></P> Mon, 11 Mar 2019 14:44:49 GMT https://community.cisco.com/t5/network-security/static-nat-device-across-dmzs/m-p/1223990#M876963 wilson_1234_2 2019-03-11T14:44:49Z Re: static NAT device across DMZs https://community.cisco.com/t5/network-security/static-nat-device-across-dmzs/m-p/1223991#M876968 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>to communicate between DMZs you don't need any NAT. If you apply a adequate ACL they can communicate with each other.</P><P></P><P>Regards, Celio</P></BODY></HTML> Tue, 03 Feb 2009 08:33:22 GMT https://community.cisco.com/t5/network-security/static-nat-device-across-dmzs/m-p/1223991#M876968 celiocarreto 2009-02-03T08:33:22Z