https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951833#M937707 <P>Hi, all</P><P></P><P>I have some question regarding to the communication between inside and DMZ. Cisco configure example the link: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml</A></P><P></P><P>according to this document.</P><P>DMZ IP: 192.168.1.0/24</P><P>inside IP: 172.20.1.1/24</P><P></P><P>the example gives configure communication from DMZ to inside by using static nat:</P><P>static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255 </P><P></P><P>here the ip given is 192.168.2.20. why is 192.168.2.20. not 192.168.1.20? Is that misatke?</P><P></P><P>Not in this example but another: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml</A></P><P> when configuring communication from inside to DMZ by using real ip address: </P><P>static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0.</P><P></P><P>what is reason using real ip? just easy? Does this give less security than by using PAT?</P><P></P><P>Thanks</P><P></P><P>Shawn</P><P></P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:45:19 GMT xiangdongbi 2019-03-11T12:45:19Z https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951833#M937707 <P>Hi, all</P><P></P><P>I have some question regarding to the communication between inside and DMZ. Cisco configure example the link: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml</A></P><P></P><P>according to this document.</P><P>DMZ IP: 192.168.1.0/24</P><P>inside IP: 172.20.1.1/24</P><P></P><P>the example gives configure communication from DMZ to inside by using static nat:</P><P>static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255 </P><P></P><P>here the ip given is 192.168.2.20. why is 192.168.2.20. not 192.168.1.20? Is that misatke?</P><P></P><P>Not in this example but another: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml</A></P><P> when configuring communication from inside to DMZ by using real ip address: </P><P>static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0.</P><P></P><P>what is reason using real ip? just easy? Does this give less security than by using PAT?</P><P></P><P>Thanks</P><P></P><P>Shawn</P><P></P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 12:45:19 GMT https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951833#M937707 xiangdongbi 2019-03-11T12:45:19Z https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951834#M937708 <HTML><HEAD></HEAD><BODY><P>I think there is no mistake in this document. Might be some users to access it through the real address and some through the natted one. So they are using real ip.</P></BODY></HTML> Tue, 20 May 2008 21:14:11 GMT https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951834#M937708 owillins 2008-05-20T21:14:11Z https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951835#M937709 <HTML><HEAD></HEAD><BODY><P>My questiion has two parts. The first part is that in first example documents. the DMZ ip is:192.168.1.0/24, when they use nat they use static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255. the ip is 192.168.2.0. it is 192.168.2.20 not 192.168.1.20 different sub net.</P><P></P><P>the seocnd question I have is: is that best practice to use real ip when you want to configure communcation from inside to DMZ? is using nat more scurity that real ip?</P><P></P><P>Thanks</P><P></P><P>Shawn </P><P></P></BODY></HTML> Tue, 20 May 2008 21:59:30 GMT https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951835#M937709 xiangdongbi 2008-05-20T21:59:30Z https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951836#M937710 <HTML><HEAD></HEAD><BODY><P>Hi Shawn,</P><P></P><P>"here the ip given is 192.168.2.20. why is 192.168.2.20. not 192.168.1.20? Is that misatke?"</P><P></P><P>most likely it is a typo mistake. Having said that as long as routing is configured correctly 192.168.2.20 could also be used.</P><P></P><P>" what is reason using real ip? just easy? Does this give less security than by using PAT? "</P><P></P><P>The command (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0. is basically providing space for 254 static nats in one single instruction which otherwise would have to be entered one by one. In some scenarios you require to access the REAL IP address from the DMZ segment towards the internal and so in that situation you would use this type of instruction. Of course you can control that access by applying appropriate ACL entries to the dmz interface.</P><P></P><P>I hope it helps .. please rate helpful posts !!!</P><P></P></BODY></HTML> Tue, 20 May 2008 23:23:36 GMT https://community.cisco.com/t5/network-security/inside-and-dmz/m-p/951836#M937710 Fernando_Meza 2008-05-20T23:23:36Z