https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800631#M990015 <HTML><HEAD></HEAD><BODY><P>It is recommended to use static nat translation for servers within a DMZ, for example.</P><P></P><P>static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255</P><P></P><P>If 192.168.1.1 (real address) is a webserver, then do:</P><P></P><P>access-l outside_in permit tcp any host 66.44.44.33 eq 80</P><P></P><P>access-group outside_in in interface OUTSIDE</P></BODY></HTML> Sat, 12 May 2007 23:04:18 GMT joshua.walton 2007-05-12T23:04:18Z https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800628#M990012 <P>Hi all. I have small problem I need help to figure out</P><P></P><P>I have a Global statement:</P><P>global (outside) 2 1.1.1.10 netmask 255.255.255.240</P><P>And my nat statement is:</P><P>nat (dmz2) 2 0.0.0.0 0.0.0.0 0 0</P><P></P><P>Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface which is: 1.1.1.3</P><P></P><P>So the traffic goes from insidehost -&gt; gets PAT/NAT with 1.1.1.10 (global interface) and then trying to contact the real outside interface 1.1.1.3. But it dont work</P><P></P><P>In my DMZ2 ACL i have the rule "permit ip any any" just to be on the safe side.</P><P>My insidehost can contact other sites outside my PIX. (I Have 2 other pix with other ip-ranges that the inside host can contact without problems.)</P><P></P><P>So, is it possible for the global interface to contact the outside interface or is that denied somehow intentionaly`?</P><P></P><P>Or do i need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?</P><P>Regards</P><P>Anders</P> Mon, 11 Mar 2019 10:12:43 GMT https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800628#M990012 anders.lindback 2019-03-11T10:12:43Z https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800629#M990013 <HTML><HEAD></HEAD><BODY><P>This wont work. But why exactly do you need a DMZ host to communicate with PIX's outside interface IP address? If you can tell the requirement like a webserver on inside using PIX's outside interface IP address, we may be able to help.</P><P></P><P>Regards,</P><P>Vibhor.</P></BODY></HTML> Fri, 11 May 2007 09:41:34 GMT https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800629#M990013 vitripat 2007-05-11T09:41:34Z https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800630#M990014 <HTML><HEAD></HEAD><BODY><P>hi</P><P></P><P>might have figured something out, gonna test and come back later</P><P></P><P>brb</P></BODY></HTML> Fri, 11 May 2007 10:03:05 GMT https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800630#M990014 anders.lindback 2007-05-11T10:03:05Z https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800631#M990015 <HTML><HEAD></HEAD><BODY><P>It is recommended to use static nat translation for servers within a DMZ, for example.</P><P></P><P>static (dmz,outside) 66.44.44.33 192.168.1.1 netmask 255.255.255.255</P><P></P><P>If 192.168.1.1 (real address) is a webserver, then do:</P><P></P><P>access-l outside_in permit tcp any host 66.44.44.33 eq 80</P><P></P><P>access-group outside_in in interface OUTSIDE</P></BODY></HTML> Sat, 12 May 2007 23:04:18 GMT https://community.cisco.com/t5/network-security/global-ip-communications-problems-with-outside-interface/m-p/800631#M990015 joshua.walton 2007-05-12T23:04:18Z