PIX-Config

jeff.koh
Level 1

Hi,

I have 3 interfaces, outside, inside and DMZ. The DMZ servers are NAT'd to Public IP. I am allowing Public to access the DMZ servers via Public IP.

eg:

static (dmz, outside) 161.10.10.10 172.16.2.10 netmask 255.255.255.255

static (dmz, outside) 161.10.10.11 172.16.2.11 netmask 255.255.255.255

This is from high security to low. What about users from the inside accessing the DMZ server using the public IP? Is the following statement correct?

static (dmz, inside) 161.10.10.10 172.16.2.10 netmask 255.255.255.255

static (dmz, inside) 161.10.10.11 172.16.2.11 netmask 255.255.255.255

thanks!

3 Replies

gfullage
Cisco Employee

For inside users to access these servers via the public IP, you need to set up "destination NAT" in the PIX, where the PIX will see traffic destined for 161.10.10.10 and change the destination to 172.16.2.10.

The commands you specify above are exactly what's needed. This tells the PIX that if you see a packet on the inside interface for 161.10.10.10, change it to 172.16.2.10 and send it to the dmz interface.

What you could also do, if your DNS server is on the outside interface and it resolves to 161.10.10.10 when your users browse to these servers, is change your existing statics to:

static (dmz, outside) 161.10.10.10 172.16.2.10 dns netmask 255.255.255.255

static (dmz, outside) 161.10.10.11 172.16.2.11 dns netmask 255.255.255.255

which tells the PIX that if it sees a DNS reply come through that has 161.10.10.10 in it, change it to 172.16.2.10. This way your users can browse to it via its public name, and they won't have any idea what IP address they're actually connecting to.

This'll only work if the DNS server is on the outside though, otherwise use "Destination NAT" like you have done with the 2nd set of commands.

baileja
Level 1

Your config is correct.

shannong
Level 4

Your config is correct. However, don't forget that inside users must have some form of NAT on their way out to the DMZ. When going from high to low, the source address must always have some form of NAT configured. This can be accomplished with [static], [nat 0], or [nat][global].
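The translation behaviour the replies describe, as an added model written for this page (not PIX code and not from any poster): it parses the four static lines from the thread, applies destination NAT for packets arriving on the mapped interface, flags the high-to-low crossing that shannong says needs a source translation, and rewrites A records the way the dns keyword does. The security levels outside=0, dmz=50, inside=100 are an assumed, typical layout not stated in the thread.

```python
import re
from dataclasses import dataclass

# Constructed config: the statics from the thread, with the "dns" keyword
# on the outside pair as gfullage suggests. Security levels are assumed.
PIX_CONFIG = """
static (dmz, outside) 161.10.10.10 172.16.2.10 dns netmask 255.255.255.255
static (dmz, outside) 161.10.10.11 172.16.2.11 dns netmask 255.255.255.255
static (dmz, inside) 161.10.10.10 172.16.2.10 netmask 255.255.255.255
static (dmz, inside) 161.10.10.11 172.16.2.11 netmask 255.255.255.255
"""
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}  # assumed

STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)( dns)? netmask (\S+)", re.M)

@dataclass
class Static:
    real_ifc: str     # interface where the real host lives (dmz)
    mapped_ifc: str   # interface on which the mapped address is seen
    mapped_ip: str
    real_ip: str
    dns: bool         # rewrite matching A records in DNS replies

def parse_statics(text):
    return [Static(m[1], m[2], m[3], m[4], m[5] is not None)
            for m in STATIC_RE.finditer(text)]

def destination_nat(statics, in_ifc, src, dst):
    """Packet arriving on in_ifc for dst. Returns (egress_ifc, new_dst,
    needs_source_nat) or None if no static covers the destination."""
    for s in statics:
        if in_ifc == s.mapped_ifc and dst == s.mapped_ip:
            # A high-to-low crossing (e.g. inside -> dmz) is only forwarded
            # if the source also has a translation (static / nat 0 / nat+global).
            high_to_low = SECURITY_LEVEL[in_ifc] > SECURITY_LEVEL[s.real_ifc]
            return (s.real_ifc, s.real_ip, high_to_low)
    return None

def doctor_dns_reply(statics, reply_ifc, answers):
    """Rewrite A-record answers of a DNS reply that entered on reply_ifc,
    as the dns keyword does: mapped IP -> real IP for matching statics."""
    table = {s.mapped_ip: s.real_ip
             for s in statics if s.dns and s.mapped_ifc == reply_ifc}
    return [table.get(a, a) for a in answers]

STATICS = parse_statics(PIX_CONFIG)
```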
