
PIX w/multiple DMZ

sandonen
Level 1

I'm a little confused with most of the documentation I found on the Cisco website. In some documentation, they show that if you are going from inside to dmz, then use

static (inside,dmz) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

In other docs, use nat (inside) 0.

Which one lends itself to a better overall configuration if you have requirements for multiple DMZ areas, with security requirements for each?


peangvall
Level 1

If you put in something like nat (inside) 0 192.168.1.0 255.255.255.0, then those addresses will never be NAT'd, even if they go outside, since you can't tie a nat 0 to a global 0. So that's not a good idea. You could do a nat (inside) 0 access-list NONAT to specify the source and dest, but that is kind of messy. That said, if you need to access a higher int (inside) from a lower int (dmz), then you have to use statics, as nats are only for outbound.

As a general rule, if I have inside hosts that need to get to the dmz, I just static the whole inside block just like you did in your question. It is cleaner and easier to understand and there are no security issues. Then if you need to add an acl entry back to the inside, the static is already there.
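Below is an added PIX 6.x configuration sketch that puts the reply's advice into one place for two DMZs at different security levels. It is not from either poster; only the inside block 172.18.1.0/24 and the static command come from the thread, and the interface names, security levels, DMZ addresses, hosts and ports are assumptions.

```text
! Added example (not from the original thread). Interface names, security
! levels and all 10.x.x.x addresses are assumed; 172.18.1.0/24 is from the post.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security20

ip address inside 172.18.1.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.2.2.1 255.255.255.0

! Outbound traffic to the internet is PAT'd through nat/global. Nothing here
! uses nat 0, so the inside block is never sent outside un-NATed.
nat (inside) 1 172.18.1.0 255.255.255.0
nat (dmz1) 1 10.1.1.0 255.255.255.0
nat (dmz2) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface

! Identity statics: inside keeps its real addresses on each DMZ interface,
! so a later DMZ->inside opening is just an ACL entry, not another NAT change.
static (inside,dmz1) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
static (inside,dmz2) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

! Per-DMZ inbound ACLs carry the security policy. dmz1 may reach one
! inside host on one assumed port; dmz2 (lower security) may reach neither
! inside nor dmz1. The trailing permit keeps outbound-to-internet working.
access-list dmz1_in permit tcp host 10.1.1.10 host 172.18.1.20 eq 1433
access-list dmz1_in deny ip any 172.18.1.0 255.255.255.0
access-list dmz1_in permit ip any any
access-group dmz1_in in interface dmz1

access-list dmz2_in deny ip any 172.18.1.0 255.255.255.0
access-list dmz2_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz2_in permit ip any any
access-group dmz2_in in interface dmz2
```

Because the statics are identity translations, the DMZ ACLs reference the real inside addresses, which is what makes the reply's "the static is already there" point work: the policy for each DMZ lives entirely in its own access-list, and adding or removing a DMZ does not touch the outbound nat/global pair.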
