07-14-2006 05:19 AM - edited 03-09-2019 03:35 PM
Hello,
Sorry, but I have a problem.
I have a PIX Firewall 515 with 3 interfaces: inside, dmz and outside.
inside 10.34.10.0
dmz 192.168.1.0
outside 151.x.x.x
I need to reach the dmz clients from inside and the opposite, without NAT, and the dmz must get Internet with NAT.
I configured:
nat (dmz) 2 192.168.1.0 255.255.255.0 0 0
global (outside) 2 151.x.x.1
access-list dmz_inside_in line 1 permit ip 192.168.1.0 255.255.255.0 any
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
I can't reach the hosts from inside to dmz or the opposite.
07-14-2006 06:01 AM
If you don't want NAT, use the special NAT 0 group:
nat (dmz) 0 192.168.1.0 255.255.255.0
This disables the NAT process.
When going from a higher (inside) to lower (dmz) interface, you don't - by default - need to specify an ACL. Of course, your ACL doesn't actually do anything unless you apply it.
HTH,
Terry
07-14-2006 06:16 AM
Thanks,
but I need to use NAT for Internet from the dmz,
and not use NAT from the dmz to inside.
07-14-2006 02:01 PM
Hi,
Do the following:
static
Static
I hope this is helpful!
I think this document will help you.
Please rate if it does!
Thanks
Abd Alqader
07-14-2006 01:51 PM
The old rule used to be "high security -> low = nat+global, low -> high = static+ACL", although it gets more confusing when you have more interfaces and don't always want to NAT.
A traffic flow is always source->destination and therefore only involves two interfaces. So think of your traffic as being flows between two interfaces. Here we have two flows: when dmz accesses the Internet, dmz=high, Internet=low; when dmz accesses inside, inside=high, dmz=low. Therefore you need nat+global for dmz->Internet, and static for dmz->inside.
You have the correct lines to NAT your internet access:
nat (dmz) 2 192.168.1.0 255.255.255.0 0 100
global (outside) 2 151.x.x.1
The next line allows inside IPs to be visible to dmz (you still need ACL to permit traffic):
static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0
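Putting the two flows together, here is a complete PIX 6.x NAT/ACL fragment for the addresses given in the original question. This is an added example, not configuration posted by anyone in this thread. The security levels, the access-list name dmz_in, the access-group line and the inside->Internet nat/global pair (nat id 1) are assumptions added so the fragment stands on its own; the 151.x.x.1 address is left exactly as the poster wrote it.

```cisco
! Assumed security levels: inside 100, dmz 50, outside 0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Flow 1: dmz -> Internet. dmz is the high side here, so nat+global.
! dmz hosts are PATed behind 151.x.x.1 (left as written in the question).
nat (dmz) 2 192.168.1.0 255.255.255.0 0 0
global (outside) 2 151.x.x.1

! Flow 2: dmz <-> inside without NAT. inside is the high side, so a static.
! The identity static presents inside hosts to the dmz with their real
! addresses, and because a static is checked before nat/global it also
! satisfies the translation requirement when inside initiates toward dmz.
static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0

! dmz is the low side of flow 2, so an ACL applied inbound on dmz is
! required. Permit dmz -> inside explicitly; the "any" line keeps flow 1
! working and should be narrowed to the ports the dmz actually needs.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.34.10.0 255.255.255.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Assumed: inside -> Internet still needs its own translation (nat id 1).
nat (inside) 1 10.34.10.0 255.255.255.0 0 0
global (outside) 1 interface
```

To confirm the two flows are translated as intended, generate traffic from a dmz host to an inside host and to the Internet, then compare `show xlate`: the dmz->inside connection should show no translation entry for 192.168.1.x (the identity static covers the inside side), while the dmz->Internet connection should show 192.168.1.x mapped to 151.x.x.1. `show access-list dmz_in` hit counts tell you which ACL line a denied or permitted dmz connection matched.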
07-25-2006 12:54 AM
Gurus, what if, in this exact situation, I want to NAT the source addresses of traffic coming from the DMZ to inside? Is that possible?
And what actually happens when you reverse the interfaces in the static line?
Like: static (DMZ,inside) x.x.x.x x.x.x.x netmask x.x.x.x