Accessing the Inside network from a DMZ

guy.hill
Level 1

Using NAT & Global to access Internet and DMZ from Inside - that works fine. Trying to access the Inside network from a DMZ, all the examples I have seen show a Static mapping to a single host on the Inside and an ACL to open access to that host from the DMZ - that works fine. But I need to give hosts on the DMZ access to ANY hosts on the Inside. Can this be done? I read something about using a "net static" but I don't get it. Can an ACL be used without a static mapping?

1 Reply

rrbleeker
Level 1

If you want to open the whole internal network for hosts located on the DMZ, you might as well place these DMZ hosts in your internal network. If, for some unknown reason, you would like to open up the gate, you need to set up static translations and an access-list entry. In your case you can use the real IP addresses for your inside hosts and set up an access-list that allows ip any any. The mask used in your static commands indicates the number of hosts. Assuming an internal network of 192.168.1.0/24, your config would look like this:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-list 101 permit ip any 192.168.1.0 255.255.255.0

access-group 101 in interface dmz

You might want to reconsider your policy and limit traffic between the DMZ and internal network as much as possible. A compromise of a DMZ host should not result in a compromise of your whole network.
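As an added example (not part of the reply above), here is the same identity static with the access-list narrowed the way the reply recommends: only the inside services the DMZ hosts actually need are permitted, everything else towards 192.168.1.0/24 is denied and logged, and a final permit keeps Internet-bound traffic working. The inside host 192.168.1.10, the ports, and the access-list name are assumptions for illustration; the log keyword on access-list entries assumes PIX 6.3 or later.

```cisco
! Identity static: inside hosts keep their real addresses when seen from the DMZ
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Only the services the DMZ hosts need on the inside (example host 192.168.1.10 is hypothetical)
access-list dmz_in permit tcp any host 192.168.1.10 eq 1433
access-list dmz_in permit udp any host 192.168.1.10 eq 53

! Everything else from the DMZ towards the inside network is dropped and logged,
! so a compromised DMZ host probing the inside shows up in syslog
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0 log

! Without this final permit the implicit deny at the end of the list would also
! block DMZ-to-Internet traffic once the access-group is applied
access-list dmz_in permit ip any any

access-group dmz_in in interface dmz
```

Order matters: the specific permits must precede the deny for the inside network, and the broad permit must come last.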