
Connect to DMZ server from inside host using the DMZ outside IP

The setup is as in the attached picture.

Pix config is as follows:

access-list DMZ extended permit icmp host Pubsrv any

access-list ACLIN extended permit tcp any host eq www

access-list ACLIN extended permit tcp any host eq ftp

access-list ACLIN extended permit tcp any host eq ftp <<< Allow ftp to Public Server

access-list ACLIN extended permit icmp host Inetsrv host

access-group ACLIN in interface outside

access-group DMZ in interface dmz


nat (inside) 1

global (outside) 1

global (dmz) 1

static (dmz,outside) Pubsrv netmask <<Public Server static NAT

static (inside,outside) Insrv netmask <<Internal Server static NAT

static (inside,outside) Wstation netmask

static (inside,dmz) Wstation netmask

route outside 1


Pix interfaces are configured with IPs shown in figure and sec levels are in:100 - dmz:50 - out:0

I go to the "Internal Server" and do an: ftp which is the outside IP of the "Public Server" instead of doing: ftp and connect to it directly, but it does not work and I cannot understand why.

As far as I understand the following steps should happen:

1)Internal Server (IP sends first ftp packet to Public Server (IP

2)pix receives the packet on the inside interface and makes static NAT for the src IP from to and sends the pkt to outside interface (based on routing table)

3)pix sees dest IP address so it takes packet again in from the outside interface and performs static NAT for the dst IP from to and sends packet out to Public server at DMZ.

4)Public server responds and there should be no problem for the response to go back as the session is stored in the Session Table.

However this does not happen and I am very confused....

Nicholas Vigil

If I understand your situation correctly try adding the following command in your pix (not sure what version you are running):


Hope this helps.

Rising star

Hi .. your description of the issue is a bit confusing .. can you just post your config and explain in a few words what you are trying to achieve.

The config I put above is the full config minus the interface configs (which are correct). Look at the attached picture to see the topology.

My question is this. When I am on an inside host (Internal Server or Workstation) and I make ftp (dmz real IP) it works. When I make ftp (dmz static translated IP) it does not.

In other words, I try to ftp from inside to dmz server via the dmz server outside IP. Is it clear now?
