DMZ to inside - want servers to be see with original ips.

briapolo
Level 1

I have a 10.x.x.x network on the inside interface (100). I have a semi-rogue network being hooked up to ethernet6 (90) which is going to be 10.y.y.y. I would like for the 10.y.y.y network to be able to see all the servers on the inside with the original 10.x.x.x addresses. Is this possible? If so, how?

2 Replies

mostiguy
Level 6

yup.

You probably have a nat 1 statement for all traffic from that interface. What you want to add is a nat 0 access-list statement that selectively excludes traffic from NAT. If 1.2.3.0/24 was the netblock used on e6, then this is basically what you would want to do:

access-list 106 permit ip 10.x.x.x 255.0.0.0 1.2.3.0 255.255.255.0

nat (inside) 0 access-list 106

This would stop 10.0.0.0/8 from NATting traffic only when the destination is 1.2.3.0/24.

bdube
Level 2

Yes,

Just create a static statement using the same IP for the low-sec and high-sec interfaces:

static (inside,dmz) 10.x.x.x 10.x.x.x netmask 255.0.0.0

access-list ondmz permit ip 10.y.y.y 255.0.0.0 10.x.x.x 255.0.0.0

access-group ondmz in interface dmz

I wrote it roughly; check the syntax to be sure.

Ben
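Putting the two replies together, here is a complete PIX 6.x configuration fragment for the setup in the question. This is an added example, not config posted by either replier; the interface name "outside", the global pool, and the subnets 10.1.0.0/16 (inside) and 10.2.0.0/16 (dmz on ethernet6) are constructed placeholders, and lines starting with ! are comments.

```text
! Constructed addressing: inside = 10.1.0.0/16 (security100)
!                         dmz    = ethernet6, 10.2.0.0/16 (security90)
nameif ethernet6 dmz security90
ip address dmz 10.2.0.1 255.255.0.0

! The existing dynamic NAT for inside hosts leaving via lower-security
! interfaces (global pool on "outside" assumed).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! mostiguy's approach: NAT exemption. nat 0 is matched before nat 1, so
! inside -> dmz traffic keeps its real 10.1.x.x source address while
! traffic to every other destination is still translated.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! bdube's alternative: an identity static on the (inside,dmz) pair.
! Use one method or the other for a given set of hosts, not both.
! static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

! Flows initiated from the lower-security dmz toward inside are denied by
! default; this ACL opens only the dmz subnet to the inside subnet.
access-list dmz_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group dmz_in in interface dmz
```

After applying it, "show xlate" from a dmz-initiated connection should show no translation for the inside server, confirming the exemption took effect; narrowing the dmz_in permit to the specific servers and ports the rogue network actually needs limits what it can reach.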