PIX/ASA public IP DMZ without NATing to Outside IP address

Feb 27th, 2007

Hi, I have a T1 with a class C that is subnetted into two for the Outside and DMZ networks, with the Inside using private IP addresses. My question is: how do I configure the DMZ to use the public addresses without NATing to the Outside IP address? All the config samples I found use an Outside public IP address NATed to the DMZ private network, i.e., DMZ with web server using IP address from Outside network.

I am looking for a sample configuration that uses public IP on the Outside, public IP on DMZ and private IP on the Inside.



sebastan_bach Tue, 02/27/2007 - 07:47

Hi, this is very simple.

First of all, I am sure that your security level for the DMZ will be higher as compared to the outside interface.

As you are using public IPs in the DMZ segment.

If you are talking about traffic initiated from the DMZ to the outside without natting to the outside IP, because the DMZ is already using public IPs.

If you are using code 7.0 and above, by default no nat-control is enabled. It means natting is not mandatory for traffic from a higher security level interface to a lower one, like in your case from DMZ to outside.

You can check whether nat-control is disabled or not with the command:

sh run nat-control.

If nat-control is disabled then it should solve your problem.

If nat-control is enabled then natting is required from a higher to a lower security level interface.

In this case either you can disable nat-control with the no nat-control command in global config mode,

or you can do a nat 0, that is, NAT exemption for traffic from DMZ to outside, which means it will not translate traffic going from DMZ to outside.

E.g.: your DMZ subnet is which you don't want to be natted to the outside IP while going out.

nat (dmz) 0

This does the required job.

I hope this solves your query.

If you have more questions, do write back.



cscoesudo Thu, 03/01/2007 - 23:06

I am using PIX v7.1, and I tried your recommendation. I have dmz with security level 10 and inside security level 100.

I am natting from inside out but I don't want to nat from dmz to outside, is this correct?

nat (inside) 1

nat (dmz) 0

With this configuration, will I be able to access any host in the dmz? TIA.

vitripat Fri, 03/02/2007 - 03:56

As per your requirements, assuming that the server on the DMZ is x.x.x.x (which is a public IP address), you can configure your PIX to allow traffic to this server from outside as shown below:

static (dmz,outside) x.x.x.x x.x.x.x

access-list outside_in permit tcp any host x.x.x.x eq 25

access-group outside_in in interface outside

Notice that we have used the same IP address twice in the static command. Normally one of those IP addresses is the private IP address when the server on the DMZ is given a private IP address. This form of the static command is called "self-static". You can use the same template in your scenario with your existing access-lists/groups.

Hope this helps.
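
The three-interface layout asked about in this thread, written out as a PIX 7.x configuration; this is an added example, not a config posted by any participant. The addresses are constructed from documentation ranges, and the interface hardware names, ACL names, server address 192.0.2.130 and upstream router 192.0.2.1 are assumptions.

```cisco
! Constructed addressing (documentation ranges, not the thread's):
!   outside 192.0.2.0/25, dmz 192.0.2.128/25 (both public), inside 10.1.1.0/24
! Assumption: the upstream router routes 192.0.2.128/25 to 192.0.2.2.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.128
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 192.0.2.129 255.255.255.128
!
! Inside (private) hosts are PATed to the address of the interface they exit.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
!
! DMZ subnet keeps its own public addresses in both directions (identity static).
static (dmz,outside) 192.0.2.128 192.0.2.128 netmask 255.255.255.128
!
! Internet -> DMZ: filtered where packets enter, on the outside interface.
access-list outside_in extended permit tcp any host 192.0.2.130 eq smtp
! Replies to DMZ pings (needed unless ICMP inspection is enabled).
access-list outside_in extended permit icmp any 192.0.2.128 255.255.255.128 echo-reply
access-group outside_in in interface outside
!
! DMZ -> elsewhere: filtered on the dmz interface, so the DMZ host is the SOURCE.
access-list dmz_in extended permit tcp host 192.0.2.130 any eq smtp
access-list dmz_in extended permit udp host 192.0.2.130 any eq domain
access-list dmz_in extended permit icmp 192.0.2.128 255.255.255.128 any echo
access-group dmz_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

An ACL bound with `access-group ... in interface dmz` is evaluated against packets arriving from DMZ hosts, so entries that name the DMZ server as the destination belong on the outside ACL instead.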



cscoesudo Fri, 03/02/2007 - 12:50

I tried the above suggestions, but I cannot access port 25 to the host inside the DMZ. And the dmz host cannot go to the Internet or ping anything other than the DMZ interface.

access-list acl_out line 36 extended permit tcp any host 205.158.XX.XX eq smtp

static (dmz,outside) 205.158.XX.XX 205.158.XX.XX netmask

access-list acl_dmz extended permit tcp host 205.158.XX.XX any

access-group acl_dmz in interface dmz

Any other suggestions, TIA.

acomiskey Fri, 03/02/2007 - 12:57

Is that your entire access-list acl_dmz? If so, that would explain why you cannot ping.

cscoesudo Sat, 03/03/2007 - 22:47

Here is the config for the dmz, but I cannot ping or telnet to port 25 to dmz host.

access-list acl_dmz extended permit tcp any host 205.158.XX.YY eq smtp

access-list acl_dmz extended permit icmp any any

access-group acl_dmz in interface dmz

