Global IP communications problems with outside interface

May 11th, 2007

Hi all. I have a small problem I need help figuring out.

I have a Global statement:

global (outside) 2 netmask

And my nat statement is:

nat (dmz2) 2 0 0

Now, I have a host inside DMZ2 that wants to talk to my PIX's outside interface which is:

So the traffic goes from insidehost -> gets PAT/NAT with (global interface) and then tries to contact the real outside interface. But it doesn't work.

In my DMZ2 ACL I have the rule "permit ip any any" just to be on the safe side.

My insidehost can contact other sites outside my PIX. (I have 2 other PIX with other IP ranges that the inside host can contact without problems.)

So, is it possible for the global interface to contact the outside interface, or is that denied somehow intentionally?

Or do I need to add a rule in the outside ACL that permits the outside interface to communicate with the global interface?



vitripat Fri, 05/11/2007 - 02:41

This won't work. But why exactly do you need a DMZ host to communicate with the PIX's outside interface IP address? If you can tell us the requirement, like a webserver on the inside using the PIX's outside interface IP address, we may be able to help.



It is recommended to use static nat translation for servers within a DMZ, for example.

static (dmz,outside) netmask

If (real address) is a webserver, then do:

access-l outside_in permit tcp any host eq 80

access-group outside_in in interface OUTSIDE

