DMZ to Internal Network?

Unanswered Question
Jul 31st, 2007

Hey guys

I have 3 nets - an outside/29, an inside, and a DMZ. I would like a few servers in the DMZ to be able to talk to a few servers on the inside net, just a few ports. What is the correct way to establish this?

Overall Rating: 5 (2 ratings)
srue Tue, 07/31/2007 - 11:06

enable static commands as follows:

static (inside,dmz)

enable access-list on dmz interface:

access-list dmz_acl permit tcp host host eq 80

access-group dmz_acl in interface dmz

this is an example to enable dmz host at to access on the inside on tcp port 80.

acomiskey Tue, 07/31/2007 - 11:08

Something like this will do the trick. Obviously the permit statements in the acl would be whatever you needed, I just used an example to allow the dmz to 3 inside hosts.

static (inside, dmz) netmask

access-list dmz permit ip any host

access-list dmz permit ip any host

access-list dmz permit ip any host

access-list dmz deny ip any

access-list dmz permit ip any any

access-group dmz in interface DMZ

The last 2 lines in the acl are important if you want the DMZ to be able to access the outside.

Please rate helpful posts.

srue Tue, 07/31/2007 - 11:15

oh yeah, don't forget those last two lines of acomiskey's config...VERY important. *slaps self for forgetting them*

these configs also assume nat-control is configured btw, if you're running 7.x.
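A filled-in version of the pattern from both answers above, including srue's nat-control note, as an added example that is not from the thread. The addresses (inside 10.1.1.0/24, DMZ 172.16.1.0/24), the ACL name and the ports are constructed assumptions; substitute the real servers and only the ports those servers actually need.

```cisco
! Added example, not from the original posts. Addresses and ports are
! constructed assumptions (RFC 1918 ranges); PIX/ASA 7.x syntax.
! With nat-control on, a DMZ host can only reach inside if a translation
! exists. The identity static below publishes the inside network to the
! DMZ under its real addresses without changing them.
nat-control
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Least privilege: only the three inside servers, only the needed ports
! (assumed here: SQL 1433, LDAP 389, DNS 53), only from the DMZ hosts
! that need them. Nothing else in the DMZ can initiate to the inside.
access-list dmz_acl extended permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list dmz_acl extended permit tcp host 172.16.1.10 host 10.1.1.21 eq 389
access-list dmz_acl extended permit udp host 172.16.1.11 host 10.1.1.22 eq 53

! The order matters: deny the rest of the inside network first, then
! allow the DMZ out to the Internet. Without the deny, "permit ip any any"
! would also open the whole inside network to the DMZ.
access-list dmz_acl extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz_acl extended permit ip any any
access-group dmz_acl in interface dmz

! Verification (ASA 7.2 and later): confirm hit counts on the deny line
! and walk one allowed and one blocked flow through the rule base.
! show access-list dmz_acl
! packet-tracer input dmz tcp 172.16.1.10 1025 10.1.1.20 1433
! packet-tracer input dmz tcp 172.16.1.10 1025 10.1.1.50 445
```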
