inside and DMZ

Unanswered Question
May 14th, 2008

Hi, all

I have a question regarding communication between inside and DMZ. Cisco configuration example, at this link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

According to this document:

DMZ IP: 192.168.1.0/24

inside IP: 172.20.1.1/24

The example configures communication from DMZ to inside by using static NAT:

static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255

Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?

Not in this example but in another: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

when configuring communication from inside to DMZ by using real IP addresses:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

What is the reason for using real IPs? Just ease? Does this give less security than using PAT?

Thanks

Shawn

owillins Tue, 05/20/2008 - 14:14

I think there is no mistake in this document. Some users might access it through the real address and some through the NATed one. So they are using the real IP.

xiangdongbi Tue, 05/20/2008 - 14:59

My question has two parts. The first part is that in the first example document the DMZ IP is 192.168.1.0/24, but when they use NAT they use static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255. The IP is in 192.168.2.0: it is 192.168.2.20, not 192.168.1.20, a different subnet.

The second question I have is: is it best practice to use real IPs when you want to configure communication from inside to DMZ? Is using NAT more secure than real IPs?

Thanks

Shawn

Fernando_Meza Tue, 05/20/2008 - 16:23

Hi Shawn,

"Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?"

Most likely it is a typo. Having said that, as long as routing is configured correctly, 192.168.2.20 could also be used.

"What is the reason for using real IPs? Just ease? Does this give less security than using PAT?"

The command static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 is basically providing space for 254 static NATs in one single instruction, which otherwise would have to be entered one by one. In some scenarios you require access to the REAL IP address from the DMZ segment towards the internal network, and in that situation you would use this type of instruction. Of course you can control that access by applying appropriate ACL entries to the DMZ interface.

I hope it helps. Please rate helpful posts!
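To make the two answers concrete, the following ASA-style configuration is an added example, not taken from either Cisco document or from any poster in this thread. It puts the two static-NAT forms side by side and adds the DMZ-interface ACL that actually limits DMZ-to-inside traffic. The inside subnet 10.1.1.0/24 is the one from the second document; the DMZ subnet 192.168.1.0/24, the interface names inside and dmz, the hosts 192.168.1.10 and 10.1.1.5, the ACL name dmz_in and TCP port 1433 are assumptions for illustration.

```cisco
! Added example; not the configuration from the Cisco documents above.
! Assumed interfaces: inside (security-level 100), dmz (security-level 50).
! Assumed subnets: inside 10.1.1.0/24, dmz 192.168.1.0/24.

! Form 1: identity static NAT for the whole inside subnet.
! Inside hosts are reachable from the DMZ by their real addresses; this
! single line covers all 254 hosts instead of one static per host.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Form 2: per-host static NAT with a translated (mapped) address.
! The mapped address must be one the DMZ hosts can reach, normally an
! address in the DMZ subnet itself. For a 192.168.1.0/24 DMZ that means
! an entry like the commented one below; a mapped address in another
! subnet (the 192.168.2.20 of the first document) only works if the DMZ
! routes that subnet to the firewall.
! static (inside,dmz) 192.168.1.20 10.1.1.5 netmask 255.255.255.255

! Neither NAT form restricts anything on its own. Traffic from dmz (50)
! to inside (100) is denied until an ACL applied inbound on dmz permits
! it, so list only the flows the DMZ servers actually need, then deny the
! rest of the inside network before allowing anything else (Internet).
access-list dmz_in extended permit tcp host 192.168.1.10 host 10.1.1.5 eq 1433
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

The point for the "is NAT more secure than real IPs" question: the translation only decides which address the DMZ sees, while the dmz_in ACL decides which connections are allowed, so the two forms are equally safe as long as the ACL is equally tight. To confirm what the firewall will do with a given flow, the exec command packet-tracer input dmz tcp 192.168.1.10 12345 10.1.1.5 1433 (available on ASA 7.2 and later) walks the packet through the ACL and NAT phases and reports the verdict.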
