05-14-2008 04:44 PM - edited 03-11-2019 05:45 AM
Hi, all
I have some questions regarding the communication between inside and DMZ. Cisco configuration example, the link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
According to this document:
DMZ IP: 192.168.1.0/24
inside IP: 172.20.1.1/24
the example configures communication from DMZ to inside by using static NAT:
static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255
Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?
Not in this example but in another: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
When configuring communication from inside to DMZ by using the real IP address:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0.
What is the reason for using the real IP? Just ease? Does this give less security than using PAT?
Thanks
Shawn
05-20-2008 02:14 PM
I think there is no mistake in this document. It might be that some users access it through the real address and some through the NATed one, so they are using the real IP.
05-20-2008 02:59 PM
My question has two parts. The first part is that in the first example document, the DMZ IP is 192.168.1.0/24, but when they use NAT they use static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255. The IP is in 192.168.2.0; it is 192.168.2.20, not 192.168.1.20, a different subnet.
The second question I have is: is it best practice to use the real IP when you want to configure communication from inside to DMZ? Is using NAT more secure than the real IP?
Thanks
Shawn
05-20-2008 04:23 PM
Hi Shawn,
"Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?"
Most likely it is a typo. Having said that, as long as routing is configured correctly, 192.168.2.20 could also be used.
"What is the reason for using the real IP? Just ease? Does this give less security than using PAT?"
The command static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 is basically providing space for 254 static NATs in one single instruction, which otherwise would have to be entered one by one. In some scenarios you need to access the REAL IP address from the DMZ segment towards the inside, and in that situation you would use this type of instruction. Of course you can control that access by applying appropriate ACL entries to the dmz interface.
I hope it helps. Please rate helpful posts!
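The configuration below is an added example, not from this thread or from the Cisco documents it links. It shows the three pieces the answers above describe together: a one-to-one static for a single inside host, the subnet-wide identity static from the second document, and the ACL on the dmz interface that actually limits what the DMZ may reach. It assumes pre-8.3 PIX/ASA NAT syntax (current when the thread was written), interfaces named inside and dmz with inside at the higher security level, the DMZ subnet 192.168.1.0/24 and inside subnets 172.20.1.0/24 and 10.1.1.0/24 from the two documents; the DMZ web server address 192.168.1.10 and the destination ports 1433 and 389 are assumed for illustration.

```cisco
! Added example (not from the thread or the linked Cisco documents).
! Assumes pre-8.3 PIX/ASA syntax, interfaces "inside" (security 100)
! and "dmz" (security 50), DMZ subnet 192.168.1.0/24, inside subnets
! 172.20.1.0/24 and 10.1.1.0/24. Host 192.168.1.10 and ports 1433/389
! are assumed values chosen for the example.

! (a) One-to-one static: inside host 172.20.1.5 is seen in the DMZ as
!     192.168.1.20. Picking a mapped address inside the DMZ subnet means
!     the firewall answers ARP for it on the dmz interface (proxy ARP), so
!     DMZ hosts need no extra route. A mapped address outside that subnet
!     (such as 192.168.2.20 in the document) also works, but only if DMZ
!     hosts route 192.168.2.0/24 to the firewall's dmz interface.
static (inside,dmz) 192.168.1.20 172.20.1.5 netmask 255.255.255.255

! (b) Identity static for a whole subnet: the inside network 10.1.1.0/24
!     is reachable from the DMZ under its real addresses. One line instead
!     of 254 host statics. It hides nothing, so the ACL below does the work.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! (c) The statics only create the translations. Traffic from the lower
!     security dmz to the higher security inside is still denied until an
!     ACL on dmz permits it, so permit only what the DMZ host needs and deny
!     the rest of the inside explicitly before the catch-all that lets the
!     DMZ keep reaching the outside.
!     Pre-8.3 caveat: match the address as seen on the dmz interface, i.e.
!     the mapped 192.168.1.20, not the real 172.20.1.5. (From 8.3 onward
!     ACLs reference real addresses instead.)
access-list dmz_in extended permit tcp host 192.168.1.10 host 192.168.1.20 eq 1433
access-list dmz_in extended permit tcp host 192.168.1.10 10.1.1.0 255.255.255.0 eq 389
access-list dmz_in extended deny ip any 172.20.1.0 255.255.255.0 log
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0 log
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

On the security question in the thread: neither the per-host static nor the identity static grants access by itself; what a DMZ host can open toward the inside is decided entirely by the dmz_in ACL, so the identity static is no less safe than a translated one as long as the ACL is this tight. What it does give up is address hiding, which makes the inside addressing visible to anyone who compromises a DMZ host. After changing statics on pre-8.3 code, run `clear xlate` so stale translations do not keep old mappings alive.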