
Accessing Perimeter NAT IP from Inside host

nojpt
Level 1

I don't know if this is possible, would appreciate any insight.

I have a host on my perimeter interface (DMZ) NATted to the outside with a public IP address. I want to access this host on the DMZ using its NATted public IP address (on the outside interface). So far I have had no success.

Thanks in advance.

Jon


8 Replies

andrew.prince
Level 10

Jon,

Are you trying to access the DMZ host using the outside IP from the inside?

Yes, I'm trying to access the DMZ host via its NATted IP on the outside (public IP).

I stand corrected - but as far as I am aware this is not possible.

Going from the inside - to the outside, back into the outside into the DMZ. From the DMZ to the outside, back into the outside into the inside.....does this cover it?

I just cannot see how that is possible - or even why you would want to do it?

However with the above, it had piqued my interest - I have just been in the lab and found a way to do it:-

static (dmz,inside) xx.xx.xx.xx ii.ii.ii.ii netmask 255.255.255.255

Where xx.xx.xx.xx is the EXTERNAL address and ii.ii.ii.ii is the address on the DMZ

HTH.

Hi Andrew,

Glad that you went out of your way to test this in your lab.

One question though, doesn't the syntax for static go this way:

Static (high_security_int,low_security_int) low_ip high_ip netmask 255.255.255.255 ???

Where INSIDE is always the highest security interface, etc. So just wondering if the command syntax is right.

Will have to test this as well.

NP - it got me thinking, could not let it go, had to test it ;o)

Good question - sadly no, the PIX/ASA does not use that logic, the syntax is correct:-

static (dmz,inside) x.x.x.x y.y.y.y 255.255.255.0

x.x.x.x - external IP

y.y.y.y - dmz ip

It does work! Thanks so much! I'm rating your response.

Excellent - no problem - thanks very much.
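
Added example, not part of the thread or any poster's own code: a Python check that reads `static` lines of the form shown above and lists DMZ hosts that are translated toward the outside interface but lack the matching `(dmz,inside)` static described in the replies. The interface names, the sample configuration and its addresses are assumptions constructed for illustration.

```python
import re

# The static form used in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
# Port-redirect statics (with tcp/udp and ports) do not match and are skipped.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)"
    r"(?:\s+netmask\s+(?P<mask>[\d.]+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample config; addresses are documentation/private ranges.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
static (dmz,inside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 10.0.0.20 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.12 www 192.168.50.12 www netmask 255.255.255.255
"""

def parse_statics(config_text):
    """Return one dict per address static found in the config text."""
    matches = (STATIC_RE.match(line.strip()) for line in config_text.splitlines())
    return [m.groupdict() for m in matches if m]

def missing_inside_statics(config_text, dmz="dmz", outside="outside", inside="inside"):
    """DMZ hosts translated toward `outside` with no matching static toward `inside`."""
    statics = [s for s in parse_statics(config_text) if s["real_if"].lower() == dmz]
    covered = {(s["mapped_ip"], s["real_ip"])
               for s in statics if s["mapped_if"].lower() == inside}
    return [s for s in statics
            if s["mapped_if"].lower() == outside
            and (s["mapped_ip"], s["real_ip"]) not in covered]

def suggested_lines(config_text, dmz="dmz", inside="inside"):
    """Build the (dmz,inside) static lines that would close each gap."""
    return [
        f"static ({dmz},{inside}) {s['mapped_ip']} {s['real_ip']} "
        f"netmask {s['mask'] or '255.255.255.255'}"
        for s in missing_inside_statics(config_text, dmz=dmz, inside=inside)
    ]

if __name__ == "__main__":
    for line in suggested_lines(SAMPLE_CONFIG):
        print(line)
```

Each suggested line is a candidate for review before it goes on the firewall, since it makes the DMZ host answer on its public address for inside clients.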
