PIX - Access DMZ server using an inside IP

Unanswered Question
Sep 4th, 2008

Hi there,

How would I go about setting up access to a server on the dmz from the inside, not by using "nonat" (i.e. nat 0 or a static with the same IP), but by accessing the server with an IP from the inside LAN?

Thanks in advance.

Jon Marshall Thu, 09/04/2008 - 13:18

Sorry, not sure I entirely understand. What is the inside IP, what is the DMZ IP and what do you want the inside IP address to be when it gets to the DMZ server?


mcvhintex Thu, 09/04/2008 - 13:28

If there is not an ACL already on the inside interface and if the inside interface has a higher security level than the DMZ interface, then all you will need is an address translation. Either a static or a nat statement.

soilemezis Thu, 09/04/2008 - 13:41

Thanks guys for your interest.

The answer may be simple, maybe it's a bit too late for me.

I'll make it an example.

Inside is of higher security.

IP addresses

inside pix:

dmz pix:

dmz server

need inside users to connect to this server (Web!) by using a local IP, e.g., not the IP.

Thanks again.

Jon Marshall Thu, 09/04/2008 - 13:44

static (outside,inside) netmask

You need to make sure that is not allocated to any device on the internal LAN.


soilemezis Thu, 09/04/2008 - 13:52

Thanks Jon,

in other words you do

static (outside,inside)etc

just as if you were allowing access to an internal server from the outside, where you would have done

static (inside,outside) etc

Is that so ?


acomiskey Thu, 09/04/2008 - 13:55

Correct me if I'm wrong Jon, but I think you meant...

static (dmz,inside) netmask

mcvhintex Thu, 09/04/2008 - 13:58

You have it correct. You need to have the DMZ and Inside interfaces.

soilemezis Thu, 09/04/2008 - 14:05


I realise Jon meant to use dmz instead of outside.

So we agree that no matter whether the security level is from higher to lower, or lower to higher, we use the same syntax for the static.

Any objections, please advise.

Jon Marshall Thu, 09/04/2008 - 15:15

Well, yes and no, as you'll notice that the interfaces in the static statement are reversed, i.e. the most common syntax for a static would be

static (inside,dmz) or

static (inside,outside)

whereas what you are doing here is reversing the interface order, i.e.

static (dmz,inside) or

static (inside,dmz)


Jon Marshall Thu, 09/04/2008 - 15:10


Nice to know someone was paying attention :)

Yes, I meant dmz, thanks for clarifying.
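
The reversed static the thread converges on, written out as an added example that is not part of the original posts. All addresses and the ACL name are constructed placeholders, since the thread does not show the real ones; the syntax is the PIX `static (real_ifc,mapped_ifc) mapped_ip real_ip` form.

```cisco
! Constructed addresses, not taken from the thread:
!   inside LAN        192.168.1.0/24  (higher security level)
!   DMZ web server    10.10.10.5      (real address)
!   alias on inside   192.168.1.50    (must not be assigned to any LAN device)

! Conventional direction, for comparison: an inside host published towards
! the DMZ, real interface = inside, mapped interface = dmz.
!   static (inside,dmz) <dmz-side-ip> <inside-host-ip> netmask 255.255.255.255

! Reversed direction: real interface = dmz, mapped interface = inside.
! Inside users browse to 192.168.1.50; the PIX rewrites the destination to
! 10.10.10.5 and answers ARP for 192.168.1.50 on the inside segment, which is
! why the alias must be unused on the LAN.
static (dmz,inside) 192.168.1.50 10.10.10.5 netmask 255.255.255.255

! Only if an ACL is already applied inbound on the inside interface
! (hypothetical name inside_in): permit web traffic to the alias, i.e. the
! address as the packet carries it when it arrives on inside.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.50 eq www

! Check the translation after a test connection from an inside host:
!   show xlate
```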


