09-04-2008 01:04 PM - edited 03-11-2019 06:40 AM
Hi there,
How would I go about setting up access to a server on the dmz from the inside, not by using "nonat" (i.e. nat 0 or a static with the same IP), but by accessing the server with an IP from the inside LAN?
Thanks in advance.
09-04-2008 01:18 PM
Sorry, not sure I entirely understand. What is the inside IP, what is the DMZ IP and what do you want the inside IP address to be when it gets to the DMZ server?
Jon
09-04-2008 01:28 PM
If there is not an ACL already on the inside interface and if the inside interface has a higher security level than the DMZ interface, then all you will need is an address translation. Either a static or a nat statement.
09-04-2008 01:41 PM
Thanks guys for your interest.
The answer may be simple, maybe it's a bit too late for me.
I'll make it an example.
Inside is of higher security.
IP addresses
inside 192.168.1.0/24 pix: 192.168.1.1
dmz 192.168.2.0/24 pix: 192.168.2.1
dmz server 192.168.2.2
need inside users to connect to this server (Web!) by using a local IP, e.g. 192.168.1.2, not the 192.168.2.2 IP.
Thanks again.
09-04-2008 01:44 PM
static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255
You need to make sure that 192.168.1.2 is not allocated to any device on the internal LAN.
Jon
09-04-2008 01:52 PM
Thanks Jon,
in other words you do
static (outside,inside)etc
just as if you were allowing access to an internal server from the outside where you would have done
static (inside,outside) etc
Is that so ?
Thanks
09-04-2008 01:55 PM
Correct me if I'm wrong Jon, but I think you meant...
static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255
09-04-2008 01:58 PM
You have it correct. You need to have the DMZ and Inside interfaces.
09-04-2008 02:05 PM
Thanks,
I realise Jon meant to use dmz instead of outside.
So we agree that no matter whether the security level is from higher to lower, or lower to higher we use the same syntax for the static.
Any objections, pls advise.
09-04-2008 03:15 PM
Well yes and no as you'll notice that the interfaces in the static statement are reversed ie. the most common syntax for a static would be
static (inside,dmz) or
static (inside,outside)
whereas what you are doing here is reversing the interface order ie.
static (dmz,inside) or
static (inside,dmz)
Jon
09-04-2008 03:10 PM
Adam
Nice to know someone was paying attention :)
Yes, I meant dmz, thanks for clarifying.
Jon
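Added example, not part of the original thread: a small Python check for the interface-order mix-up discussed above, using the PIX form `static (real_ifc,mapped_ifc) mapped_ip real_ip`. The inside and dmz subnets are the ones given in the thread; the outside subnet is a constructed placeholder, and the check assumes the mapped address is meant to come from the mapped interface's connected subnet, as it is here.

```python
import ipaddress
import re

# inside and dmz subnets are from the thread; the outside subnet is a
# constructed placeholder (documentation range), not from the thread.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}

STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?\s*$"
)

def check_static(line, interfaces=INTERFACES, in_use=()):
    """Return a list of problems found in one PIX `static` line.

    Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
    in_use: addresses already allocated on the mapped interface's LAN.
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a parsable static statement"]
    real_if, mapped_if, mapped_ip, real_ip, _mask = m.groups()
    problems = [f"unknown interface {n}" for n in (real_if, mapped_if)
                if n not in interfaces]
    if problems:
        return problems
    mapped = ipaddress.ip_address(mapped_ip)
    real = ipaddress.ip_address(real_ip)
    # The real host must live behind the first interface in the pair.
    if real not in interfaces[real_if]:
        problems.append(f"real address {real} is not on {real_if}")
    # Assumption: the mapped address is taken from the second interface's subnet.
    if mapped not in interfaces[mapped_if]:
        problems.append(f"mapped address {mapped} is not on {mapped_if}")
    # The mapped address must not belong to a device on that LAN.
    if mapped in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"mapped address {mapped} is already allocated on {mapped_if}")
    return problems

if __name__ == "__main__":
    for cfg in ("static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255",
                "static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255"):
        print(cfg, "->", check_static(cfg) or "ok")
```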