NAT DMZ question

Oct 30th, 2008

I have a question about NATing I do not fully understand.

Normally when I think of NATing an IP Address, I think in terms of the outside interface and public address subnet. If I have a server on the inside network and an available public address in my subnet, I can NAT that server to the available address. The users accessing the NATed address are routed to the outside interface and then hit the NATed address which is translated to an inside or DMZ address.

So it is as if a device not on the outside interface of the firewall is routed to hit the interface, which has a NATed address from the public subnet on it.


Suppose I have an inside interface:

a DMZ interface

with a server

Now, if I have a host that I want to allow access to the DMZ server, and I NAT the inside host to the DMZ:

static (inside,DMZ) netmask

If the DMZ server initiates traffic to the inside host, it is as if both of those devices are on the same interface.

So the DMZ server hits the NATed address, which it sees on the same interface.

Does it work like a secondary interface on a router, that anything on the network gets automatically routed to the host?

Jon Marshall Thu, 10/30/2008 - 18:00

This is a quirk of Cisco firewalls and NAT. On most other firewalls you only need to NAT when you are actually changing the IP address, whereas with Cisco (unless you turn off NAT) even if you want to present the same inside address to the outside you still need a NAT statement for it. I haven't seen this behaviour on any other firewalls, but I don't claim to have worked on all different types of firewalls.

The DMZ server does not see on the same interface. The DMZ server merely works out that is on a different subnet than it is on and therefore sends it to its default gateway, which should be the DMZ interface on the PIX. The PIX then knows where to send it. But the server has no knowledge of this.
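A worked PIX/ASA 7.x (pre-8.3 NAT syntax) configuration for the scenario in the question, added here as an illustration and not posted by anyone in the thread; the interface names, security levels, port and all addresses are constructed placeholders:

```cisco
! Added example, not from the original thread. Constructed placeholder values:
!   inside host  10.1.1.5      on interface "inside" (security-level 100)
!   DMZ server   192.168.10.20 on interface "DMZ"    (security-level 50)
! The DMZ server's default gateway is the PIX DMZ interface, 192.168.10.1.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Identity NAT: present the inside host to the DMZ under its own address.
! This is the "static (inside,DMZ) ... netmask" line from the question.
! With nat-control on and no matching static, DMZ->10.1.1.5 packets are
! dropped and logged as syslog 305005 ("No translation group found").
static (inside,DMZ) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
!
! The static only creates the translation. DMZ is a lower security level
! than inside, so DMZ-initiated sessions are denied until an ACL permits
! them. Permit only the DMZ server, only to the one inside host, only on
! the port actually needed (1433 is a placeholder), and log the rest.
access-list DMZ_IN extended permit tcp host 192.168.10.20 host 10.1.1.5 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface DMZ
!
! Verification once the DMZ server opens a session:
!   show xlate | include 10.1.1.5
!   show conn  | include 192.168.10.20
```

Inside-initiated traffic to the DMZ server uses the same static and needs no ACL, because inside is the higher security level.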


wilson_1234_2 Thu, 10/30/2008 - 19:29

Thanks jon.

I appreciate it.

Check out my update to the "office politics" post.

