Access DMZ ffom Inside

Unanswered Question
Dec 10th, 2008
User Badges:


I've got a web server in the DMZ (single IP address). I somehow managed to get the users from the inside interface to access the web server in the DMZ but sometimes its takes about 20 to 30 seconds to show up which is way too long. Is this to do with my DNS settings or with the PIX settings? Which of the two settings below should I use for the pix?

DMZ Subnet: /

DMZ web server:

Inside Subnet: /

static (inside,dmz) netmask

acl dmz permit tcp eq 80

access-group dmz in interface dmz

or no nat?

access-list nonat extended permit ip

nat (inside) 0 access-list nonat

Or should I create and ip pool?

If it's none of the above, could you please give me a suggestion of what to do (what config I should enter)?

Thanks. Appreciate it.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Wed, 12/10/2008 - 10:39
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


You do not need the access-list

acl dmz permit tcp eq 80

access-group dmz in interface dmz

because the firewall is stateful so if the connection is initiated from the inside to the DMZ the return traffic will be allowed. So remove the access-list.

Static or nonat shouldn't make much differenc.

Are youi accessing the web server on the URL or by IP address. If URL how is that being resolved ?


mahirv8680 Thu, 12/11/2008 - 04:26
User Badges:

I'm accessing the web server in DMZ through URL. I've got DNS server on the inside and on the webserver in DMZ I also installed own DNS. I've entered records for web server on inside DNS to resolve name. Something else I should do?


This Discussion