static NAT device across DMZs

Feb 2nd, 2009

I have a new DMZ that we created for a CSS to act as a DNS server.

The CSS will need to access several other DMZs for the services to check different servers.

All of the existing DMZs are of a higher security level than that of the new DMZ.

My question is regarding the NATing across the DMZs.

Is there a rule of thumb regarding security levels when creating the NATs?

For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:

New_DMZ device =

interface security level = 5

DMZ1 (server1) (server2)


security level = 10

DMZ2 (server1) (server2)


security level = 11

Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around?

For example:

static (New_DMZ,Dmz1) netmask

static (New_DMZ,Dmz2) netmask

celiocarreto Tue, 02/03/2009 - 00:33


To communicate between DMZs you don't need any NAT. If you apply an adequate ACL, they can communicate with each other.

Regards, Celio

