static NAT device across DMZs

wilson_1234_2
Level 3

I have a new DMZ that we created for a CSS to act as a DNS server.

The CSS will need to access several other DMZs for the services to check different servers.

All of the existing DMZs are of a higher security level than that of the new DMZ.

My question is regarding the NATing across the DMZs.

Is there a rule of thumb regarding security levels when creating the NATs?

For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:

New_DMZ device = 192.168.8.2, interface security level = 5

DMZ1: 192.168.9.5 (server1), 192.168.9.10 (server2); interface 192.168.9.1, security level = 10

DMZ2: 192.168.10.5 (server1), 192.168.10.10 (server2); interface 192.168.10.1, security level = 11

Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around?

For example:

static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255

static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255

1 Reply

celiocarreto
Level 1

Hi,

To communicate between DMZs you don't need any NAT. If you apply an adequate ACL they can communicate with each other.

Regards, Celio
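The configuration below is an added example, not from either poster, of what "an adequate ACL" between these DMZs looks like. It assumes PIX/ASA pre-8.3 syntax (the same `static (real_ifc,mapped_ifc)` form the question uses), that the interfaces are named New_DMZ, DMZ1 and DMZ2, and that the CSS keepalives are HTTP polls to the four servers; the ACL name and the port are assumptions to adjust to the real keepalive type. The identity statics are only required when `nat-control` is enabled (PIX 6.x behaviour, or ASA with `nat-control` configured), which is the case where "no NAT" still needs an identity rule for low-to-high traffic; with `nat-control` disabled they are harmless. The direction matters: the first interface in `static (a,b)` is where the host really lives, so for a host on the lower-security New_DMZ the statics are written with New_DMZ first, as in the question.

```text
! Added example; assumes PIX/ASA pre-8.3 syntax and the nameifs New_DMZ, DMZ1, DMZ2.
! Identity statics for the CSS (real interface first, then the interface it is reached
! from). Only needed with nat-control enabled; one per higher-security peer interface.
static (New_DMZ,DMZ1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255
static (New_DMZ,DMZ2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255
!
! Low-to-high traffic is denied by default. Permit only the CSS, only to the servers it
! polls, only on the keepalive port (HTTP assumed here).
access-list NEW_DMZ_IN extended permit tcp host 192.168.8.2 host 192.168.9.5 eq www
access-list NEW_DMZ_IN extended permit tcp host 192.168.8.2 host 192.168.9.10 eq www
access-list NEW_DMZ_IN extended permit tcp host 192.168.8.2 host 192.168.10.5 eq www
access-list NEW_DMZ_IN extended permit tcp host 192.168.8.2 host 192.168.10.10 eq www
!
! Caveat: applying an inbound ACL replaces the interface's implicit security-level rule,
! so anything else the CSS must reach through this firewall (for example upstream DNS
! resolvers on a lower-security outside interface) must be permitted here explicitly.
access-list NEW_DMZ_IN extended deny ip any any log
access-group NEW_DMZ_IN in interface New_DMZ
```

The explicit `deny ip any any log` at the end is there so that unexpected traffic from the new DMZ shows up in the log rather than vanishing silently. On ASA 7.2 and later the rule set can be checked without generating real traffic with `packet-tracer input New_DMZ tcp 192.168.8.2 1025 192.168.9.5 80`, which reports whether the NAT lookup and the ACL both allow the flow; on older PIX code, `show xlate` after a keepalive confirms that the identity translation was built.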
