Inside to Outside connection

Oct 16th, 2009

We have the following zones on our firewall:




The inside contains a wireless 'guest' network (10.7.20.x/24). If I want to connect to a device in the DMZ ( USING the mapped outside address, how would I do it?

I can always connect to it using the real address, but cannot connect using the outside address. Is it possible from the inside to do this?

acomiskey Fri, 10/16/2009 - 10:49

Yes, it's possible, but you will lose the ability to connect to it with the real address.

static (DMZ,inside) netmask

oneirishpollack Fri, 10/16/2009 - 11:15

Sorry, I posted a reply before I viewed your post - and you are dead on.

So help me figure this out. We have a "guest" network (inside address) that uses external DNS. If I use DNS Rewrite, the "guest" network can connect to the device in the DMZ, because the DNS answer is rewritten with the internal address. I cannot, however, connect to the outside address of the device in the DMZ from the inside.

If I add the static entry static: (DMZ,inside) netmask , I can no longer connect to the inside address directly, but it does translate it and I can use the outside address.

Is there a way that would allow me to use either address (real and mapped) from the inside and connect?

oneirishpollack Fri, 10/16/2009 - 11:07

Alright, I added the following entry:

static (DMZ,inside) netmask

And now I can connect to the address from the inside. However, my inside clients can no longer connect to the DMZ device directly using its local address. How do I get the best of both worlds?

Herbert Baerten (Cisco Employee) Fri, 10/16/2009 - 13:35

Use policy NAT:

access-list foo permit ip host

static (dmz,inside) access-list foo

This way, will be able to reach but not

All other hosts on the inside will be able to reach but not
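
The trade-off discussed in this thread, written out as an added example (not taken from any of the posts above) in the pre-8.3 `static` syntax the thread uses. The interface names and the ACL name `foo` follow the posts; the server's real address 192.0.2.10, its mapped address 198.51.100.10, the test client 10.7.20.50 and the choice to match the whole guest subnet in the ACL are assumptions made for illustration.

```cisco
! Constructed placeholders (not from the thread):
!   192.0.2.10    = real address of the DMZ server
!   198.51.100.10 = mapped (outside) address of the DMZ server
!   10.7.20.0/24  = guest network on the inside (subnet from the question)
!   10.7.20.50    = a guest client used for the checks below

! Option A: plain static NAT between DMZ and inside.
! Every inside host sees the server as 198.51.100.10. As reported in the
! thread, the real address 192.0.2.10 then stops working from the inside.
static (DMZ,inside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255

! Option B: policy NAT. Use it instead of Option A, not together with it.
! ACL source      = the server's real address
! ACL destination = the inside clients that should see the mapped address
access-list foo permit ip host 192.0.2.10 10.7.20.0 255.255.255.0
static (DMZ,inside) 198.51.100.10 access-list foo

! Checks after applying Option B (exec mode, not configuration mode).
! Per the thread, clients matched by the ACL reach the mapped address but not
! the real one; all other inside hosts reach the real address only.
show xlate
packet-tracer input inside tcp 10.7.20.50 1025 198.51.100.10 80
packet-tracer input inside tcp 10.7.20.50 1025 192.0.2.10 80
```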

