Inside to Outside connection

Unanswered Question
Oct 16th, 2009

We have the following zones on our firewall:

  • Inside
  • Outside
  • DMZ

The inside contains a wireless 'guest' network (10.7.20.x/24). If I want to connect to a device in the DMZ (10.7.30.24) USING the mapped outside address 171.145.23.32, how would I do it?


I can always connect to it using the real address, but cannot connect using the outside address. Is it possible from the inside to do this?



acomiskey Fri, 10/16/2009 - 10:49

Yes it's possible but you will lose the ability to connect to it with the real address.


static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

oneirishpollack Fri, 10/16/2009 - 11:15
Sorry, I posted a reply before I viewed your post - and you are dead on.


So help me figure this out. We have a "guest" network (inside address) that uses external DNS. If I use DNS Rewrite, the "guest" network can connect to the device in the DMZ, because the DNS answer is re-written with the internal address. I cannot however connect to the outside address of the device in the DMZ from the inside.


If I add the static entry static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255, I can no longer connect to the inside address directly, but it does translate it and I can use the outside address.


Is there a way that would allow me to use either address (real and mapped) from the inside and connect?

oneirishpollack Fri, 10/16/2009 - 11:07
Alright I added the following entry:


static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255


And now I can connect to the address from the inside. However, my inside clients can no longer connect to the DMZ device directly using its local address. How do I get the best of both worlds?

Herbert Baerten Fri, 10/16/2009 - 13:35
User Badges:
  • Cisco Employee,

Use policy NAT:


access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0


static (dmz,inside) 171.145.23.32 access-list foo


This way, 10.7.20.0/24 will be able to reach 171.145.23.32 but not 10.7.30.24


All other hosts on the inside will be able to reach 10.7.30.24 but not 171.145.23.32.

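A worked configuration, added here as an editorial example and not anything posted in the thread, that puts the two answers above together in pre-8.3 ASA syntax: the outside static the guest network's DNS rewrite already relies on (assumed to exist, with the dns keyword), the plain DMZ-to-inside static from the first answer shown only as the thing to avoid, the policy static Herbert describes for the guest subnet, and the commands a practitioner would use to check which translation a given inside host actually hits. The ACL name GUEST_TO_DMZ and the client addresses 10.7.20.50 and 10.7.1.50 are assumptions, not from the thread.

```text
! --- Existing rule (assumed): publish the DMZ host on the outside.
! The "dns" keyword is what lets the ASA rewrite the A record for
! 171.145.23.32 to 10.7.30.24 in DNS replies, which is the behaviour the
! original poster already sees on the guest network.
static (dmz,outside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255 dns

! --- What NOT to do: a plain static from DMZ to inside.
! It hides 10.7.30.24 behind 171.145.23.32 for every inside host, so
! nobody on the inside can use the real address any more. Shown for
! comparison only; do not configure it alongside the policy static.
! static (dmz,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

! --- Policy static (Herbert's answer). The ACL is written from the
! real (DMZ) side: source = real DMZ host, destination = the inside
! hosts that should see the mapped address. Only the guest /24 matches,
! so every other inside subnet keeps reaching 10.7.30.24 directly.
access-list GUEST_TO_DMZ extended permit ip host 10.7.30.24 10.7.20.0 255.255.255.0
static (dmz,inside) 171.145.23.32 access-list GUEST_TO_DMZ

! Existing translations are not rebuilt when a static changes, so the
! new rule is only used by connections set up after:
clear xlate

! --- Verification. The first two traces should each show a NAT phase
! that names the rule above (or none, for the non-guest host) and end
! in "Action: allow". The third, a guest client going to the real
! address, is expected to be dropped: that is the trade-off Herbert
! describes, guests get the mapped address and only the mapped address.
packet-tracer input inside tcp 10.7.20.50 12345 171.145.23.32 80
packet-tracer input inside tcp 10.7.1.50 12345 10.7.30.24 80
packet-tracer input inside tcp 10.7.20.50 12345 10.7.30.24 80

! After a real connection from a guest client, confirm the translation
! that was built maps 10.7.30.24 to 171.145.23.32 towards inside only.
show xlate
```

Two checks before trusting the traces: if nat-control is enabled, the inside subnets need their own NAT rule (identity or dynamic) towards the DMZ or packet-tracer will report a NAT drop before any of the rules above are consulted, and the interface ACL on inside, if there is one, must permit traffic to both the real and the mapped address. Nothing here touches the outside-facing static, so external clients keep reaching 171.145.23.32 exactly as before. On ASA 8.3 and later the same split is expressed as a twice NAT rule with source and destination objects; the syntax above is the pre-8.3 form the thread uses.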

