Inside to Outside connection

oneirishpollack
Level 1

We have the following zones on our firewall:

Inside

Outside

DMZ

The inside contains a wireless 'guest' network (10.7.20.x/24). If I want to connect to a device in the DMZ (10.7.30.24) USING the mapped outside address 171.145.23.32, how would I do it?

I can always connect to it using the real address, but cannot connect using the outside address. Is it possible to do this from the inside?

4 Replies

acomiskey
Level 10

Yes, it's possible, but you will lose the ability to connect to it with the real address.

static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

Sorry, I posted a reply before I viewed your post - and you are dead on.

So help me figure this out. We have a "guest" network (inside address) that uses external DNS. If I use DNS Rewrite, the "guest" network can connect to the device in the DMZ, because the DNS answer is re-written with the internal address. I cannot however connect to the outside address of the device in the DMZ from the inside.

If I add the static entry static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255, I can no longer connect to the inside address directly, but it does translate it and I can use the outside address.

Is there a way that would allow me to use either address (real and mapped) from the inside and connect?

oneirishpollack
Level 1

Alright I added the following entry:

static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

And now I can connect to the address from the inside. However, my inside clients can no longer connect to the DMZ device directly using its local address. How do I get the best of both worlds?

Use policy NAT:

access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0

static (dmz,inside) 171.145.23.32 access-list foo

This way, 10.7.20.0/24 will be able to reach 171.145.23.32 but not 10.7.30.24.

All other hosts on the inside will be able to reach 10.7.30.24 but not 171.145.23.32.
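To make the trade-off in the two answers concrete, here is an added Python model (not from the thread or from Cisco) that parses the plain static and the policy static above and answers, for a given inside host, which of the two addresses reaches the DMZ server. It assumes pre-8.3 ASA syntax, that the ACL has the form "permit ip host <real> <net> <mask>", and that the only traffic of interest is inside-to-DMZ; the addresses are the ones from the posts.

```python
"""Model of which DMZ address an inside host can use under each static.
Constructed example: encodes the behaviour described in the thread, not ASA code."""
from ipaddress import ip_address, ip_network

REAL = ip_address("10.7.30.24")        # real DMZ address from the question
MAPPED = ip_address("171.145.23.32")   # mapped outside address from the question

# Constructed copies of the config lines posted in the replies.
PLAIN_STATIC = "static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255"
ACL_LINE = "access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0"
POLICY_STATIC = "static (dmz,inside) 171.145.23.32 access-list foo"


def parse_static(static_line, acl_lines=()):
    """Return (real_host, mapped_addr, inside_scope) for a static toward 'inside'.

    A plain static applies to every inside host (scope 0.0.0.0/0). A policy static
    takes its scope from the ACL, which is written from the real (DMZ) side:
    'host <real>' is the server, '<net> <mask>' is the set of inside hosts."""
    s = static_line.split()
    assert s[0] == "static", static_line
    mapped = ip_address(s[2])
    if s[3] != "access-list":
        return ip_address(s[3]), mapped, ip_network("0.0.0.0/0")
    acl = next(line.split() for line in acl_lines if line.split()[1] == s[4])
    assert acl[2:5] == ["permit", "ip", "host"], "only 'permit ip host <real> <net> <mask>' is modelled"
    return ip_address(acl[5]), mapped, ip_network(f"{acl[6]}/{acl[7]}")  # mask form is accepted


def inside_can_reach(rule, inside_host, dest):
    """Does a connection from inside_host to dest reach the DMZ server?

    rule is None (no static toward inside) or a tuple from parse_static. Hosts
    covered by the static see only the mapped address (the real one is hidden,
    as the thread observed); every other inside host sees only the real address."""
    inside_host, dest = ip_address(inside_host), ip_address(dest)
    if rule is None:
        return dest == REAL
    real, mapped, scope = rule
    return dest == (mapped if inside_host in scope else real)


if __name__ == "__main__":
    configs = [("no static", None), ("plain static", parse_static(PLAIN_STATIC)),
               ("policy static", parse_static(POLICY_STATIC, [ACL_LINE]))]
    for label, rule in configs:
        for host in ("10.7.20.5", "10.7.10.5"):   # guest host, other inside host
            for dest in (REAL, MAPPED):
                state = "ok" if inside_can_reach(rule, host, dest) else "blocked"
                print(f"{label:14} {host:>10} -> {dest}: {state}")
```

Running it prints the matrix: with the policy static, 10.7.20.5 reaches only 171.145.23.32 while 10.7.10.5 reaches only 10.7.30.24, which is exactly the split the last reply describes.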
