10-16-2009 10:40 AM - edited 03-11-2019 09:26 AM
We have the following zones on our firewall:
Inside
Outside
DMZ
The inside contains a wireless 'guest' network (10.7.20.x/24). If I want to connect to a device in the DMZ (10.7.30.24) USING the mapped outside address 171.145.23.32, how would I do it?
I can always connect to it using the real address, but cannot connect using the outside address. Is it possible to do this from the inside?
10-16-2009 10:49 AM
Yes, it's possible, but you will lose the ability to connect to it with the real address.
static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255
10-16-2009 11:15 AM
Sorry, I posted a reply before I viewed your post - and you are dead on.
So help me figure this out. We have a "guest" network (inside address) that uses external DNS. If I use DNS Rewrite, the "guest" network can connect to the device in the DMZ, because the DNS answer is rewritten with the internal address. I cannot, however, connect to the outside address of the device in the DMZ from the inside.
If I add the static entry static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255, I can no longer connect to the inside address directly, but it does translate it and I can use the outside address.
Is there a way that would allow me to use either address (real and mapped) from the inside and connect?
10-16-2009 11:07 AM
Alright I added the following entry:
static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255
And now I can connect to the address from the inside. However, my inside clients can no longer connect to the DMZ device directly using its local address. How do I get the best of both worlds?
10-16-2009 01:35 PM
Use policy NAT:
access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0
static (dmz,inside) 171.145.23.32 access-list foo
This way, 10.7.20.0/24 will be able to reach 171.145.23.32 but not 10.7.30.24.
All other hosts on the inside will be able to reach 10.7.30.24 but not 171.145.23.32.
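A way to check the behaviour described in the policy NAT answer above, added here as an example and not posted by anyone in the thread. It assumes software that has the packet-tracer command; the client addresses 10.7.20.10 (a guest) and 10.7.10.10 (some other inside host) and TCP port 80 are constructed test values.

```cisco
! Added example. Constructed test values, not from the thread:
!   10.7.20.10 = guest client, 10.7.10.10 = another inside host, TCP/80
! Remove the plain static that was added earlier in the thread
no static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255
! Policy static from the answer
access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0
static (dmz,inside) 171.145.23.32 access-list foo
! Flush translations that were built under the old rule
clear xlate

! Confirm what is configured and whether the ACL is taking hits
show running-config static
show access-list foo
show xlate

! Guest -> mapped address (per the answer: reaches 10.7.30.24)
packet-tracer input inside tcp 10.7.20.10 1025 171.145.23.32 80 detailed
! Guest -> real address (per the answer: not reachable)
packet-tracer input inside tcp 10.7.20.10 1025 10.7.30.24 80 detailed
! Other inside host -> real address (per the answer: reachable)
packet-tracer input inside tcp 10.7.10.10 1025 10.7.30.24 80 detailed
! Other inside host -> mapped address (per the answer: not reachable)
packet-tracer input inside tcp 10.7.10.10 1025 171.145.23.32 80 detailed
```

packet-tracer also evaluates interface access lists, so read which phase reports a drop before attributing it to NAT.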