PIX 515E V 8.0 (3) DMZ question



A company is switching ISPs, so the PIX515E IP needs to be changed. I found that the DMZ interface is using a public IP and a web server is using a public IP as well. Please see the configuration below:


name 206.x.x.211 DMZ-WEB

interface ethernet0
 nameif outside
 security-level 0
 ip address 206.x.x.194
 ospf cost 10

interface ethernet2
 speed 100
 nameif DMZ
 security-level 4
 ip address 206.x.x.209
 ospf cost 10

static (DMZ,outside) DMZ-WEB DMZ-WEB netmask


I found the web server is using IP 206.x.x.211 as its IP.

My questions are:

1. Is this a normal configuration?

2. NAT translates the address to itself; is it a good idea?


Collin Clark Wed, 10/28/2009 - 11:53

You see this often. I personally prefer to use a private address space, but using the public is OK. The ACL is more important than the NAT.

Panos Kampanakis Wed, 10/28/2009 - 12:13

Even though it is not very common, it is not wrong.

Usually people use local IP addresses in their DMZ and translate them to global ones when going to the outside. That is usually because they don't have enough global IP addresses for their inside.

In your case, as long as you have the IPs available I don't see a reason why you should not do identity NAT and use the global IP addresses on the inside.

I hope it helps.


Thank you for the help.

The current configuration is using two blocks of /28 IP, one for outside, one for the DMZ and one web server.

We'll switch to a new ISP and only one block of global IPs can be used. So we'll use a private IP for the DMZ interface and will modify the "static" and "name" statements to do a real NAT. Are there any other command lines that need to be changed as well?



Amadou TOURE Wed, 10/28/2009 - 18:33


You would also need to change your outside ACL to authorize incoming traffic on the related servers' ports to the new NAT global IP address(es).



You're right. But I found that there are some ACLs like:

access-list outside_access_in extended permit tcp any host DMZ-WEB eq www

Because the host is using a defined name "DMZ_WEB", after the name definition is changed I don't have to change this ACL, right?

I may need to add some lines to permit inside users to access the web site or server, right?

The current configuration was done by ASDM, some places are hard to read. If I change it using CLI, can the change be seen in the ASDM screen?

I'm not an expert on PIX, so please advise!

I really appreciate it
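
Added example (not part of the thread and not Cisco code): a small Python check for the ACL question raised in the last two posts. On PIX 8.0 the outside ACL is matched against the translated (global) address, so an entry whose `host` name resolves to the private side of a `static` no longer matches inbound traffic. The addresses, the `DMZ-WEB-GLOBAL` name and the function name are assumptions made for the example.

```python
import re

# Constructed post-migration config: 198.51.100.0/28 stands in for the new
# ISP block and 192.168.50.0/24 for the private DMZ (both are assumptions).
SAMPLE = """\
name 198.51.100.11 DMZ-WEB-GLOBAL
name 192.168.50.11 DMZ-WEB
static (DMZ,outside) DMZ-WEB-GLOBAL DMZ-WEB netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host DMZ-WEB eq www
access-list outside_access_in extended permit tcp any host DMZ-WEB-GLOBAL eq https
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+\S+\s+any\s+host\s+(\S+)")


def check_outside_acl(config, acl="outside_access_in"):
    """Return (line, reason) for ACL entries that do not hit a mapped address."""
    names, statics, entries = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)            # NAME -> IP
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))  # (mapped, real)
        elif (m := ACL_RE.match(line)) and m.group(1) == acl:
            entries.append((line, m.group(2)))
    resolve = lambda tok: names.get(tok, tok)         # names may be defined anywhere
    mapped = {resolve(g) for g, _ in statics}
    real = {resolve(r) for _, r in statics}
    findings = []
    for line, host in entries:
        ip = resolve(host)
        if ip in mapped:
            continue  # the address outside clients actually connect to
        reason = ("destination is the real (pre-NAT) address of a static"
                  if ip in real else "destination has no static translation")
        findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in check_outside_acl(SAMPLE):
        print(f"{reason}: {line}")
```

With an identity static, as in the original configuration, the mapped and real addresses are the same and the check reports nothing.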


