PIX w/multiple DMZ

Unanswered Question
Feb 26th, 2004

I'm a little confused with most of the documentation I found on the Cisco website. In some documentation, they show if you are going from inside to dmz, then use

static (inside,dmz) 172.18.1.0 172.18.1.0 netmask 255.255.255.0

In other docs, use nat (inside) 0.

Which one lends itself to a better overall configuration if you have requirements for multiple DMZ areas with security requirements for each?


peangvall Thu, 02/26/2004 - 11:50

If you put in something like nat (inside) 0 192.168.1.0 255.255.255.0, then those addresses will never be NAT'd, even if they go outside, since you can't tie a nat 0 to a global 0. So that's not a good idea. You could do a nat (inside) 0 access-list NONAT to specify the source and dest, but that is kind of messy. That said, if you need to access a higher int (inside) from a lower int (dmz), then you have to use statics, as nats are only for outbound.


As a general rule, if I have inside hosts that need to get to the dmz, I just static the whole inside block just like you did in your question. It is cleaner and easier to understand and there are no security issues. Then if you need to add an acl entry back to the inside, the static is already there.
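The layout peangvall describes, written out as an added example configuration (PIX 6.x syntax, not the poster's own config): the interface names, security levels and the 172.18.1.0/24, 192.168.10.0/24 and 192.168.20.0/24 addresses are assumptions.

```text
! Added example, assumed addressing: inside 172.18.1.0/24,
! dmz1 192.168.10.0/24, dmz2 192.168.20.0/24.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40

ip address inside 172.18.1.1 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0

! Outbound to the Internet: ordinary PAT on the outside address.
! (A plain "nat (inside) 0 172.18.1.0 255.255.255.0" here would instead
! exempt the block from translation on every lower interface, outside included.)
nat (inside) 1 172.18.1.0 255.255.255.0
nat (dmz1) 1 192.168.10.0 255.255.255.0
nat (dmz2) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface

! Inside -> each DMZ: one identity static per DMZ. The inside block keeps
! its real addresses on the DMZ side, and these same statics are what an
! ACL entry from a DMZ back to inside needs later.
static (inside,dmz1) 172.18.1.0 172.18.1.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 172.18.1.0 172.18.1.0 netmask 255.255.255.0 0 0

! No static between dmz1 and dmz2, so the DMZs have no translation
! towards each other; the ACLs below also deny it explicitly.

! dmz1: allow only the one flow needed back to inside (a web server
! reaching a database), deny the rest of inside and dmz2, allow Internet.
access-list dmz1_in permit tcp host 192.168.10.5 host 172.18.1.20 eq 1433
access-list dmz1_in deny ip any 172.18.1.0 255.255.255.0
access-list dmz1_in deny ip any 192.168.20.0 255.255.255.0
access-list dmz1_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz1_in in interface dmz1

! dmz2: Internet only, nothing towards inside or dmz1.
access-list dmz2_in deny ip any 172.18.1.0 255.255.255.0
access-list dmz2_in deny ip any 192.168.10.0 255.255.255.0
access-list dmz2_in permit ip 192.168.20.0 255.255.255.0 any
access-group dmz2_in in interface dmz2
```

Each DMZ gets its own static and its own inbound ACL, so adding a further DMZ means adding one static and one ACL without touching the others.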
