Yes, this is the most common you can use. It works between higher security to lower security level subnet natting/mapping, i.e inside-outside, or dmz-outside.
The - static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 - command allows your inside and dmz segment to access each other via their original IP. DMZ can access inside servers via inside server's original IP of 10.0.0.xx, while inside can access DMZ original IP of 10.1.0.xx. Use ACL on both end to control which hosts can access across and vice-versa.
Apart from the above subnet mapping, you can also use the following method to map inside servers with DMZ IP address, as follow:
This will allow your DMZ hosts (10.1.0.27 & 10.1.0.31) to access the Inside server using DMZ's NATted IP of 10.1.0.100 instead of Inside server original IP of 10.0.0.52 (opposite to the above static command). Logically, this make inside server like sitting in DMZ segment as well.
To allow Inside host 10.0.0.52 access both DMZ servers (10.1.0.27 & 10.1.0.31), just define nat (inside)/global (dmz) pair with ACL to control the access:
nat (inside) 3 10.0.0.52
global (dmz) 3 10.1.0.101
access-list inside permit ip host 10.0.0.52 host 10.1.0.27
access-list inside permit ip host 10.0.0.52 host 10.1.0.31
access-list inside deny ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside permit ip 10.0.0.0 255.255.255.0 any
access-group inside in interface inside
The above will allow only 10.0.0.52 to access dmz's 10.1.0.27 & 10.1.0.31
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...