Accessing Perimeter NAT IP from Inside host

I don't know if this is possible, would appreciate any insight.

I have a host on my perimeter interface (DMZ) NATted to the outside with a public IP address. I want to access this host on the DMZ using its NATted public IP address (on the outside interface). So far I have had no success.

Thanks in advance.

Jon


Re: Accessing Perimeter NAT IP from Inside host

Jon,

Are you trying to access the DMZ host using the outside IP from the inside?

Re: Accessing Perimeter NAT IP from Inside host

Yes, I'm trying to access the DMZ host via its NATted IP on the outside (public IP).

Re: Accessing Perimeter NAT IP from Inside host

I stand corrected - but as far as I am aware this is not possible.

Going from the inside - to the outside, back into the outside into the DMZ. From the DMZ to the outside, back into the outside into the inside.....does this cover it?

I just cannot see how that is possible - or even why you would want to do it?

Re: Accessing Perimeter NAT IP from Inside host

However, the above had piqued my interest - I have just been in the lab and found a way to do it:-

static (dmz,inside) xx.xx.xx.xx ii.ii.ii.ii netmask 255.255.255.255

Where xx.xx.xx.xx is the EXTERNAL address and ii.ii.ii.ii is the address on the DMZ

HTH.

Re: Accessing Perimeter NAT IP from Inside host

Hi Andrew,

Glad that you went out of your way to test this in your lab.

One question though, doesn't the syntax for static go this way:

Static (high_security_int,low_security_int) low_ip high_ip netmask 255.255.255.255 ???

Where INSIDE is always the highest security interface, etc. So just wondering if the command syntax is right.

Will have to test this as well.

Re: Accessing Perimeter NAT IP from Inside host

NP - it got me thinking, could not let it go, had to test it ;o)

Good question - sadly no, the PIX/ASA does not use that logic, the syntax is correct:-

static (dmz,inside) x.x.x.x y.y.y.y netmask 255.255.255.0

x.x.x.x - external IP

y.y.y.y - dmz ip

Re: Accessing Perimeter NAT IP from Inside host

It does work! Thanks so much! I'm rating your response.

Re: Accessing Perimeter NAT IP from Inside host

Excellent - no problem - thanks very much.
