
New Member

inside and DMZ

Hi, all

I have some questions regarding the communication between inside and DMZ. Cisco configuration example, the link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

According to this document:

DMZ IP: 192.168.1.0/24

inside IP: 172.20.1.1/24

The example configures communication from DMZ to inside by using static NAT:

static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255

Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?

Not in this example but another: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

When configuring communication from inside to DMZ by using real IP addresses:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

What is the reason for using the real IP? Just ease? Does this give less security than using PAT?

Thanks

Shawn

3 REPLIES
Silver

Re: inside and DMZ

I think there is no mistake in this document. It might be that some users access it through the real address and some through the NATted one. So they are using the real IP.

New Member

Re: inside and DMZ

My question has two parts. The first part is that in the first example document, the DMZ IP is 192.168.1.0/24; when they use NAT they use static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255. The IP is 192.168.2.0. It is 192.168.2.20, not 192.168.1.20, a different subnet.

The second question I have is: is it best practice to use the real IP when you want to configure communication from inside to DMZ? Is using NAT more secure than the real IP?

Thanks

Shawn

Re: inside and DMZ

Hi Shawn,

"Here the IP given is 192.168.2.20. Why is it 192.168.2.20, not 192.168.1.20? Is that a mistake?"

Most likely it is a typo. Having said that, as long as routing is configured correctly, 192.168.2.20 could also be used.

"What is the reason for using the real IP? Just ease? Does this give less security than using PAT?"

The command static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 is basically providing space for 254 static NATs in one single instruction, which otherwise would have to be entered one by one. In some scenarios you need to access the REAL IP address from the DMZ segment towards the internal network, and so in that situation you would use this type of instruction. Of course you can control that access by applying appropriate ACL entries to the dmz interface.

I hope it helps.. please rate helpful posts!!!
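The last reply makes two points that are easy to check by hand: a netmask static covers a whole block of hosts in one line, and the static entry itself does not decide who may reach those hosts; the ACL on the dmz interface does. The following is an added example, not code from the thread or from Cisco: a small Python model of the pre-8.3 ASA/PIX `static (real_if,mapped_if) mapped_ip real_ip netmask mask` syntax used on this page, plus a simplified `access-list ... extended permit|deny ip SRC DST` evaluator. It parses the two commands quoted in the thread, counts the translations each one provides, and shows a DMZ host reaching an inside real address only where the dmz ACL permits it. The DMZ source addresses and the ACL lines are constructed for the example; the assumption that interface ACLs match the translated (mapped) addresses as seen on that interface follows pre-8.3 behaviour.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticNat:
    """One pre-8.3 'static' entry: hosts in `real` on real_if appear as `mapped` on mapped_if."""
    real_if: str
    mapped_if: str
    mapped: Net
    real: Net


def parse_static(line: str) -> StaticNat:
    # Syntax as used in the thread:  static (real_if,mapped_if) mapped_ip real_ip netmask mask
    tokens = line.rstrip(".").replace("(", " ").replace(")", " ").replace(",", " ").split()
    if len(tokens) != 7 or tokens[0] != "static" or tokens[5] != "netmask":
        raise ValueError(f"not a static NAT line: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip, mask = tokens[1], tokens[2], tokens[3], tokens[4], tokens[6]
    return StaticNat(real_if.lower(), mapped_if.lower(),
                     Net(f"{mapped_ip}/{mask}", strict=False),
                     Net(f"{real_ip}/{mask}", strict=False))


def usable_translations(nat: StaticNat) -> int:
    """Host-to-host translations one entry provides: 254 for a /24 (network and broadcast excluded), 1 for a /32."""
    if nat.real.prefixlen >= 31:
        return nat.real.num_addresses
    return nat.real.num_addresses - 2


def is_identity(nat: StaticNat) -> bool:
    """True when mapped and real blocks are the same, i.e. the real IPs are exposed unchanged."""
    return nat.real == nat.mapped


def mapped_for(nats, real_ip: IPv4, mapped_if: str):
    """Address a real host presents on mapped_if, or None if no static covers it (most specific entry wins)."""
    cands = [n for n in nats if n.mapped_if == mapped_if.lower() and real_ip in n.real]
    if not cands:
        return None
    n = max(cands, key=lambda c: c.real.prefixlen)
    return n.mapped.network_address + (int(real_ip) - int(n.real.network_address))


def real_for(nats, mapped_ip: IPv4, mapped_if: str):
    """Reverse lookup: the real host behind an address seen on mapped_if, or None."""
    cands = [n for n in nats if n.mapped_if == mapped_if.lower() and mapped_ip in n.mapped]
    if not cands:
        return None
    n = max(cands, key=lambda c: c.mapped.prefixlen)
    return n.real.network_address + (int(mapped_ip) - int(n.mapped.network_address))


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def _read_addr(tokens, i):
    # Address forms accepted: any | host X | NETWORK MASK
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    return Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    # Simplified form:  access-list NAME extended {permit|deny} ip SRC DST
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended" or tokens[4] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _read_addr(tokens, 5)
    dst, _ = _read_addr(tokens, i)
    return Ace(tokens[3], src, dst)


def acl_permits(acl, src: IPv4, dst: IPv4) -> bool:
    """First matching entry decides; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def dmz_to_inside(nats, acl, src: IPv4, dst_on_dmz: IPv4) -> str:
    """Outcome for a DMZ host sending to an address it sees on the dmz side of the firewall.
    The dmz interface ACL is checked against the mapped address (pre-8.3 behaviour, assumed here),
    then the static entry untranslates the destination to the real inside host."""
    if not acl_permits(acl, src, dst_on_dmz):
        return "denied by dmz ACL"
    real = real_for(nats, dst_on_dmz, "dmz")
    if real is None:
        return "no translation"
    return f"delivered to inside {real}"


if __name__ == "__main__":
    one_host = parse_static("static (inside,DMZ) 192.168.2.20 172.20.1.5 netmask 255.255.255.255")
    whole_net = parse_static("static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0.")
    for nat in (one_host, whole_net):
        print(nat, "translations:", usable_translations(nat), "identity:", is_identity(nat))
    # Constructed dmz ACL: DMZ segment 192.168.1.0/24 may reach only one inside host by its real IP.
    acl = [parse_ace("access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10"),
           parse_ace("access-list dmz_in extended deny ip any any")]
    print(dmz_to_inside([whole_net], acl, IPv4("192.168.1.50"), IPv4("10.1.1.10")))
    print(dmz_to_inside([whole_net], acl, IPv4("192.168.1.50"), IPv4("10.1.1.11")))
```

Running it shows the /32 entry giving exactly one translation (172.20.1.5 seen as 192.168.2.20 from the DMZ) and the /24 identity entry giving 254, while the second packet is stopped by the ACL even though the identity static would translate it; that is the sense in which a real-IP static is no less secure than a NATted one as long as the dmz ACL is written.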
