
New Member

Inside to Outside connection

We have the following zones on our firewall:

Inside

Outside

DMZ

The inside contains a wireless 'guest' network (10.7.20.x/24). If I want to connect to a device in the DMZ (10.7.30.24) USING the mapped outside address 171.145.23.32, how would I do it?

I can always connect to it using the real address, but cannot connect using the outside address. Is it possible from the inside to do this?

4 REPLIES
Green

Re: Inside to Outside connection

Yes it's possible but you will lose the ability to connect to it with the real address.

static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

New Member

Re: Inside to Outside connection

Sorry, I posted a reply before I viewed your post - and you are dead on.

So help me figure this out. We have a "guest" network (inside address) that uses external DNS. If I use DNS Rewrite, the "guest" network can connect to the device in the DMZ, because the DNS answer is re-written with the internal address. I cannot however connect to the outside address of the device in the DMZ from the inside.

If I add the static entry static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255, I can no longer connect to the inside address directly, but it does translate it and I can use the outside address.

Is there a way that would allow me to use either address (real and mapped) from the inside and connect?

New Member

Re: Inside to Outside connection

Alright I added the following entry:

static (DMZ,inside) 171.145.23.32 10.7.30.24 netmask 255.255.255.255

And now I can connect to the address from the inside. However, my inside clients can no longer connect to the DMZ device directly using its local address. How do I get the best of both worlds?

Cisco Employee

Re: Inside to Outside connection

Use policy NAT:

access-list foo permit ip host 10.7.30.24 10.7.20.0 255.255.255.0

static (dmz,inside) 171.145.23.32 access-list foo

This way, 10.7.20.0/24 will be able to reach 171.145.23.32 but not 10.7.30.24.

All other hosts on the inside will be able to reach 10.7.30.24 but not 171.145.23.32.
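The following is an added example, not part of the thread or of any Cisco documentation: a small Python model of the reachability the two replies describe, contrasting the plain static (every inside host sees only the mapped address) with the policy static (only the guest subnet named in the access-list sees the mapped address, everyone else keeps the real one). The guest and non-guest inside hosts (10.7.20.15 and 10.7.10.5) are constructed sample values; the rest of the addresses come from the thread. The model is first-match and encodes only the behaviour the replies state, so it is a way to reason about the rules, not a reimplementation of the firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    """One 'static (dmz,inside) <mapped> <real>' entry.

    policy_net is the destination network from the access-list line
    ('permit ip host <real> <net> <mask>'): only inside hosts in that
    network are translated. None models a plain (non-policy) static.
    """
    mapped: str
    real: str
    policy_net: Optional[str] = None

    def applies_to(self, inside_src: str) -> bool:
        # A plain static applies to every inside host; a policy static
        # only to the hosts matched by its access-list.
        if self.policy_net is None:
            return True
        return ip_address(inside_src) in ip_network(self.policy_net)


def inside_to_dmz(rules, src: str, dst: str) -> Optional[str]:
    """Address an inside host actually reaches for a given destination,
    or None when the thread says the connection fails.

    Behaviour modelled from the replies:
    - a host covered by a static reaches the mapped address and is
      destination-translated to the real address;
    - that same host can no longer reach the real address directly;
    - a host not covered by the static reaches the real address but
      not the mapped one.
    """
    for rule in rules:
        if dst == rule.mapped:
            return rule.real if rule.applies_to(src) else None
        if dst == rule.real:
            return None if rule.applies_to(src) else dst
    # Destination not involved in any static: forwarded without translation.
    return dst


# Constructed scenario: the two configurations discussed in the thread.
PLAIN = [StaticNat(mapped="171.145.23.32", real="10.7.30.24")]
POLICY = [StaticNat(mapped="171.145.23.32", real="10.7.30.24",
                    policy_net="10.7.20.0/24")]

GUEST = "10.7.20.15"        # constructed: host on the guest wireless subnet
OTHER_INSIDE = "10.7.10.5"  # constructed: inside host outside the guest subnet


def reachability(rules) -> dict:
    """Table of (source, destination) -> reached address for both hosts."""
    targets = ("171.145.23.32", "10.7.30.24")
    return {(s, d): inside_to_dmz(rules, s, d)
            for s in (GUEST, OTHER_INSIDE) for d in targets}


if __name__ == "__main__":
    for name, rules in (("plain static", PLAIN), ("policy static", POLICY)):
        print(f"--- {name} ---")
        for (s, d), reached in reachability(rules).items():
            print(f"{s:>13} -> {d:<14} {reached or 'blocked'}")
```

With the plain static both inside hosts get the mapped address only; with the policy static the guest subnet gets the mapped address and every other inside host gets the real one, which is the "best of both worlds" split the employee's reply describes.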
