Cisco Support Community

Moving app servers from Inside to DMZ

I figured it out, but if you have a better solution, by all means please do.

The ISP will be changed also so the DNS record will have to change. I will configure the DMZ with the new IP range from the new ISP. Change the server IP address and the DNS record and move it to the DMZ.

I am working on a design replacing a PIX firewall with an FW module on a 6509. The current firewall is configured with inside and outside interfaces only. So, the NATing and the Static is between these 2 interfaces.

In my new design I will have a DMZ so the app servers will have to move to the DMZ and will require IP re-addressing.

What I am trying to do is to move the servers over time after replacing the PIX. I am not sure if I can configure the DMZ with the new servers' IP addresses (NAT, Static and ACL), configure the inside/outside on the FW module in the 6509 similar to the current PIX with the current NAT, Static and ACL, then as we move servers to the new DMZ the IP address will be changed.

Is it possible to have a static (DMZ, outside) public IP address to DMZ IP address and a static (inside, outside) same public IP address to inside address? Will the firewall pass the traffic to the app server on the inside prior to moving it and then to the DMZ once the server is moved and re-IPed?


Re: Moving app servers from Inside to DMZ

I haven't tried it or even thought about a case like this, so let's think about it.

Let's say your public IP is and you made a static to this IP for both the DMZ and the inside. Do you think it is reasonable to make a config like this? And how would the firewall know to which address it should forward the traffic?

So you must avoid this idea and use port forwarding instead.

Let's say you have an IP address on the inside with IP and a server on the DMZ. You want HTTP traffic to go to the inside and SMTP traffic to go to the DMZ using one public IP address:

static (inside, outside) tcp 80 80 netmask 0 0

static (dmz, outside) tcp 25 25 netmask 0 0

In this case it is going to be reasonable, and it works the same with PIX/ASA and the FWSM module.

good luck

Rate if helpful


Re: Moving app servers from Inside to DMZ

I currently don't have a DMZ. What I figured doing is:

Let's say the current server, let's call it, private address is and the public address is so my current statement is:

static (inside, outside) netmask

I will create a DMZ and use for the DMZ network. Let's say the new public addresses are I can keep the current (inside, outside) statement. Create a DMZ statement:

static (DMZ, Outside) netmask

Outside users going to at this point will still go to

When it is time to move the server, change its IP address to and change the DNS record to The user going to will now go to and the initial static statement for (inside, Outside) will do no harm. Correct?

Re: Moving app servers from Inside to DMZ

In this case you are right.

good luck

rate if helpful
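
The three cases raised in this thread (one public IP mapped from two interfaces, one public IP split by port, and separate public IPs per server) can be checked before a migration config is loaded. This is an added example, not part of any poster's reply and not Cisco code; it assumes the pre-8.3 `static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port] netmask mask` form with literal addresses and numeric ports, and every address in the sample is a constructed documentation-range value.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample (not from the thread); all addresses are documentation ranges.
SAMPLE = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.20 80 10.1.1.20 80 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.20 25 192.168.50.20 25 netmask 255.255.255.255
static (dmz,outside) 198.51.100.30 192.168.50.30 netmask 255.255.255.255
"""

HEAD = re.compile(r"static\s+\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)\s+(.+)", re.I)

def parse_statics(config):
    """Parse pre-8.3 style 'static' lines into dicts (literal IPs only)."""
    rules = []
    for line in config.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        tok = m.group(3).split()
        proto = tok.pop(0).lower() if tok[0].lower() in ("tcp", "udp") else None
        mapped_ip = tok.pop(0)
        mapped_port = tok.pop(0) if proto else None
        mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
        rules.append({
            "line": line.strip(),
            "mapped_if": m.group(2).lower(),
            "service": (proto, mapped_port) if proto else None,  # None = whole IP
            "mapped": ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False),
        })
    return rules

def find_conflicts(rules):
    """Pairs of statics that claim the same public address (and service)."""
    hits = []
    for a, b in combinations(rules, 2):
        if a["mapped_if"] != b["mapped_if"] or not a["mapped"].overlaps(b["mapped"]):
            continue
        # Whole-IP NAT collides with anything on that IP; PAT only with same proto/port.
        if a["service"] is None or b["service"] is None or a["service"] == b["service"]:
            hits.append((a["line"], b["line"]))
    return hits

if __name__ == "__main__":
    for first, second in find_conflicts(parse_statics(SAMPLE)):
        print("AMBIGUOUS:\n  " + first + "\n  " + second)
```

Only the first pair in the sample is reported: the port-split statics and the static on its own public address pass the check.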