How would I go about setting up access to a server on the DMZ from the inside, not by using "nonat" (i.e. nat 0 or a static with the same IP), but by accessing the server with an IP from the inside LAN?
Thanks in advance.
Sorry, not sure I entirely understand. What is the inside IP, what is the DMZ IP, and what do you want the inside IP address to be when it gets to the DMZ server?
If there is not an ACL already on the inside interface and if the inside interface has a higher security level than the DMZ interface, then all you will need is an address translation. Either a static or a nat statement.
Thanks guys for your interest.
The answer may be simple, maybe it's a bit too late for me.
I'll make it an example.
Inside is of higher security.
inside 192.168.1.0/24 pix: 192.168.1.1
dmz 192.168.2.0/24 pix: 192.168.2.1
dmz server 192.168.2.2
Need inside users to connect to this server (Web!) by using a local IP, e.g. 192.168.1.2, not the 192.168.2.2 IP.
static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255
You need to make sure that 192.168.1.2 is not allocated to any device on the internal LAN.
in other words you do
just as if you were allowing access to an internal server from the outside, where you would have done
static (inside,outside) etc
Is that so ?
I realise Jon meant to use dmz instead of outside.
So we agree that no matter whether the security level is from higher to lower, or lower to higher we use the same syntax for the static.
Any objections, pls advise.
Well yes and no as you'll notice that the interfaces in the static statement are reversed ie. the most common syntax for a static would be
static (inside,dmz) or
whereas what you are doing here is reversing the interface order ie.
static (dmz,inside) or
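
An added example, not part of any poster's reply: a Python check that reads a PIX host static as `static (real_if,mapped_if) mapped_ip real_ip` and tests it against the thread's addressing, covering both the interface-order point and the requirement that 192.168.1.2 is unallocated. The helper name `check_static` and the `INTERFACES` table are hypothetical, built from the example addresses given above.

```python
import ipaddress
import re

# Interface subnets from the thread's example; no outside subnet is given.
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
# PIX host static: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")

AS_POSTED = "static (outside,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255"
CORRECTED = "static (dmz,inside) 192.168.1.2 192.168.2.2 netmask 255.255.255.255"

def check_static(line, client_if, used_ips=()):
    """Hypothetical helper: list the problems that stop hosts on client_if
    from reaching the real server through this static."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a host static: %r" % line)
    real_if, mapped_if = m.group(1), m.group(2)
    mapped_ip = ipaddress.ip_address(m.group(3))
    real_ip = ipaddress.ip_address(m.group(4))
    problems = []
    # Clients must sit on the mapped (second) interface of the pair.
    if mapped_if != client_if:
        problems.append("mapped interface is %s, clients are on %s"
                        % (mapped_if, client_if))
    # The real address must live behind the real (first) interface.
    real_net = INTERFACES.get(real_if)
    if real_net is None or real_ip not in real_net:
        problems.append("real address %s is not on interface %s"
                        % (real_ip, real_if))
    # The thread wants the server reachable on an inside-LAN address.
    if mapped_ip not in INTERFACES[client_if]:
        problems.append("mapped address %s is not in the %s subnet"
                        % (mapped_ip, client_if))
    # ...and that address must not be allocated to another device.
    if mapped_ip in {ipaddress.ip_address(u) for u in used_ips}:
        problems.append("mapped address %s is already allocated" % mapped_ip)
    return problems

if __name__ == "__main__":
    for line in (AS_POSTED, CORRECTED):
        print(line, "->", check_static(line, "inside") or "ok")
```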