Cisco Support Community
Routing with WAN, LAN, and DMZ


I am trying to set up my Cisco 1721 to route traffic from a WAN to two Ethernet interfaces, where one is a DMZ and the other is a trusted LAN with NAT. I am having trouble getting the correct configuration built that allows both the DMZ and the LAN to access the internet (HTTP).


I have a Cisco 1721 with an enterprise 12.4 IOS. The router has one FastEthernet and two Ethernet ports.


Eth0 - DMZ


Fa0 - LAN

My current configuration:

The configuration is stripped down. At the moment, I'm trying to get internet (HTTP) access to the DMZ. With this configuration, the LAN has HTTP access but the DMZ doesn't. However, the DMZ can ping out and you can see it in the NAT translation table. You can find the show command after the configuration.

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ntp
no ip ips deny-action ips-interface
!
interface Ethernet0
 description DMZ
 ip address
 ip access-group 103 in
 ip nat inside
 ip inspect SDM_LOW out
 ip virtual-reassembly
!
interface Ethernet1
 description WAN$FW_OUTSIDE$
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
!
interface FastEthernet0
 description Trusted
 ip address
 ip access-group 100 in
 ip nat inside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 speed auto
!
ip classless
!
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark NAT ACL
access-list 1 permit
access-list 1 permit
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip any any

router(config-if)#do sh ip nat tra
Pro  Inside global        Inside local        Outside local        Outside global
icmp 208.xx.xx.xx:512
icmp 208.xx.xx.xx:1024

Does anyone have a suggestion on why I cannot access the web (HTTP) from the DMZ?
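For comparison with the stripped configuration above, here is a complete three-interface NAT plus CBAC layout of the kind the post is aiming for. It is an added example, not the poster's configuration and not a Cisco document: the subnets 192.168.1.0/24 (trusted) and 192.168.2.0/24 (DMZ), the host addresses and the inspection-rule name FW_OUT are all assumed. It follows the usual CBAC pattern of inspecting each flow once, inbound on the two inside interfaces, so that the sessions it records are what open temporary holes in the WAN ACL for return traffic; the posted configuration instead applies SDM_LOW outbound on all three interfaces, so an outbound web session is inspected when it leaves Ethernet1 and its replies are inspected again when they leave the inside interface. The inside ACLs also do what a DMZ is for: DMZ hosts may reach the Internet but not the trusted LAN, while the trusted LAN may reach both, and each inside ACL only accepts its own subnet as a source.

```ios
! Added example, not the poster's config. Addresses and the name FW_OUT are assumed.
! Inspect the protocols in use; "tcp" and "udp" are the generic catch-alls.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
ip inspect name FW_OUT icmp
ip inspect name FW_OUT dns
!
interface FastEthernet0
 description Trusted LAN (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect FW_OUT in
 ip virtual-reassembly
!
interface Ethernet0
 description DMZ (assumed 192.168.2.0/24)
 ip address 192.168.2.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip inspect FW_OUT in
 ip virtual-reassembly
!
interface Ethernet1
 description WAN
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
!
! One overload (PAT) rule covers both inside subnets.
ip nat inside source list 1 interface Ethernet1 overload
access-list 1 remark NAT ACL: both inside subnets
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
! Trusted LAN inbound: anti-spoofing only; CBAC decides what comes back.
access-list 100 remark Trusted LAN inbound
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip any any log
!
! WAN inbound: nothing unsolicited. CBAC inserts dynamic entries for return
! traffic above these lines. The bootps/bootpc permit is needed because the
! interface is a DHCP client and its offers/acks arrive through this ACL.
access-list 101 remark WAN inbound
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any log
!
! DMZ inbound: DMZ hosts may reach the Internet but never initiate toward the
! trusted LAN. Replies to LAN-initiated sessions are allowed by CBAC state, not
! by this ACL, so the deny does not break trusted -> DMZ access.
access-list 103 remark DMZ inbound
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 deny ip any any log
```

Apart from the per-subnet inside ACLs, this is the shape SDM's firewall wizard produces. To check it, open a web page from a DMZ host and look at "show ip inspect sessions" for the tcp session and at "show ip access-lists 101" for the dynamic entries CBAC has added; "show ip nat translations" should list a tcp entry for port 80 alongside the icmp ones. On later IOS releases classic "ip inspect" (CBAC) is superseded by the zone-based firewall, but the 12.4 image in the post supports it.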


Re: Routing with WAN, LAN, and DMZ

It does not look like you have a NAT statement allowing access from the Internet to port 80 that gets translated to a DMZ host.

You do allow DMZ to the Internet and you do allow Trusted to the Internet, and both do so via port address translation (PAT).

You need a static DMZ-to-Internet port 80 mapping.

Here is a Cisco document demonstrating it.

You only have to modify the

"ip nat inside source static tcp [dmz-host] 80 interface Ethernet1 80"

line to change the addresses to what is appropriate for your network.
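The mapping this reply refers to, written out in full IOS syntax as an added example (it is not from the post or the linked document); 192.168.2.10 is an assumed address for the DMZ web server. Two points the one-liner hides: static translations are matched before the dynamic overload rule, so the mapping coexists with the existing PAT for everything else, and because an inbound ACL on the outside interface is evaluated before translation, the permit for unsolicited HTTP must match the WAN side (any destination, port 80), not the DMZ host address. The poster's ACL 101 currently permits everything, so only the nat line would be needed there; the ACL lines show what is required once the WAN ACL is tightened.

```ios
! Added example, not from the post: publish a DMZ web server (assumed 192.168.2.10)
! on whatever address Ethernet1 obtains from DHCP. Static entries are consulted
! before the dynamic "ip nat inside source list 1 ... overload" rule.
ip nat inside source static tcp 192.168.2.10 80 interface Ethernet1 80
!
! CBAC only opens return holes for sessions initiated from inside, so unsolicited
! inbound HTTP has to be permitted here. Inbound ACLs on the outside interface are
! checked before NAT, so match the WAN side (any destination, port 80), not the
! DMZ host address.
access-list 101 remark WAN inbound
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any log
!
! Optional: inspect the inbound web sessions as well, so the server's replies
! are permitted by CBAC state even if the DMZ ACL is later made restrictive.
ip inspect name FW_IN http
interface Ethernet1
 ip inspect FW_IN in
!
! Verify: "show ip nat translations" lists the static mapping even with no
! traffic, with --- in the outside columns:
!   tcp <wan-ip>:80   192.168.2.10:80   ---   ---
```

A static port mapping exposes the DMZ host to every address on the Internet, which is the reason it belongs on the DMZ interface and not on the trusted LAN; with the DMZ ACL from the configuration above, a compromised web server cannot pivot into the trusted subnet.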


Re: Routing with WAN, LAN, and DMZ


Static NAT port mapping is my next step. My current step is figuring out why hosts in the trusted LAN have web access to the internet while ones in the DMZ don't.

As in, I'm on a workstation under each Ethernet interface trying to go to

Re: Routing with WAN, LAN, and DMZ

If you put an Internet IP [ == ] into your browser, does that work? (Ruling out a DNS-related issue first, which could be routing.)

Also, perhaps do a traceroute to 129.... to see what happens then.

Try to go to the Internet, then do a "show ip nat trans ..." and you'll see the translations.

Here's a Cisco help page.