Cisco Support Community

New Member

516e DMZ Setup

OK, I am in the process of setting up my first 515e and struggling a bit. I have set my outside route of x.x.x.x.x (being my router ethernet address) 1

Now the way I understand this is that anything that goes out that is not needed to route to my dmz will route right to my router. Is this correct?

Now on my DMZ I want to put my webserver. I assume that I need to set up a static route from my inside address to this device and from the outside into the DMZ, correct?

So if that is the case, do I put static route (dmz,outside) x.x.x.89 1xx.1xx.1xx.8 netmask (where the .89 is my outside router and the 1xx.1xx.1xx.8 is my web server address with the same subnet as my DMZ)? I assume this has to be on the same subnet, but the more I look at it, maybe it doesn't. My mail server happens to be in the same subnet as my DMZ. Can I have it in a different subnet and create a conduit?

Basically I'm lost on how to get the outside and inside to talk to the dmz. Typically is the DMZ on a /30 to a switch and the devices connect to that have conduits from inside addresses? Any advice would be appreciated and if it sounds like I have got a clue then you are correct. :) Thanks again.

New Member

Re: 516e DMZ Setup

This is how it works:

outside security0

dmz1 security50

inside security100

(the security level determines the usage of the static & nat commands)

Let's say your:

-outside address is

-statically allocated address for your web server in the DMZ1 is

- your Web server in the DMZ is


To access the Web server from the inside (the security level is from lower to higher) you will need the static command and access-list on the outside interface

static (dmz1,outside) netmask

access-list outside permit tcp any host eq www

access-group outside in interface outside

All your users behind your router should hit the Web server on


To access the web server from the inside (sec level is higher to lower) you will only need the "nat" command to allow the inside to access the dmz1. The access-list on the inside interface is optional but I prefer to have one.

nat (0) 0 0 0


nat (0) access-list name-of-the-access-list

I usually don't translate the inside when going to dmz interfaces to avoid complexity.

Users on the inside should hit the web server on its actual IP address


On your router (the default gateway of the outside interface) you do not need to have a static route for the dmz1 network because you are translating the IP address to the network that is part of the router's interface. You will only need the static route if you DO NOT translate the dmz1 IP address.

With traffic from inside to outside, you still have the option not to NAT the IP address when going out, and you can use the same nat (0) statement; otherwise you will need to create a new static command for 1:1 translation

static (inside,outside) netmask

You might get confused because the static should be used if the traffic is from lower to higher. The static command is the only way you do 1:1 NATing, but this is still safe because the access is still controlled by the outside access-list.

I hope this will help you.

cheers mate

New Member

Re: 516e DMZ Setup

Please ignore the statically allocated address; it should be as per the static statement.
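
Added example (not part of the thread or any poster's code): the reply notes that a static is still safe because access is controlled by the outside access-list, and this Python sketch checks that on a config by listing what the ACL bound to the outside interface permits to each static's mapped address. The config text and every address in it are constructed placeholders, and the parser assumes only the `permit <proto> any host <ip> [eq <port>]` entry form used in the thread.

```python
import re

# Constructed PIX 6.x-style config; all addresses are documentation/private
# placeholders, not values from the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
static (dmz1,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255
access-list outside permit tcp any host 192.0.2.10 eq www
access-list outside permit ip any host 192.0.2.20
access-group outside in interface outside
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL = re.compile(r"^access-list (\S+) permit (\w+) any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_statics(config, iface="outside"):
    """Map each static published on `iface` to what the bound ACL permits.

    Returns {mapped_ip: [(protocol, port_or_None), ...]}; an empty list means
    the static exists but no ACL entry lets traffic reach it.
    """
    lines = [l.strip() for l in config.splitlines()]
    # ACL names applied inbound on the interface via access-group
    bound = {m.group(1) for l in lines if (m := GROUP.match(l)) and m.group(2) == iface}
    # Mapped (translated) addresses of statics whose lower-security side is iface
    exposure = {m.group(3): [] for l in lines
                if (m := STATIC.match(l)) and m.group(2) == iface}
    for l in lines:
        m = ACL.match(l)
        if m and m.group(1) in bound and m.group(3) in exposure:
            exposure[m.group(3)].append((m.group(2), m.group(4)))
    return exposure


def too_broad(exposure):
    """Mapped addresses with a permit that is not limited to a single port."""
    return sorted(ip for ip, rules in exposure.items()
                  if any(proto == "ip" or port is None for proto, port in rules))


if __name__ == "__main__":
    result = audit_statics(SAMPLE_CONFIG)
    for ip, rules in result.items():
        print(ip, rules)
    print("review:", too_broad(result))
```

In the constructed config the web server's static is reachable only on tcp/www, while the second static is flagged because its ACL entry permits all IP traffic to the translated host.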