Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

access dmz from inside

hello

sorry but i have a problem

i have a pix firewall 515 with 3 interface inside dmz and outside

inside 10.34.10.0

dmz 192.168.1.0

outside 151.x.x.x

i need to reach from inside the dmz client and opposite, without nat, and the dmz to get internet with nat.

I configured

nat (dmz) 2 192.168.1.0 255.255.255.0 0 0

global (outside) 2 151.x.x.1

access-list dmz_inside_in line 1 permit ip 192.168.1.0 255.255.255.0 any

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

I don't reach the host from inside to dmz and opposite

5 REPLIES
New Member

Re: access dmz from inside

if you don't want NAT use the special 0 NAT group

nat (inside) 0 192.168.1.0 255.255.255.0

This disables the NAT process.

When going from a higher (inside) to lower (dmz) interface, you don't - by default - need to specify an ACL. Of course, your acl doesn't actually do anything unless you apply it.

HTH,

Terry

New Member

Re: access dmz from inside

thanks

but i need use nat for internet from dmz,

and don't use nat from dmz to inside.

Bronze

Re: access dmz from inside

Hi,

Do the following :

static 10.34.10.0 10.34.10.0 netmask 255.255.255.0

Static REAL-IP-Address 192.168.1.5 netmask 255.255.255.255

I hope this is helpful!

I think this document will help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Plz. rate if it does!

Thanks

Abd Alqader

Re: access dmz from inside

The old rule used to be "high security -> low = nat+global, low -> high = static+ACL", although it gets more confusing when you have more interfaces and don't always want to NAT.

A traffic flow is always source->destination and therefore only involves two interfaces. So think of your traffic as being flows between two interfaces. Here we have two flows: when dmz accesses internet dmz=high, internet=low; when dmz accesses inside, inside=high, dmz=low. Therefore you're needing nat+global for the dmz->internet, and static for dmz->inside.

You have the correct lines to NAT your internet access:

nat (dmz) 2 192.168.1.0 255.255.255.0 0 100

global (outside) 2 151.x.x.1

The next line allows inside IPs to be visible to dmz (you still need ACL to permit traffic):

static (inside,dmz) 10.34.10.0 10.34.10.0 netmask 255.255.255.0

New Member

Re: access dmz from inside

guru's, what if, in this exact situation, i want to NAT the source addresses of traffic coming from DMZ to inside? Is that possible?

And what actually happens when you reverse the interfaces in the static line?

Like: static (DMZ,inside) x.x.x.x x.x.x.x netmask x.x.x.x

130
Views
0
Helpful
5
Replies
CreatePlease to create content