Cisco Support Community

access dmz from inside


Sorry, but I have a problem.

I have a PIX 515 firewall with 3 interfaces: inside, dmz and outside.



outside 151.x.x.x

I need to reach the dmz client from inside and vice versa, without NAT, and the dmz needs to reach the Internet with NAT.

I configured

nat (dmz) 2 0 0

global (outside) 2 151.x.x.1

access-list dmz_inside_in line 1 permit ip any

static (inside,dmz) netmask

I can't reach the host from inside to dmz or vice versa.


Re: access dmz from inside

If you don't want NAT, use the special 0 NAT group:

nat (inside) 0

This disables the NAT process.

When going from a higher (inside) to lower (dmz) interface, you don't - by default - need to specify an ACL. Of course, your acl doesn't actually do anything unless you apply it.




Re: access dmz from inside


But I need to use NAT for Internet access from the dmz,

and not use NAT from dmz to inside.


Re: access dmz from inside


Do the following:

static netmask

Static REAL-IP-Address netmask

I hope this is helpful!

I think this document will help you.

Please rate if it does!


Abd Alqader

Re: access dmz from inside

The old rule used to be "high security -> low = nat+global, low -> high = static+ACL", although it gets more confusing when you have more interfaces and don't always want to NAT.

A traffic flow is always source->destination and therefore only involves two interfaces. So think of your traffic as being flows between two interfaces. Here we have two flows: when dmz accesses internet dmz=high, internet=low; when dmz accesses inside, inside=high, dmz=low. Therefore you're needing nat+global for the dmz->internet, and static for dmz->inside.

You have the correct lines to NAT your internet access:

nat (dmz) 2 0 100

global (outside) 2 151.x.x.1

The next line allows inside IPs to be visible to dmz (you still need ACL to permit traffic):

static (inside,dmz) netmask
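The two-flow reasoning above written out as a complete PIX 6.x-style configuration. This is an added example, not a configuration posted in this thread: the interface names and the global address 151.x.x.1 are taken from the thread, while the security levels (the usual PIX defaults), the inside network 10.1.1.0/24, the dmz network 192.168.1.0/24, the ACL name dmz_in and the host addresses in the last commented line are assumptions.

```text
! Added example, not from the thread. Security levels and the
! 10.1.1.0/24 (inside) and 192.168.1.0/24 (dmz) networks are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Flow 1: dmz -> outside. Here dmz is the high side, so nat + global.
! All dmz sources are PATed to 151.x.x.1 when they leave via outside.
nat (dmz) 2 0 0
global (outside) 2 151.x.x.1

! Flow 2: inside <-> dmz. Here inside is the high side, so a static.
! Real and mapped addresses are identical, so inside hosts are visible
! to the dmz under their own addresses (no translation).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Low -> high (dmz -> inside) still needs an ACL applied on the dmz
! interface. Because the static is an identity mapping, the ACL names
! the real inside addresses.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group dmz_in in interface dmz

! Reversing the interfaces in the static translates the dmz side instead.
! The syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip, so the
! line below (assumed addresses) makes dmz host 192.168.1.50 appear to
! inside hosts as 10.1.1.99. Inside-initiated traffic to 10.1.1.99 then
! also reaches 192.168.1.50, because a static works in both directions.
! static (dmz,inside) 10.1.1.99 192.168.1.50 netmask 255.255.255.255
```

The identity static is what makes the original poster's setup work: without it, inside -> dmz traffic has no translation rule on the dmz interface and is dropped, and dmz -> inside traffic has no mapped destination to match. The nat 2 / global 2 pair only applies to traffic leaving through the outside interface, so it does not translate dmz -> inside traffic.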


Re: access dmz from inside

Gurus, what if, in this exact situation, I want to NAT the source addresses of traffic coming from DMZ to inside? Is that possible?

And what actually happens when you reverse the interfaces in the static line?

Like: static (DMZ,inside) x.x.x.x x.x.x.x netmask x.x.x.x
