
Access from DMZ to WAN


We have the interfaces called DMZ (low security interface) and WAN (high security interface) in our firewall. When I configured the following line to enable access from DMZ to WAN, it's not working. Can somebody help me?

access-list dmz permit ip host host

static (wan,dmz) netmask

DMZ Source should get NAT, to gain access at WAN network. The IP addresses are changed, as I don't want to give the original IPs.


Re: Access from DMZ to WAN

I believe that your security settings are inverted; the dmz should have a higher weight than the wan. The higher weight means more trusted. Also, is there a router between the pix and the wan cloud, or does the pix connect directly to your wan provider?

Look at the static statement as (higher wt, lower wt) lower-ip higher-ip (where wt means weight). Try reworking the static to:

static (dmz, wan) netmask

Make sure you do a clear xlate after the change. Your traffic from the dmz host should cross the wan link using ip address of with the change.

If for some reason, you want to trust the wan link more than the dmz link, you may be able to accomplish what you want, but I would need to know what version of the pix, and what model to help determine that.

Regards, Ed Hirsel
