Cisco Support Community
Community Member

Access from lower to higher security interface (PIX 520 Version 6)

I'm trying to permit traffic from a lower security interface (i.e. DMZ) to a higher security interface (i.e. Inside). I want Servers on the DMZ to connect to Servers on the inside network using the inside Server's IP address, not a NAT'd one.

I can do this by creating a static rule, mapping <inside Server IP address> to <inside Server IP address>, and creating associated access-lists. However, I do not want to have to create a static for every Server I'm likely to want to access on the inside network.

I need to find the answers to the following:

Qu.1: It's been suggested to me to use a NAT 0. Does this only apply to traffic going from a higher to lower security interface, not the other way round?

Qu.2: Is the only way to go from a lower security interface to a higher one via the static command?

Community Member

Re: Access from lower to higher security interface (PIX 520 Vers

I don't think that nat 0 is appropriate here, but you can use a subnet mask when setting up your static. This should simplify your configuration somewhat. Similarly, your access-lists can be set up to use a subnet mask (instead of individual hosts).

I think this is the way to do it -- someone please correct me if I'm wrong!
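The approach suggested in the reply above, sketched as an added example that is not part of the original thread: one identity static with a netmask covers the whole inside subnet, and the access-list on the DMZ interface is what actually limits which hosts and ports are reachable. The interface names, the ACL name `acl_dmz`, all addresses and the ports are constructed for illustration.

```cisco
: Constructed example values (assumptions, not from the thread):
:   inside subnet 10.1.1.0/24, DMZ subnet 172.16.1.0/24,
:   interfaces named "inside" and "dmz", ACL named acl_dmz

: One identity static for the whole inside subnet, so DMZ hosts
: reach inside servers on their real (untranslated) addresses.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

: The static only makes the subnet addressable from the DMZ.
: Keep the ACL as narrow as the application allows: named source
: hosts or the DMZ subnet, specific destination hosts and ports.
access-list acl_dmz permit tcp host 172.16.1.10 host 10.1.1.20 eq 1433
access-list acl_dmz permit tcp 172.16.1.0 255.255.255.0 host 10.1.1.25 eq 25

: Apply the ACL to traffic arriving on the DMZ interface.
access-group acl_dmz in interface dmz
```

Once an access-list is bound to the DMZ interface, its implicit deny also applies to DMZ traffic headed to lower security interfaces, so any outbound flows the DMZ servers still need must be permitted explicitly in the same list.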
