Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Access to DMZ on PIX-515

Let me try to explain my problem in a logical manner. I have a PIX-515R, I added a single 10/100 interface as my 'DMZ1' port. My 'inside' interface is running on, my 'DMZ1' interface is running on I have configured my active directory DNS servers to also be real DNS servers, they are running on the 'inside' network. I wanted my users to be able to access the web server by it's outside name so I moved it to the DMZ interface. This works by using the alias command along with the 'sysopt nodnsalias outbound' command. However from 'Inside' I am unable to directly access anything on the 'DMZ1' network. For example I am unable to access my web server by it's 192.168.1.X address from 'inside.' I can't even ping it. I do get full access by using it's public IP address.

Additionally my web server on 'DMZ1' can't access anything statically mapped to 'Inside' by public addresses or 'Inside' addresses even though they are allowed by the access list. So DNS resolution from my Web server fails because it can't access my DNS servers.

Can anybody help?

  • Other Security Subjects
New Member

Re: Access to DMZ on PIX-515

Your problem sounds like a nat problem. Because you are using private addresses you have nat (inside) 1 and you would map to a global public ip. What you should do when talking from private to private addresses is to use the

"nat (inside) 0 access-list NONAT"

The access-list will be as follows

"access-list NONAT permit ip"

New Member

Re: Access to DMZ on PIX-515

Thanks. I spent a couple hours with it last night and figured it all out. It was nat, plus you need static mappings for everything you want to access in a higher security level.

Thank you for your help.