
Accessing DMZ server by public and private address

m.reay
Level 1

I have a server sat on a DMZ with a real address of 192.168.100.1 and a public address of 123.1.1.1.

I wish to access it by its public address from the outside and by EITHER its public or private address from the inside.

I have a static nat set up as follows:

static (dmz,outside) 123.1.1.1 192.168.100.1 netmask 255.255.255.255

This gives me access from the outside.

I have also set up a static as follows:

static (dmz,inside) 192.168.100.1 123.1.1.1 netmask 255.255.255.255

I can access the device from the inside on the public address, but not on the private address.

Has anyone implemented this scenario successfully?

Thanks.

Mick.

2 Replies

a.kiprawih
Level 7

Allowing access from the outside to the DMZ via a statically NATed public IP is correct. But allowing an inside host to talk to the DMZ via the public IP is not possible.

This is because the public IP is a logical mapping by PIX for external/internet users talking to the DMZ. Logically, they are on the same outside/public segment.

For inside to DMZ access, you have to use DMZ's IP address to access it, which is 192.168.100.1.

The most you can do is to use nat/dmz pair:

nat (inside) 1 192.168.1.0 255.255.255.0

global (dmz) 1 192.168.100.10

This allows 192.168.1.x hosts to talk to the 192.168.100.1 server.

Or simply use static mapping between inside & dmz segment (and use ACL if you need to restrict more, or add icmp for testing):

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

HTH

AK

Thanks for the reply but I have already managed to get internal users communicating from the Inside by using the Public address.

This was achieved using the configuration described in my original posting.

This is working fine - the issue I have is trying to get users to be able to access the device using its Private address as well as its Public address.

I don't even know if this is possible.