Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allowing DMZ server access to the Internet

We have a PIX 515E with 3 interfaces. The inside & dmz interfaces use "private" IP addresses, the outside interface uses a "public" ip address.

We have a web server on the DMZ that needs access to the internet through the "outside" interface of the firewall. We currently have "static (dmz, outside)" port translations, plus appropriate inbound access list (on the "outside" interface) which NAT's from "public" to the "private" IP of the web server, and allows access according to the inbound access-list.

Do I use "nat (dmz)" and "global (outside)" commands to enable the web server to access the internet ?? How does this NAT translation affect the current "static (dmz,outside)" commands and inbound access-list ?? Does the inbound access-list need allow return traffic to the external (NAT'd) address of the web-server ??

Any help or explanation would be much appreciated.


Re: Allowing DMZ server access to the Internet

nat (dmz) 1 0 0

WIll allow all DMZ boxen to initiate connections to the outside world.

global ( dmz) 1 netmask

Will allow the inside interface and machines on it to access on the DMZ interface all machines with IPs from thru ....254

So, you most likely need both. This nat translation won't effect you static and inbound ACL - those commands are to allow communication from the outside in, and these two are necessary for DMZ-out, and inside - DMZ respectively.

No, your inbound ACL on the outside int merely needs to allow for inbound http traffic to the statically mapped IP address. The PIX is stateful, and everything will be taken care of. The only way you could get in trouble is by creating an accesslist the is bound Inbound on the dmz interface, that could limit traffic leaving the web server and going into the pix on the DMZ int.