Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Backing up machines on DMZ

This is a 3 interface PIX 520 running 6.1(1).

The Backup server is on the 'inside'LAN (172.16.x.x) and the machines to be backed up are on the 'dmz' network (192.168.x.x). Problem is, the backup software does not tolerate any changing of the source of destination address (NAT). From a security standpoint, what would be the least compromising way to resolve this issue?

Many thanks for your time,


New Member

Re: Backing up machines on DMZ

have you tried the static (inside,dmz) 192.168.x.x 172.16.x.x

(if you use NAT make sure the addresses do not overlap with the static ones

and open the ports required for the backup software.)

If it does not work, switch to a new backup software. Which one are you using?

New Member

Re: Backing up machines on DMZ

You don't have to NAT between DMZ and internal. Just route the packets and open the appropriate ports with an access-list. Your access-list can contain the IP addresse of both servers (the backup and the service server).

Cisco Employee

Re: Backing up machines on DMZ

I've a similar , I think , problem.

Three interfaces

outside 213.x.x.x

inside 192.168.1.x

dmz 172.16.1.x

One host in the DMZ with several local IP address ( ) which hosts 10 web servers.

These WWW are static natted to outside IPs 213.x.x.1-10

One host in the inside interface with some other web server ( don't ask me why .. ) natted to the outside with different IPs.

Problem is .

From inside I cannect connect to web server's outside IP

New Member

Re: Backing up machines on DMZ

The TAC told me to usethe static command with the inside address for both the inside and dmz interfaces:

static (inside,dmz) netmask

Then I opened the ports referencing the same addr and it worked. This creates a bit of the security risk but in this instance, it may be the least painful solution.

Thx for your responses.


CreatePlease login to create content