Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Configuring PIX DMZ


Currently we have a PIX 515 6.2(2) that has the three interfaces, inside, outside, dmz1. Private addresses are used on both the inside and dmz1 networks while the outside has public addresses. Static nat is used to make our server on the inside/dmz1 visable on the outside.

global (outside) 1 1xx.x.x.69-1xx.x.x.71

global (outside) 1 1xx.x.x.72

nat (inside) 0 access-list vpntunnel_nonat

nat (inside) 1 0 0

nat (dmz) 0 access-list dmz1_nonat

nat (dmz) 1 0 0

We have recently purchased a PIX 515E 6.2(2) that has 6 interfaces, though we're only using the four; we needed a second dmz. The new dmz runs at a higher security level. The dmz has a block of public addresses, what method would you use to make them accessible from the outside? Presumably you'd disable nat. We've got the one global pool that is used to access the outside from the inside network, is it possible to use them when accessing dmz2 from the inside. And for accessing dmz1 from dmz2, is it simply a case of adding more static nat's???

One last question, what is the prefered method for accessing the dmz1 from the inside when resolves to a public IP address?

Any advice much appreciated.



  • Other Security Subjects
New Member

Re: Configuring PIX DMZ

You would just do a net static for your new dmz likeso:

static (dmz2,outside) Public-Block-Here.0 Public-Block-Here.0 netmask 0 0 (put the appropriate mask of course for your block)

and you can put those public IPs right on your servers


If you still want to use privates on the new dmz servers (which I see no real security advantage to doing this, if someone does please tell me) you can do likeso:

static (dmz2,outside) Public-Block-Here.0 Private-Block-Here.0 netmask 0 0

This will take every private address and map it to an equivalent public address. (ex. -> 2xx.x.x.1, -> 2xx.x.x.52) Just be sure the masks match.

Then you would just make the appropriate ACLs or conduit's to permit access from the outside to the new DMZ and if necessary from old DMZ to the new one.

You don't need to nat to public addresses when accessing any of your dmz if you don't want to. In my case, internal host access the dmz via their private IP because if they were to be NATed to go to the DMZ, they grab another address from our NAT pool so you have 1 host using 1 IP for the Internet and a different one for the DMZ. I try to keep 1-to-1 NAT but then I do have a PAT address at the end for when all NAT addresses are exhausted. Plus we use VLANs internal ly and it makes it easier for reading logs because we know what VLANs traffic came from. That's done simply by a:

static (inside,dmz) netmask 0 0

To get from dmz1 to dmz2 (since dmz2 has higher security, you need a static nat and conduit/acl)

For your last question, I don't have something like that set up, but since your NATing to your public pool to get to your dmz1 anyway, then the fact that it's a public IP shouldn't matter. You should go out as one of your publics to your staticly mapped dmz1addresses and it should work fine. I think.... :)

- John

This widget could not be displayed.