
Disable IP address translation between the DMZ and Inside network?

Assume a network topology is like this:

A PIX with 3 interfaces:

inside interface (private static IP of 10.10.10.1)

outside interface (public static IP of 69.110.38.35)

DMZ interface (private static IP of 30.30.30.1)

The internal clients (private static IPs of 10.10.10.3 - 10.10.10.30) are located in the internal LAN.

It is said: "Usually you disable Network address translation between the DMZ and Inside network".

1) Why do I need to disable the IP address translation between the DMZ and Inside network?

2) What is the CML statement to achieve this (example)?

Thanks for the help.

Scott


Re: Disable IP address translation between the DMZ and Inside ne

1. With v6.x, nat/global or static is a must. However, since dmz and inside are both private, a public IP is not required at all between the two. Further, public IPs cost money whereas private ones are free. Anyhow, you can still configure nat/global as normal; the no-nat is not necessary.

2.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

static (dmz,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0

For traffic originating from the dmz and destined for inside, an inbound ACL is required (since the traffic is from a lower security level to a higher security level).
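
The inbound ACL mentioned in the reply, shown next to the identity statics as an added example that is not part of the original post. The host addresses 30.30.30.10 and 10.10.10.20, the SMTP service, and the ACL name dmz_in are assumptions made for illustration; the interface name dmz is taken from the static commands above.

```cisco
: Identity statics from the reply: both networks keep their own addresses
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0
: Constructed hosts: DMZ server 30.30.30.10, inside server 10.10.10.20
: Permit only SMTP from that one DMZ host to that one inside host
access-list dmz_in permit tcp host 30.30.30.10 host 10.10.10.20 eq smtp
: Everything else arriving on the dmz interface hits the implicit deny
access-group dmz_in in interface dmz
```

The static alone does not open the path: without a permit entry bound to the dmz interface, traffic from the lower security level is dropped, so the ACL should list only the specific host and port pairs the DMZ server needs.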
