Cisco Support Community
New Member

DMZ Design question

Hi

While designing a redundant PIX 515 setup for DMZ I ran into the following problems:

1. Does it make sense to use private addresses in DMZ and let the PIX do the NAT or isn't it better to use a subnet of our assigned IP /25?

Now it's configured for official IP addresses without NAT.

Problem now:

I have a network (10.1.1.0/24) as the internal network, and some communications require access from outside into internal and from DMZ into internal.

Can I use IP addresses of the same (DMZ) subnet to configure static NAT for internal nodes? What about rules from DMZ to internal when they are in the same subnet?

Many thanks in advance.

Rgds.

Andre

1 REPLY
Cisco Employee

Re: DMZ Design question

It really doesn't matter what IP addresses you use on each subnet.

You can of course use IP addresses in your DMZ subnet as statics on the PIX for internal IP addresses; this is how most people do it. The rules are no different, you just use that address in the ACL/conduit within the PIX. For example:

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 200.200.200.1 255.255.255.0
static (inside,dmz) 200.200.200.50 10.1.1.50 netmask 255.255.255.255 0 0
access-list 100 permit ip any host 200.200.200.50
access-group 100 in interface dmz

This basically lets all IP traffic from the DMZ through to the 200.200.200.50 host, which maps to the internal host of 10.1.1.50. You can of course be more restrictive on what protocols you allow in. Just make sure no physical host on the DMZ interface is configured with 200.200.200.50 and you'll be fine.
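As an added example (not from the original post or the reply above), here is the reply's configuration extended with the tighter protocol filtering the reply mentions, plus a second static for access from the outside, which the question also asked about. Everything not in the thread is an assumption: the outside subnet 203.0.113.0/25 is a placeholder, the interface and ACL names are arbitrary, PIX 6.x syntax is assumed, and the lines beginning with "!" are annotations for the reader rather than PIX commands.

```text
! Interfaces and addresses: inside and dmz as in the reply, outside is a placeholder range.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.128
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 200.200.200.1 255.255.255.0

! DMZ hosts keep their own (official) addresses when they talk to the outside, as in the question.
nat (dmz) 0 200.200.200.0 255.255.255.0

! One internal host, mapped into the DMZ subnet (as in the reply) and into the outside subnet.
static (inside,dmz) 200.200.200.50 10.1.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255 0 0

! DMZ -> inside: only HTTP to the mapped address. The explicit deny must come before the
! broad permit, because 200.200.200.50 lies inside the DMZ subnet that the last line allows out.
access-list dmz_in permit tcp 200.200.200.0 255.255.255.0 host 200.200.200.50 eq www
access-list dmz_in deny ip any host 200.200.200.50
access-list dmz_in permit ip 200.200.200.0 255.255.255.0 any
access-group dmz_in in interface dmz

! outside -> inside: same internal host, reached through its outside mapped address.
access-list outside_in permit tcp any host 203.0.113.50 eq www
access-group outside_in in interface outside
```

Two points worth checking after pasting this. First, the ACLs name the mapped addresses (200.200.200.50 and 203.0.113.50), never 10.1.1.50, because the PIX evaluates the inbound ACL on the arriving interface before the static untranslates the destination; a rule written against 10.1.1.50 would never match. Second, the PIX answers ARP for 200.200.200.50 on the dmz interface on behalf of the static, which is why the reply warns against giving a real DMZ host that address: if one exists, both will claim it and traffic becomes unpredictable. "show xlate" lists the active translations and "show arp" shows what the PIX has learned on each interface, which is enough to spot such a collision.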
