Cisco Support Community
New Member

DMZ Design question


While designing a redundant PIX 515 setup for a DMZ, I ran into the following problems:

1. Does it make sense to use private addresses in the DMZ and let the PIX do the NAT, or isn't it better to use a subnet of our assigned /25?

Now it's configured for official IP addresses without NAT.

Problem now:

I have a network ( as the internal network, and some communication requires access from outside into internal and from the DMZ into internal.

Can I use IP addresses of the same (DMZ) subnet to configure static NAT for internal nodes? What about rules from the DMZ to internal when they are in the same subnet?

Many thanks in advance.



Cisco Employee

Re: DMZ Design question

It really doesn't matter what IP addresses you use on each subnet.

You can of course use IP addresses in your DMZ subnet as statics on the PIX for internal IP addresses; this is how most people do it. The rules are no different, you just use that address in the ACL/conduit within the PIX. For example:

ip address inside

ip address dmz

static (inside,dmz) netmask 0 0

access-list 100 permit ip any host

access-group 100 in interface dmz

This basically lets all IP traffic from the DMZ to the host, which maps to the internal host of You can of course be more restrictive on what protocols you allow in. Just make sure no physical host on the DMZ interface is configured with and you'll be fine.

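The same design written out as a complete PIX 6.x configuration, as an added example that is not part of the reply above. Every address is an assumption drawn from the RFC 5737 documentation ranges (outside link 198.51.100.0/30, the assigned public /25 as 203.0.113.0/25 on the DMZ, private 192.168.1.0/24 inside); the web server, database server and the TCP/1433 service are likewise invented to show one DMZ-to-inside rule next to an outside-to-DMZ rule.

```cisco
! Added example (PIX 6.x syntax), not the original poster's or replier's config.
! Assumed addressing:
!   outside  198.51.100.2/30  (ISP handoff, default gateway 198.51.100.1)
!   dmz      203.0.113.0/25   (the assigned public /25, routed to the PIX)
!   inside   192.168.1.0/24   (private, never seen outside the PIX)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 203.0.113.1 255.255.255.128
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Physical DMZ host (assumed web server) keeps its public address: identity static.
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Internal host 192.168.1.20 (assumed database server) appears in the DMZ as
! 203.0.113.20, a free address of the DMZ subnet. The PIX answers ARP for it,
! so no physical DMZ host may be configured with 203.0.113.20.
static (inside,dmz) 203.0.113.20 192.168.1.20 netmask 255.255.255.255 0 0

! DMZ-to-inside rule: only the web server, only TCP/1433 (assumed service).
! Everything else aimed at the static, or at the inside range directly, is
! denied before the final permit that lets DMZ hosts reach the Internet.
access-list dmz_in permit tcp host 203.0.113.10 host 203.0.113.20 eq 1433
access-list dmz_in deny ip any host 203.0.113.20
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Inside hosts initiating connections to the DMZ or the Internet are PATed
! to the respective interface address.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
global (dmz) 1 interface
```

Once applied, `show xlate` should list the two statics, and `show arp` on a DMZ host for 203.0.113.20 should return the PIX's DMZ MAC address; a different MAC there means the caveat in the reply has been violated and a real DMZ host is using the mapped address.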