Cisco Support Community
DMZ question...

OK, I can't seem to get my head around this problem, and any help would be most appreciated.

I'm trying to set up a DMZ. Our ISP has given us a range of IP addresses, a.a.a.a and b.b.b.b (non-sequential).

Router = a.a.a.97

PIX outside eth0 = a.a.a.98

PIX dmz eth1 = b.b.b.1

PIX inside eth2 = 192.168.100.253

The ISP has routed the b.b.b.b IP range through a.a.a.98.

We use NAT and PAT for the internal users and ACLs for our www and smtp; this all works on the internal eth2 without problems.

What I can't seem to get running is the set of dmz IP addresses.

I can NAT the dmz IP addresses, but I can't seem to create a static route through the PIX for them.

I was thinking this is a routing problem; any suggestions?

The routing is this:

xxxx.pix# sh rout

outside 0.0.0.0 0.0.0.0 a.a.a.97 1 OTHER static

outside a.a.a.96 netmask a.a.a.98 1 CONNECT static

inside 192.168.100.0 255.255.255.0 192.168.100.253 1 CONNECT static

dmz b.b.b.0 netmask b.b.b.1 1 CONNECT static

Not too sure what the 2nd entry is for?

Or maybe I'm just barking up the wrong tree; any suggestions, comments or pointers.

Thanks

--Mark

4 REPLIES

Re: DMZ question...

From what you are saying, it looks like you have been given the a.a.a.96/30 network for your outside interface and have been assigned a separate range of "b.b.b.b" for your NAT requirements?

Rather than using your "b.b.b.b" public IP range on the dmz, you should be configuring your DMZ on a private address range, say 192.168.200.0/24 and statically mapping those addresses to outside addresses, i.e.

static(dmz,outside) b.b.b.x 192.168.200.y netmask 255.255.255.255

This should present your "b.b.b.x" address on the outside interface so you can allow, for example, smtp to this "b.b.b.x" address in the access-list you have applied inbound on your outside interface i.e.

access-list acl_out permit tcp any host b.b.b.x eq smtp

access-group acl_out in interface outside

outside a.a.a.96 netmask a.a.a.98 1 CONNECT static

This is simply referring to the fact that the firewall knows about the connected network on the outside interface.

Hope that helps

Kev


Re: DMZ question...

Ah, got you, I can see where you're coming from, but no, I was assigned the a.a.a.a range first, then some months later told the ISP I wanted to create a DMZ and they gave me the b.b.b.b range routed through a.a.a.98.

So rather than creating another private range for the DMZ and then mapping it to the public b.b.b.b range, how would I go about just using the public b.b.b.b range in the DMZ?

Which comes back to the previous post: do you think it could be a routing problem?

Kev, thanks for the answer re: outside a.a.a.96 netmask a.a.a.98 1 CONNECT static.

Cheers

--Mark


Re: DMZ question...

Ah, I see what you're driving at, the one where you need to statically map the DMZ address to itself, so to speak. There's a good example of that at

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#xtocid4

Although they statically map the entire DMZ subnet, you should be able to adapt it to however your particular setup requires. If it looks something like that, with the nat 0, statics and ACLs permitting what you want to permit, you should be OK.

As for the routing side of things, you mention that the ISP routes that second subnet to your PIX's outside IP address? If your config is sound you may want to ask your ISP if they can just route that second subnet onto the wire instead, and let the PIX just listen out for it, rather than try to get your PIX to route it. Might be worth a try, as I have seen it working this way.

Rgds

Kev
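The two approaches Kev describes, the private-DMZ static from his first reply and the "map the DMZ subnet to itself" approach from his second, written out as one PIX 5.x/6.x configuration. This is an added example, not configuration from the thread or from the Cisco document linked above. It keeps the thread's a.a.a.x / b.b.b.x placeholders, assumes the outside link is a.a.a.96/30 (Kev's inference) and the DMZ range is b.b.b.0/24, and the host addresses b.b.b.10, b.b.b.11 and 192.168.200.10, the security levels and the interface-PAT global for inside-to-DMZ traffic are all assumptions for illustration.

```cisco
! Interfaces as described in Mark's post (security levels assumed)
nameif ethernet0 outside security0
nameif ethernet1 dmz security50
nameif ethernet2 inside security100
ip address outside a.a.a.98 255.255.255.252
ip address dmz b.b.b.1 255.255.255.0
ip address inside 192.168.100.253 255.255.255.0

! Only the default route is configured. The a.a.a.96/30 and b.b.b.0/24
! entries shown by "sh route" are CONNECT routes the PIX derives from the
! interface addresses, so no static route for the DMZ range is needed.
route outside 0.0.0.0 0.0.0.0 a.a.a.97 1

! Internal users: PAT to the outside interface address (what Mark already has).
! The "global (dmz) 1 interface" line (assumed) lets the same inside hosts reach
! the DMZ; without a global on the dmz interface the PIX drops inside->dmz traffic.
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0

! --- Option A (Kev's first reply): private DMZ, one-to-one static to a public address
! ip address dmz 192.168.200.1 255.255.255.0
! static (dmz,outside) b.b.b.10 192.168.200.10 netmask 255.255.255.255 0 0

! --- Option B (Kev's second reply, what Mark wanted): public b.b.b.0/24 on the DMZ
! DMZ hosts keep their own addresses when they talk outbound ...
nat (dmz) 0 b.b.b.0 255.255.255.0
! ... and are reachable from the outside under those same addresses:
! the subnet is "statically mapped to itself", no address actually changes.
static (dmz,outside) b.b.b.0 b.b.b.0 netmask 255.255.255.0 0 0

! A static only creates the translation; the outside ACL decides what gets in.
! Permit only the services each DMZ host really offers, per host, never the subnet.
access-list acl_out permit tcp any host b.b.b.10 eq smtp
access-list acl_out permit tcp any host b.b.b.11 eq www
access-group acl_out in interface outside
```

After applying it, "show static" and "show access-list" should list the identity static and the two permits, and "show xlate" should show b.b.b.x entries that translate to themselves once traffic flows. The static (dmz,outside) also makes the PIX answer ARP on the outside segment for b.b.b.x addresses, which is the mechanism behind Kev's suggestion of having the ISP route the second subnet onto the wire rather than to a.a.a.98. Either way the outside ACL is the only thing standing between the Internet and the DMZ hosts, so keep it host-and-port specific and review it whenever a DMZ host is added.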


Re: DMZ question...

Thanks for the help/advice Kev, I've got it working *cheer*

Yes, the ISP does route the 2nd subnet to the PIX's outside int., so I'll give your idea a go when I've got everything sorted.

Again thanks.

--Mark
