Cisco Support Community
New Member

DMZ to inside - want servers to be seen with original IPs.

I have a 10.x.x.x network on the inside interface (100). I have a semi-rogue network being hooked up to ethernet6 (90), which is going to be 10.y.y.y. I would like the 10.y.y.y network to be able to see all the servers on the inside with the original 10.x.x.x addresses. Is this possible? If so, how?

2 REPLIES
Silver

Re: DMZ to inside - want servers to be seen with original IPs.

Yup.

You probably have a nat 1 statement for all traffic from that interface. What you want to add is a nat 0 access-list statement that selectively excludes traffic from NAT. If 1.2.3.0/24 was the netblock used on e6, then this is basically what you would want to do:

access-list 106 permit ip 10.x.x.x 255.0.0.0 1.2.3.0 255.255.255.0

nat (inside) 0 access-list 106

This would stop 10.0.0.0/8 from natting traffic only when the destination is 1.2.3.0/24.

New Member

Re: DMZ to inside - want servers to be seen with original IPs.

Yes,

Just create a static statement using the same IP for the low-sec and high-sec interfaces:

static (inside,dmz) 10.x.x.x 10.x.x.x netmask 255.0.0.0

access-list ondmz permit ip 10.y.y.y 255.0.0.0 10.x.x.x 255.0.0.0

access-group ondmz in interface dmz

I wrote it roughly, so check the syntax to be sure.

Ben
