DMZ to inside - want servers to be see with original ips.

briapolo
Level 1

I have a 10.x.x.x network on the inside interface (100). I have a semi-rogue network being hooked up to ethernet6 (90), which is going to be 10.y.y.y. I would like the 10.y.y.y network to be able to see all the servers on the inside with their original 10.x.x.x addresses. Is this possible? If so, how?

2 Replies

mostiguy
Level 6

Yup.

You probably have a nat 1 statement for all traffic from that interface. What you want to add is a nat 0 access-list statement that selectively excludes traffic from NAT. If 1.2.3.0/24 was the netblock used on e6, then this is basically what you would want to do:

access-list 106 permit ip 10.x.x.x 255.0.0.0 1.2.3.0 255.255.255.0

nat (inside) 0 access-list 106

This would stop 10.0.0.0/8 from NATting traffic only when the destination is 1.2.3.0/24.

bdube
Level 2

Yes,

Just create a static statement using the same IP for the low-sec and high-sec interfaces:

static (inside,dmz) 10.x.x.x 10.x.x.x netmask 255.0.0.0

access-list ondmz permit ip 10.y.y.y 255.0.0.0 10.x.x.x 255.0.0.0

access-group ondmz interface dmz

I wrote it roughly; check the syntax to be sure.

Ben
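As an added illustration of the two replies above (not code from the thread or from Cisco), here is a small Python model of the PIX NAT order of evaluation for the inside/dmz interface pair: NAT exemption (mostiguy's "nat (inside) 0 access-list") is checked first, then a static (bdube's identity "static (inside,dmz)"), then dynamic nat/global. It uses constructed placeholders: 10.0.0.0/8 for the inside 10.x.x.x net, 1.2.3.0/24 for the ethernet6 net, and 203.0.113.5 as the global PAT address. The device's real NAT engine is more involved; this only models enough to show that the nat 0 ACL keeps real addresses visible solely toward the destination the ACL names, while the net static keeps them visible to every destination behind the dmz interface.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders standing in for the thread's 10.x.x.x / 10.y.y.y nets.
INSIDE_NET = ipaddress.IPv4Network("10.0.0.0/8")   # servers behind the inside interface
E6_NET = ipaddress.IPv4Network("1.2.3.0/24")       # the ethernet6 (dmz) network
PAT_GLOBAL = "203.0.113.5"                          # constructed address for "global (dmz) 1"


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line):
    """Parse a PIX 6.x style 'access-list NAME permit|deny ip SRC MASK DST MASK' line.

    PIX ACLs take real subnet masks (255.0.0.0 means /8), not IOS wildcard masks.
    Returns (acl_name, Ace).
    """
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[3] != "ip" or p[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: %r" % line)
    src = ipaddress.IPv4Network((p[4], p[5]), strict=False)
    dst = ipaddress.IPv4Network((p[6], p[7]), strict=False)
    return p[1], Ace(p[2], src, dst)


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit deny at the end of the list."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


@dataclass
class NatConfig:
    exempt_aces: list         # nat (inside) 0 access-list <name>
    identity_statics: list    # static (inside,dmz) N N netmask M (same address both sides)
    pat_global: str           # global (dmz) 1 <addr>, used by nat (inside) 1 0 0


def translated_source(cfg, src, dst):
    """Source address a dmz host sees for an inside -> dmz packet.

    Precedence modelled on the device's documented order: NAT exemption wins,
    then static, then dynamic nat/global.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(cfg.exempt_aces, s, d):
        return str(s)
    if any(s in net for net in cfg.identity_statics):
        return str(s)
    return cfg.pat_global


def thread_config(approach):
    """Build the config from mostiguy's reply ('nat0') or bdube's reply ('static')."""
    if approach == "nat0":
        _, ace = parse_ace("access-list 106 permit ip 10.0.0.0 255.0.0.0 1.2.3.0 255.255.255.0")
        return NatConfig(exempt_aces=[ace], identity_statics=[], pat_global=PAT_GLOBAL)
    if approach == "static":
        return NatConfig(exempt_aces=[], identity_statics=[INSIDE_NET], pat_global=PAT_GLOBAL)
    raise ValueError(approach)


def exempted_destinations(cfg):
    """Review check: which dmz destinations see untranslated inside addresses?

    A net static applies to every destination reached through the (inside,dmz)
    pair, so it is reported as 0.0.0.0/0; a nat 0 ACL is only as wide as its
    destination field, which is what limits the exposure.
    """
    dests = [ace.dst for ace in cfg.exempt_aces if ace.action == "permit"]
    if cfg.identity_statics:
        dests.append(ipaddress.IPv4Network("0.0.0.0/0"))
    return dests


# bdube's inbound ACL with the placeholder nets substituted (access-group ondmz interface dmz).
_, ONDMZ_ACE = parse_ace("access-list ondmz permit ip 1.2.3.0 255.255.255.0 10.0.0.0 255.0.0.0")


def dmz_inbound_permitted(src, dst):
    """Would the dmz-facing ACL let a dmz host reach the given destination?"""
    return acl_permits([ONDMZ_ACE], ipaddress.ip_address(src), ipaddress.ip_address(dst))


def demo():
    """Source seen by the dmz for an inside host talking to e6 and to another dmz destination."""
    flows = [("10.1.2.3", "1.2.3.4"), ("10.1.2.3", "198.51.100.9")]
    return {name: [translated_source(thread_config(name), s, d) for s, d in flows]
            for name in ("nat0", "static")}


if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, seen, [str(n) for n in exempted_destinations(thread_config(name))])
```

Running it shows the practical difference between the two answers: with the nat 0 ACL the 10.1.2.3 address is only preserved toward 1.2.3.0/24 and other dmz destinations still see the PAT address, whereas the net static preserves it for everything behind the dmz interface, so the exemption ACL is the tighter choice when the e6 network is only semi-trusted.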
