Cisco Support Community


dmz to inside

Part of my config is shown below. What I'm trying to do is establish a connection from my DMZ to the inside network. The plan is to put a DNS server on the DMZ so the internal one will use that for outside DNS.

Currently I have an FTP server in the DMZ zone; clients are able to access it from outside, and access is also OK from the inside.

However, I was trying to open a telnet session to test that the machine the DNS will be installed on can talk to the internal server: server in the DMZ zone ----> DNS server on the inside.

The command I used was similar to the one for the FTP server, but it didn't work. Can you help? Thanks.

E.g.:

access-list 101 permit tcp host eq telnet any
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp host eq ftp any
access-list 101 permit tcp host eq ftp-data any
access-list 101 permit tcp host eq domain any
pager lines 24
global (outside) 1 netmask
global (dmz) 1 netmask
nat (inside) 0 access-list 100
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (inside,outside) netmask 0 0 (dns server inside)
static (dmz,outside) netmask 0 0
static (inside,dmz) netmask 0 0
access-group 101 in interface outside


Re: dmz to inside

Hi Oliver -

Here are documents that will help you with your problem. The first document is from Cisco and the other two are from my mentor and an expert that even Cisco looks up to; I've used his papers on many problems -



Hope this helps --


Re: dmz to inside


About your connection from DMZ to inside: going from a low-security to a high-security interface, you need the three commands static/access-list/access-group.

In your case, you already have the static part:

static (inside,dmz) netmask 0 0, but it's not OK. The low-security (DMZ) IP address represents an address as seen by the DMZ's DNS server; it's not its own address. So you should replace it by or any other IP address within the same subnet as the DMZ's DNS server. Then your static becomes:

-static (inside,dmz) netmask 0 0

Then you must add the access-list/access-group, for example:

access-list 102 permit udp host host eq domain

access-group 102 in interface DMZ
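Putting the three commands from the reply together as one worked PIX 6.x-style fragment (an added example, not configuration from the thread or from Cisco; all addresses are constructed: 10.10.10.53 is the real inside DNS server, 172.16.1.0/24 is the DMZ subnet, 172.16.1.53 is the new DMZ forwarder, and 172.16.1.253 is the DMZ-side address chosen to represent the inside server):

```cisco
! Added example with constructed addresses; adjust to your own subnets.
!   inside DNS server (real address)                   10.10.10.53
!   DMZ subnet                                         172.16.1.0/24
!   DMZ DNS forwarder (the server being built)         172.16.1.53
!   DMZ-subnet address that stands for the inside DNS  172.16.1.253
!
! 1. static: make the inside host reachable from the DMZ under an address in the
!    DMZ subnet. The form is static (real_ifc,mapped_ifc) mapped_ip real_ip netmask,
!    so the first address belongs to the DMZ subnet and the second is the real
!    inside address. Using the inside address in both positions is the mistake the
!    reply points out.
static (inside,dmz) 172.16.1.253 10.10.10.53 netmask 255.255.255.255
!
! 2. access-list: permit only the forwarder, only to the mapped address, only DNS.
!    Hosts on the DMZ reach the inside server via 172.16.1.253, so the ACL names
!    the mapped address, not 10.10.10.53. UDP carries normal queries; TCP 53 is
!    needed for large answers and zone transfers, so both are listed.
access-list 102 permit udp host 172.16.1.53 host 172.16.1.253 eq domain
access-list 102 permit tcp host 172.16.1.53 host 172.16.1.253 eq domain
!
! 3. access-group: bind the list inbound on the DMZ interface. Anything else the
!    DMZ sends toward inside is dropped by the implicit deny at the end of the list.
access-group 102 in interface dmz
```

After changing a static on a PIX, run `clear xlate` so stale translation entries do not mask the new mapping, then test from the DMZ forwarder against 172.16.1.253 and confirm with `show access-list 102` that the hit counters on the two permit lines increase. Keeping the list this narrow (one source host, one mapped destination, one service) is the point of the exercise: the DMZ host gets exactly the inside access it needs and nothing more.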