Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Extending DMZ inside the network???

Hello. My question is: how to connect servers located inside the network to DMZ (beside the separate physical link)?

We encountered the problem when it is physically not possible to move DMZ servers close to PIX (different locations/ buildings ).

As crazy as it sounds, but how can I securely!!! extend DMZ into inside network?

Thanks in advance

New Member

Re: Extending DMZ inside the network???

It sounds like a common problem, with a distributed network at least. If there is no way to prod the clients into central housing, you need to extend your DMZ. It depends on HOW secure you want it, really. IF you have port security, and your LAN switches have tight security, and are careful in your network architecture, you CAN extend the DMZ with VLANs, and trunking. I'd consider that your easiest option, tho if the data is of VERY sensitive nature, you'd need to get each remote location it's own switch, and basically build an entire DMZ network alongside your current one, which can get rather pricey AND complex.



New Member

Re: Extending DMZ inside the network???

You can create static NAT [assuming you are doing NAT] entries with access-list entries to allow only certain ports through. Below is an example:

Access-list entry:

access-list [LIST-NAME] permit [TCP or UDP] any host [IP ADDRESS] eq [PORT]

NAT Entry:

static (inside,outside) [GLOBAL IP] [PRIVATE IP] netmask 0 0

The refernce to inside and outside are the port names in your PIX, this can be changed to match your configuration.


New Member

Re: Extending DMZ inside the network???

thats correct, but my solution not only seperates the DMZ'd machine from the external network, but also the internal network as well, by not allowing that DMZ'd device to participate in the broadcast domain, or subnet, of the internal devices. This provides the internal network a level of protection from the DMZ, which straight NATing doesnt do. After all, thats WHY we have DMZs, isnt it?


New Member

Re: Extending DMZ inside the network???


your example is very useful; however, I have a question for you. Since I use PAT. I have no problem to allow outside world accessing server into my dmz.

But allowing our inside private network seems not working correctly.

This is my config.

static (dmz, outside) for outside.

static (inside, dmz) for inside.

global (dmz) 1 interface.

I have accesslist

Is my static for inside correct ?

Thank u.

New Member

Re: Extending DMZ inside the network???

for PAT, I have the following lines in one of my PIXes:

global (GLOBAL) 1

global (DMZ) 1

nat (PRIVATE) 1 0 0

Just curious, what version are you running?

New Member

Re: Extending DMZ inside the network???

Hi Robert,

I got global (dmz) 1 and nat(private) 1

I don't have global (global). What do you need that statment for ...?

Could please you explain ... Thank u.

Our Version is 6.0(1). I believe It has a bug, from time to tim, I need to clear xlate. So what do you use ?

CreatePlease to create content