Cisco Support Community

Managing DMZ servers

Hello All,

Good Day,

I have 2 Cisco PIX 525 configured as an Active/Standby failover pair. There is a DMZ interface on both units of the failover pair, configured for protecting web and mail servers. The inside interfaces are connected to a backbone/core switch. Many user hosts are in different VLANs on this core switch.

My problem is that I need to allow a specific host in a specific VLAN to manage the DMZ servers using remote desktop, ping, telnet, etc.

Of course, my first step was to create a static NAT for this specific host to gain access to the DMZ servers' subnet. Then I created an access-list to allow the protocols I mentioned above. However, the host is still not able to access the DMZ subnet.

When I run a 'tracert' command from this Windows host to the web server, I noticed the first hop was the VLAN interface, and then the packet dies. The default gateway for all the VLANs is the primary PIX inside interface, and they all access the internet properly.

Are there any other things that I must use other than NAT and an access-list? Or is there something that I must create on the core switch?

Please advise...




Re: Managing DMZ servers


You just need a static translation for the inside host like the one below. You don't need to configure an ACL for the inside host to access devices on the DMZ, as the inside interface has a higher security level than the DMZ. If you already have an ACL applied on the inside interface, then make sure the traffic from the inside host to the DMZ isn't blocked.

ip address inside

static (inside, dmz) netmask

Hope this helps!
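The identity static translation and the ACL conditions described in the reply above, written out as a complete PIX 6.x configuration fragment. This is an added example and not the poster's configuration; every address, interface name and ACL name in it is assumed (inside host 10.1.20.50 in VLAN 20, DMZ subnet 172.16.1.0/24, web server 172.16.1.10, mail server 172.16.1.20):

```text
: Added example, not from the original thread. All addresses and names are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.0.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0

: Identity static: the inside host keeps its own address when it appears on the DMZ.
: This is the translation the reply above refers to.
static (inside,dmz) 10.1.20.50 10.1.20.50 netmask 255.255.255.255

: Alternative to the static above (use one or the other, not both):
: exempt the whole inside-to-DMZ path from NAT with nat 0.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

: Only required if an ACL is already applied inbound on the inside interface;
: without one, inside (security100) to dmz (security50) is permitted by default.
access-list INSIDE_IN permit tcp host 10.1.20.50 172.16.1.0 255.255.255.0 eq 3389
access-list INSIDE_IN permit tcp host 10.1.20.50 172.16.1.0 255.255.255.0 eq telnet
access-list INSIDE_IN permit icmp host 10.1.20.50 172.16.1.0 255.255.255.0 echo
access-group INSIDE_IN in interface inside

: ICMP is not inspected statefully on PIX 6.x, so the echo-reply coming back from the
: lower-security DMZ must be permitted explicitly on the DMZ interface ACL.
access-list DMZ_IN permit icmp 172.16.1.0 255.255.255.0 host 10.1.20.50 echo-reply
access-list DMZ_IN permit tcp host 172.16.1.20 any eq smtp
access-group DMZ_IN in interface dmz

: Verification: confirm the translation exists, then watch the pings being built.
show xlate
debug icmp trace
```

Two caveats worth knowing when reading the tracert output quoted in the question: a PIX does not decrement the IP TTL of packets it forwards and does not send ICMP time-exceeded messages for them, so the firewall never appears as a hop in tracert. A trace that shows the VLAN interface and then times out on every later hop is therefore consistent with the PIX silently dropping the packets (no matching translation, or an ACL deny), which is exactly what `show xlate` and the syslog deny messages (`logging buffered` or `logging console` at informational level) will reveal. Also note that RDP and telnet are TCP, so once the translation and the inside ACL are right they need nothing on the DMZ ACL; only ping needs the explicit echo-reply entry.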



Re: Managing DMZ servers

Also, you may want to make sure that you configure the necessary access in the DMZ interface ACLs, if any.
