Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX-Config

Hi,

I have 3 interfaces, outside, inside and DMZ. The DMZ servers are NAT'd to Public IP. I am allowing PUblic to access the DMZ servers via Public IP.

eg:

static (dmz, outside) 161.10.10.10 172.16.2.10 netmask 255.255.255.255

staic (dmz, outside) 161.10.10.11 172.16.2.11 netmask 255.255.255.255

this is from high security to low. What about users from the inside accessing to the DMZ server using public IP? Is the following statement correct?

static (dmz, inside) 161.10.10.10 172.16.2.10 netmask 255.255.255.255

static (dmz, inside) 161.10.10.11 172.16.2.11 netmask 255.255.255.255

thanks!

3 REPLIES
Cisco Employee

Re: PIX-Config

For inside users to access these servers via the public IP, you need to set up "destination NAT" in the PIX, where the PIX will see traffic destined for 161.10.10.10 and change the destination to 172.16.2.10.

The commands you specify above are exactly what's needed. This tells the PIX that if you see a packet on the inside interface for 161.10.10.10, change it to 172.16.2.10 and send it to the dmz interface.

What you could also do, if your DNS server is on the outside interface and it resolves to 161.10.10.10 when your users browse to these servers, is change your existing statics to:

static (dmz, outside) 161.10.10.10 172.16.2.10 dns netmask 255.255.255.255

staic (dmz, outside) 161.10.10.11 172.16.2.11 dns netmask 255.255.255.255

which tells the PIX that if it sees a DNS reply come through that has 161.10.10.10 in it, change it to 172.16.2.10, this way your users can browse to it via its public name and they won't have any idea what IP address they're actually connecting to.

This'll only work if the DNS server is on the outside though, otherwise use "Destination NAT" like you have done with the 2nd set of commands.

Community Member

Re: PIX-Config

Your config is correct.

Silver

Re: PIX-Config

Your config is correct. However, don't forget that inside users must have some form of NAT on their way out to the DMZ. When going from high to low, the source address must always have some form of NAT configured. This can be accomplished with [static], [nat 0], or [nat][global].

96
Views
0
Helpful
3
Replies
CreatePlease to create content