Cisco Support Community
Community Member



I have 3 interfaces: outside, inside and DMZ. The DMZ servers are NAT'd to Public IP. I am allowing the public to access the DMZ servers via Public IP.


static (dmz, outside) netmask

static (dmz, outside) netmask

This is from high security to low. What about users from the inside accessing the DMZ server using the public IP? Is the following statement correct?

static (dmz, inside) netmask

static (dmz, inside) netmask


Cisco Employee

Re: PIX-Config

For inside users to access these servers via the public IP, you need to set up "destination NAT" in the PIX, where the PIX will see traffic destined for and change the destination to

The commands you specify above are exactly what's needed. This tells the PIX that if you see a packet on the inside interface for, change it to and send it to the dmz interface.

What you could also do, if your DNS server is on the outside interface and it resolves to when your users browse to these servers, is change your existing statics to:

static (dmz, outside) dns netmask

static (dmz, outside) dns netmask

which tells the PIX that if it sees a DNS reply come through that has in it, change it to, this way your users can browse to it via its public name and they won't have any idea what IP address they're actually connecting to.

This'll only work if the DNS server is on the outside though, otherwise use "Destination NAT" like you have done with the 2nd set of commands.

Community Member

Re: PIX-Config

Your config is correct.


Re: PIX-Config

Your config is correct. However, don't forget that inside users must have some form of NAT on their way out to the DMZ. When going from high to low, the source address must always have some form of NAT configured. This can be accomplished with [static], [nat 0], or [nat][global].
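
The approaches discussed in this thread, written out in full as an added example that is not part of any of the original posts. The thread's own addresses are not shown, so every address below is a constructed placeholder, and the lines starting with `!` are annotations rather than commands to enter.

```cisco
! Constructed placeholder addresses (not from the thread):
!   DMZ servers, real address:    192.168.50.10, 192.168.50.11
!   DMZ servers, public address:  203.0.113.10,  203.0.113.11
!   inside user network:          10.1.1.0/24
!
! Existing statics: hosts on the outside reach the DMZ servers
! on their public addresses.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
!
! Option A, destination NAT: a packet arriving on the inside interface
! for the public address has its destination rewritten to the real
! address and is sent out the dmz interface.
static (dmz,inside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,inside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
!
! Option B, DNS rewrite: use these in place of the existing statics,
! and only when the DNS server sits on the outside interface. A DNS
! reply carrying the public address is rewritten to the real address
! before it reaches the inside client.
static (dmz,outside) 203.0.113.10 192.168.50.10 dns netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.50.11 dns netmask 255.255.255.255
!
! Needed with either option: source translation for inside users going
! to the DMZ (high to low). Here nat/global is used; static or nat 0
! are the other choices named in the last reply.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface
```

After changing static or nat/global statements on a PIX, run `clear xlate` so that existing translations are rebuilt from the new configuration.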
