Cisco Support Community

New Member

PIX Routing With 3rd Interface

Example Topology

Inside -


Outside - 216.x.x.x

I have a web server sitting on the dmz. I added a global statement which I understand allows all inside clients to start connections to the dmz and outside interfaces. I can access outside resources but I am unable to access the web server on the dmz. What am I missing?


Keith Townsend

New Member

Re: PIX Routing With 3rd Interface

may need to NAT from inside to dmz

the rule being high to low security use nat

low to high use global and access lists

New Member

Re: PIX Routing With 3rd Interface

You have to statically assign a public IP address corresponding with the private IP address used by your Web server with the command "static".

You have to create an access-list to open a port to your Web server and finally assign the access list created before to an access-group assigned to the outside port. You can see an example at the following URL:

New Member

Re: PIX Routing With 3rd Interface

In addition to the static command, you must include a conduit or access list that allows inbound traffic to the web server.


New Member

Re: PIX Routing With 3rd Interface

Hello Keith.

Since you are trying to access a web server from the inside, which is the highest security interface, all you need is to create a global (perimeter) entry. But you have to make sure that there is a nat entry for the inside network. The nat id for the nat (inside) entry should match the id for the global (perimeter) entry. For example if you have nat (inside) 1, then you should have global (perimeter) 1. Users on the inside network would use net to connect to your web server. You don't need any conduit statement since by default the pix allows all connections from the higher security interface to any lower security intf. If you want your web server to initiate a connection to the inside network you will need the static command. I think you've been doing the right thing all along. You need to make sure that the nat id matches the global id.

Cheers and good luck
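Added example, not part of the thread and not any poster's configuration: a small Python audit of the nat id / global id matching rule described in the reply above, run over a constructed PIX 6.x style config. The interface names, addresses and the `missing_globals` helper are assumptions for illustration, and `static` translations are not considered.

```python
import re

# Constructed PIX 6.x style configuration (not from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
NAT_OR_GLOBAL = re.compile(r"^(nat|global)\s+\((\S+?)\)\s+(\d+)\b")


def parse(config):
    """Return (security levels, nat (interface, id) set, global (interface, id) set)."""
    levels, nats, globals_ = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        m = NAMEIF.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = NAT_OR_GLOBAL.match(line)
        if m:
            target = nats if m.group(1) == "nat" else globals_
            target.add((m.group(2), int(m.group(3))))
    return levels, nats, globals_


def missing_globals(config):
    """List (source_if, dest_if, nat_id) where a nat id has no matching global
    on a lower-security interface. nat id 0 (no translation) is skipped."""
    levels, nats, globals_ = parse(config)
    gaps = []
    for src, nat_id in sorted(nats):
        if nat_id == 0 or src not in levels:
            continue
        for dst, level in sorted(levels.items()):
            if level < levels[src] and (dst, nat_id) not in globals_:
                gaps.append((src, dst, nat_id))
    return gaps


if __name__ == "__main__":
    for src, dst, nat_id in missing_globals(SAMPLE_CONFIG):
        print(f"nat ({src}) {nat_id} has no global ({dst}) {nat_id}")
```

On the constructed config this flags the inside-to-dmz path only, which matches the symptom in the original question: outside is reachable, the dmz is not.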


New Member

Re: PIX Routing With 3rd Interface

you must add a static and conduit command.


static (inside,dmza) 10.x.x.x 10.x.x.x netmask 0 0

conduit permit udp 10.x.x.x host 20.x.x.x

conduit permit tcp 10.x.x.x host 20.x.x.x

the static command shown here allows the inside (10.x.x.x) to see that dmz. on that command the inside address has to be typed twice and it needs to be the same.

the conduit command allows the different protocols (tcp and udp) to go back to that inside address scheme from the web server (20.x.x.x)

this should work for you.