Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PNAT to Static

I'm trying to get our inside clients to talk to our DMZ servers through their static statements(IE it looks like an outside IP talking to an outside IP not an inside IP talking to a dmz IP via ASA)

I'm not sure if this is possible with the PIX(520 IOS 6.3) or if it is, what type of rules I need and where.

I'm guessing the inside interface is blockin traffic from the outside(return traffic), but I'm not fully sure.

Do I need special rules in the outside or inside interface to allow traffic to from nat to go out and back?

It is key for our testing that our inside clients go to the public network first then back in, or else we can't test certain functionality right.

New Member

Re: PNAT to Static

This should answer your question by how I'm understanding it:

If this answers your question please close and rate.

New Member

Re: PNAT to Static

umm I only have guest access.

I can't open that link.

Can you paste the config from it to here? I only need to see config examples or working setups. I understand enough about the PIX configs to be able to read them.

New Member

Re: PNAT to Static


Well I finally was able to see the link thanks to a friend and all that link talks bout is the NAT/No-NAT statements.

That isn't really the issue. The issue is within the ACL's and how they are applied. I'm trying to determine if it is possible for a PNAT'd public IP to talk to a public static statement going to a DMZ servers.

The way I have it currently setup makes it seem like it is not possible.

I can easily access the outside world from both the internal clients and dmz servers. The outside world can easily access the dmz servers via the static statements and it seems to me that the internal clients going through the PNAT engine would be able to access the static statements but this is timing out(IE being blocked somewhere)

The idea here is to have the internal clients go outside to the public network then go through the static statements to the DMZ.

Not use the normal method of letting the ASA engine allow the packets to from higher to the lower and make ACLs for that traffic.

I do not want the internal clients to ever be NAT'd into the DMZ.



CreatePlease to create content