Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Traffic between DMZ and Inside

Im new to PIX products. Got confused about the NAT in Cisco. My Web servers in DMZ are using private addresses ( and Inside hosts are using private addresses ( as well. I did the Static NAT for the servers in DMZ and 'interface' NAT for the hosts in the inside network. There is no problem in the traffic between Inside --> Outside, DMZ --> Outside and Outside --> DMZ. But I can not access the hosts in the DMZ with their public ip addresses from Inside network. Also, I need to allow the web servers in DMZ to access the SQL servers in the Inside network. Can anyone help me with the appropriate configuration?

Thank you.

New Member

Re: Traffic between DMZ and Inside

As you can see, it's always easy to leave connection establishment from high security interface to low security interface(i.e. inside to DMZ, inside to outside, DMZ to outside), but for the other way, low sec i/f to high sec i/f, it isn't as much easy.

You cannot access DMZ's servers with their public IP address from inside. Look at the "Alias" command.

About the DMZ to inside connection establishment, use the same kind of config you have configured between outside&DMZ since it's a low to high security interface model. Then you need a static, access-list & access-group applied to the DMZ interface.

Hope this help!


New Member

Re: Traffic between DMZ and Inside

all you need is to remember that the way you act about communication between inside-outside, is the same between inside-dmz because its the same concept of security level...

the alias command might be very helpfull , you can read about it in the next link:

New Member

Re: Traffic between DMZ and Inside

For access to SQL Server:

static ( inside, dmz) sql_server_ip sql_server_ip netmask

sql_server_ip can be in the network.

For inside to DMZ access all access should be allowed by default, if you can post your configuration, I can comment better.

CreatePlease login to create content