Cisco Support Community

Hosts are unable to pass traffic from one DMZ to another DMZ


Hosts on the Demilitarized Zone (DMZ) network need to pass traffic through the PIX Firewall to connect to devices on another DMZ network. For the purposes of this example, all devices on both of the DMZ interfaces need to use their native addresses.

Configure a static translation and access for the workstations on the DMZ to reach the other DMZ network.

Note: The static Network Address Translation (NAT) that is required is for the entire DMZ network with the highest security. The Access Control List (ACL) will not differ from the standard, but will be applied to the DMZ interface with the lowest security.

In this example, the DMZ with the higher security is called DMZ1 and its network will be The DMZ with the lower security will be called DMZ2 and its network will be All the traffic will pass between the two DMZ networks.

Issue the following commands to configure static NAT:

pixfirewall> enable
pixfirewall# configure terminal
pixfirewall (config t)# static (DMZ1, DMZ2)

What the above statement is saying is that when traffic hits the PIX from DMZ2 and is destined for DMZ1's network (, to translate that address to itself. Any traffic that passes through a PIX must be translated. To satisfy this requirement, configure the PIX to translate any address in this range to itself. This is a one-to-one translation. Because this example uses the same range twice, if traffic destined for hits the PIX, when it is sent out of the DMZ1 interface it will remain destined for It does not reassign it a random IP address in the range.

The ACL to permit traffic from the DMZ2 network to the DMZ1 network must be configured. For the example, you will permit all traffic to pass between the two interfaces. However, this may not always be the best choice depending on the security policy you must follow. If you are in doubt about what to allow, it is best to allow only necessary traffic.

Issue the following commands to configure the ACL:

pixfirewall (config t)# access-list dmz2dmz permit ip any any
pixfirewall (config t)# access-group dmz2dmz in interface DMZ2

After these commands have been issued, you should be able to pass the specified traffic. If there is any problem with passing traffic at that point, issue the clear xlate command.

Note: Issuing this command will temporarily drop active connections. They should re-establish within 10 seconds.
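
A check for the permit-all ACL used in this example, added here and not part of the original document: the script reads saved PIX configuration text and reports each interface whose inbound access-group points at an ACL that reaches a "permit ip any any" entry, so those ACLs can be narrowed to only the necessary traffic. The sample configuration, its RFC 5737 addresses, and the ACL names other than dmz2dmz are constructed for illustration.

```python
import re

# Constructed sample config (not from the original page). Addresses are
# RFC 5737 documentation ranges; only the dmz2dmz lines mirror the page.
SAMPLE_CONFIG = """\
access-list dmz2dmz permit ip any any
access-list dmz1out permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 443
access-list dmz1out deny ip any any
access-list unused permit ip any any
access-group dmz2dmz in interface DMZ2
access-group dmz1out in interface DMZ1
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def find_permit_any_any(config_text):
    """Return sorted (interface, acl_name) pairs for ACLs applied inbound
    to an interface that contain a reachable 'permit ip any any' entry."""
    open_acls, closed_acls, bindings = set(), set(), []
    for raw in config_text.splitlines():
        # Drop a pasted CLI prompt such as 'pixfirewall (config t)# '.
        line = raw.split("#", 1)[-1].strip()
        ace = ACE_RE.match(line)
        if ace:
            name, action, rest = ace.groups()
            if rest.split() == ["ip", "any", "any"]:
                # ACLs are first-match: a permit-all that follows a
                # deny-all in the same ACL can never be reached.
                if action == "deny" and name not in open_acls:
                    closed_acls.add(name)
                elif action == "permit" and name not in closed_acls:
                    open_acls.add(name)
            continue
        group = GROUP_RE.match(line)
        if group:
            bindings.append((group.group(2), group.group(1)))
    # An ACL that is defined but never applied is not reported.
    return sorted(b for b in bindings if b[1] in open_acls)


if __name__ == "__main__":
    for interface, acl in find_permit_any_any(SAMPLE_CONFIG):
        print(f"{interface}: ACL '{acl}' permits ip any any")
```
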

Version history
Revision #: 1 of 1
Last update: 06-22-2009 03:33 PM