Cisco Support Community
Disable IP address translation between the DMZ and Inside network?

Assume a network topology is like this:

A PIX with 3 interfaces:

inside interface (private static IP of 10.10.10.1)

outside interface (public static IP of 69.110.38.35)

DMZ interface (private static IP of 30.30.30.1)

The internal clients (private static IPs of 10.10.10.3 - 10.10.10.30) are located in the internal LAN

It is said: "Usually you disable Network address translation between the DMZ and Inside network".

1) Why do I need to disable the IP address translation between the DMZ and Inside network?

2) What is the CLI statement to achieve this (example)?

Thanks for your help.

Scott

1 REPLY

Re: Disable IP address translation between the DMZ and Inside network?

1. You normally only need to NAT if you have overlapping IPs, or PAT if you want to conserve public IPs.

2.

access-list no_nat_2_dmz permit ip 10.10.10.0 255.255.255.224 30.30.30.0 255.255.255.0

access-list no_nat_2_Inside permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.224

static (Inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.224

nat (Inside) 0 access-list no_nat_2_dmz

nat (DMZ) 0 access-list no_nat_2_Inside

or something to that effect. A nat command with an ID of 0 does not NAT the IPs stated in the access-list that you specify.

The static command allows your DMZ to access your Inside network. You probably want to specify certain IPs and services in static commands instead of just lumping everything together and allowing it. This command works, but it kind of defeats one of the purposes of a DMZ.

Note that the nat commands aren't even needed if you don't have:

global (Inside)

global (DMZ)

since the global commands are what make NAT happen.

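Added example, not part of the reply above and not Cisco code: a small Python model of how a PIX 6.x decides whether a flow matches a `nat (ifc) 0 access-list NAME` exemption, run over the two access-lists from the reply with a few constructed flows. It shows two things the prose alone does not: the exemption is scoped by the ACL, so a host outside the /27 that 255.255.255.224 covers (10.10.10.40, for instance) is still subject to the ordinary nat/global translation, and PIX access-lists take subnet masks, not IOS wildcard masks, so the model rejects a wildcard such as 0.0.0.31. The DMZ host 30.30.30.10, the Internet address 198.51.100.7, the lowercasing of interface names and the treatment of a deny entry are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not Cisco code: a model of how a PIX 6.x evaluates a
# "nat (ifc) 0 access-list NAME" exemption. Only the syntax used in the reply
# is parsed: "access-list NAME permit|deny ip SRC SMASK DST DMASK".
# The access-list and nat lines below are the ones from the reply.
PIX_CONFIG = """
access-list no_nat_2_dmz permit ip 10.10.10.0 255.255.255.224 30.30.30.0 255.255.255.0
access-list no_nat_2_Inside permit ip 30.30.30.0 255.255.255.0 10.10.10.0 255.255.255.224
nat (Inside) 0 access-list no_nat_2_dmz
nat (DMZ) 0 access-list no_nat_2_Inside
"""


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def mask_is_valid(mask: str) -> bool:
    """PIX access-lists take subnet masks (255.255.255.224), not the IOS wildcard
    form (0.0.0.31). A subnet mask is a run of 1-bits followed by 0-bits, so the
    inverted mask plus one must be a power of two."""
    try:
        m = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inv = (~m & 0xFFFFFFFF) + 1
    return inv & (inv - 1) == 0


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    if not mask_is_valid(mask):
        raise ValueError(f"{mask} is not a subnet mask (IOS wildcard pasted into a PIX ACL?)")
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_config(config: str) -> tuple[dict[str, list[AclEntry]], dict[str, str]]:
    """Return (acls, exemptions): ACL name -> entries, and interface -> ACL name
    taken from "nat (ifc) 0 access-list NAME" lines. Interface names are
    lowercased so "Inside" and "inside" compare equal (a modelling choice)."""
    acls: dict[str, list[AclEntry]] = {}
    exemptions: dict[str, str] = {}
    for raw in config.splitlines():
        p = raw.split()
        if len(p) == 8 and p[0] == "access-list" and p[2] in ("permit", "deny") and p[3] == "ip":
            acls.setdefault(p[1], []).append(AclEntry(p[2], _net(p[4], p[5]), _net(p[6], p[7])))
        elif len(p) == 5 and p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            exemptions[p[1].strip("()").lower()] = p[4]
    return acls, exemptions


def is_nat_exempt(config: str, ingress: str, src: str, dst: str) -> bool:
    """First matching entry wins: a permit exempts the flow from translation; a
    deny, or no match at all, leaves it to the ordinary nat/global rules
    (the deny handling is an assumption of this model)."""
    acls, exemptions = parse_config(config)
    name = exemptions.get(ingress.lower())
    if name is None:
        return False
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acls.get(name, []):
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


if __name__ == "__main__":
    # Constructed flows: 30.30.30.10 and 198.51.100.7 are example addresses,
    # not addresses from the post.
    for ingress, src, dst in [
        ("Inside", "10.10.10.5", "30.30.30.10"),   # client -> DMZ: exempt
        ("DMZ", "30.30.30.10", "10.10.10.5"),      # DMZ -> client: exempt
        ("Inside", "10.10.10.5", "198.51.100.7"),  # client -> Internet: translated
        ("Inside", "10.10.10.40", "30.30.30.10"),  # outside the /27 the mask covers
    ]:
        print(f"{ingress:6} {src:>13} -> {dst:<13} exempt={is_nat_exempt(PIX_CONFIG, ingress, src, dst)}")
```

Run it as a script to see the four flows classified. The fourth flow is the practical caveat: the reply's mask 255.255.255.224 only covers 10.10.10.0 through 10.10.10.31, which fits the poster's clients at .3 to .30 but nothing beyond, so growing the client range later means widening the access-lists as well as the static.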