DMZ zone public Ip

ssshibu asked
Medium Priority
Last Modified: 2010-04-12
Dear Experts,

Please help me to solve the issue with respect to the PIX firewall. Here is the issue which I am facing now.

From internal zone and backbone zone networks we are not able to reach the DMZ servers' public IP.

Here are the IP details:

a) Internal zone networks - (inside) 1

b) Backbonezone networks - (BACKBONEZONE) 1

c) DMZ network - (ips natted to public ips- 210.*.*.*/28)

d) The PIX outside interface IP is in the same subnet which we natted to the DMZ servers.

When we try from the inside zone or backbonezone network to the DMZ zone network private IP, e.g. http:\\\siren, we are able to reach it. But at the same time, with the DMZ servers' public IP (210.*.*.*) we are not able to reach it.

Is it possible to reach with public IP?

Sr. Systems Engineer
Top Expert 2008
I'm sorry to tell you that it is not possible to reach the internal servers by their public IP address from anywhere except the outside.
It has to do with the design of the PIX and the order of packet flow and NAT processing.

lrmoore sir,

Could you explain a bit on this?

What is the technical issue?


Now that network is being added to our Centre. Earlier they had a separate internet connection through which they were able to access the DMZ-located server with public IP and with the hostname (www.e-....com).

Since this is being routed to our centre (coming through BACKBONEZONE) and natted to global, they are not able to access the DMZ servers with public IP or hostname, but they can access the server with private IP.

Can I run any private DNS and accomplish this connectivity?

Les Moore
Sr. Systems Engineer
Top Expert 2008

Technically, it has to do with the way a packet is handled.
Pix receives packet on inside interface destined for public ip a.b.c.d
Pix knows that IP subnet is on its outside interface, but then it is natted to inside host 10.x.x.x.
Pix knows that IP subnet is on its inside interface, the same interface the packet came in on
Pix by design will not re-direct a packet back out the same interface it came in on.
Even if the natted host is on a separate dmz, the Pix would forward the packet from source 10.1.8.* to host 10.1.14.*
Host 10.1.14.* responds to 10.1.8.*
Host 10.1.8.* expects reply from a.b.c.d, drops response packet from 10.1.8.*

Yes, running a private DNS is the easiest answer.
However, if you are only using public DNS there is another feature of pix that might help. It is called "dns doctoring" and is accomplished in one of two ways, depending on your OS version.
Or, if using OS 6.3.x you can use "dns" keyword in the static nat statements
  static (dmz,outside) dns netmask
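
An added example (not part of the thread and not Cisco code): a small Python model of the packet walk as the answer above describes it, and of what DNS doctoring changes for an inside client that resolves the server through public DNS. The addresses, hostname and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation addresses, not the poster's network.
# One static NAT entry, mapped (public) address -> real (DMZ) address.
STATICS = {ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("10.1.14.5")}


def doctor_dns_reply(answers, statics=STATICS):
    """Rewrite A records that carry a static's mapped address to the real
    address, which is what DNS doctoring does to a public DNS reply."""
    doctored = []
    for name, addr in answers:
        ip = ipaddress.ip_address(addr)
        doctored.append((name, str(statics.get(ip, ip))))
    return doctored


def client_accepts(connected_to, reply_from):
    """The client only accepts a reply whose source is the address it
    connected to; anything else does not match its connection and is dropped."""
    return ipaddress.ip_address(connected_to) == ipaddress.ip_address(reply_from)


def connect(dst, statics=STATICS):
    """Packet walk as described in the answer: the destination is translated
    to the real host, and the host replies from its real address."""
    ip = ipaddress.ip_address(dst)
    reply_from = statics.get(ip, ip)
    return client_accepts(dst, str(reply_from))


def browse(name, public_answers, doctoring):
    """Resolve name via public DNS, optionally doctored, then connect."""
    answers = doctor_dns_reply(public_answers) if doctoring else public_answers
    return connect(dict(answers)[name])


if __name__ == "__main__":
    public = [("www.example.com", "203.0.113.10")]  # constructed DNS answer
    print("without doctoring:", browse("www.example.com", public, False))
    print("with doctoring:   ", browse("www.example.com", public, True))
```

With doctoring, the inside client never sees the public address, so it connects to the DMZ host's private address directly, which is the same result a private DNS zone gives.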
