DMZ hosts to internet & inside require two NIC's, or can this be done by NAT? 250 POINTS

I have an network with 1 pix with an outside interface, a dmz interface which the internet can access with public addresses, lets just say 195.XXX & an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. how can this be done?

Is the only way to do this by having two lots of nics on the hosts, one with public addresses 195XXX that route to the internet & one with lets say  172.16.X.X for my dmz hosts so they can go inside, or can my dmz hosts get to the inside without having to nat their 195.XXX addresses?

If this can be done by nat & route could someone show  example nat & route statements?
thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You can do this by simple NAT and access-list.  Here's an example

ip address outside
ip address inside
ip address dmz1

!!allows hosts on the inside and dmz1 interface to go out to the internet using PAT

global (outside) 1 interface
nat (inside) 1
nat (dmz1) 1

!! allows hosts on the dmz to communicate with the inside hosts and vice versa.

static (inside,dmz1) netmask
access-list dmz1_acl permit ip any any
access-group dmz1_acl in interface dmz1

The static above can be done on a per IP basis instead of the entire inside network depending on your
requirements. Likewise, you can be as restrictive on the access-list as you need to be (e.g only allowing
certain traffic to the inside network).

lowfellAuthor Commented:
Sorry I may be confusing you. My DMZ hosts Accept INBOUND only WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses

I believe the 200.XXX DMZ hosts nat to a 192.168.0.X addresses (although they are only accepting inbound connections)

I want these 200.XXX (192.168.0.X) DMZ hosts  to connect to my inside hosts on   port 80

The inside address range is 172.16XX

How do I do this ?
Ok, so the DMZ host already accepts a connection from the internet on port 80 and
you want the DMZ hosts to connect to the inside hosts. Since inside hosts is
residing on an interface with a higher security level, you will need to add a static and


static (inside, dmz) 172.16.x.x 172.16.x.x netmask 255.255.x.x

access-list 101 permit tcp 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x eq 80
access-list 101 deny ip 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x
access-list 101 permit ip any any

access-group 101 in interface dmz

The command above will allow host on the DMZ to communicate with the inside host on port 80.
Just replace it with the actual IP and interface name.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lowfellAuthor Commented:
Many thanks, this is much appreciated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.