DMZ hosts to internet & inside require two NICs, or can this be done by NAT?  250 POINTS

Posted on 2006-04-27
Last Modified: 2010-04-11
I have a network with one PIX with an outside interface, a DMZ interface which the internet can access with public addresses (let's just say 195.XXX), and an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. How can this be done?

Is the only way to do this by having two lots of NICs on the hosts, one with public addresses 195.XXX that route to the internet and one with, let's say, 172.16.X.X for my DMZ hosts so they can go inside, or can my DMZ hosts get to the inside without having to NAT their 195.XXX addresses?

If this can be done by NAT and route, could someone show example nat and route statements?
thanks in advance
Question by:lowfell
    LVL 9

    Expert Comment

    You can do this by simple NAT and access-list.  Here's an example

    !! values in angle brackets are placeholders for your own addresses and masks

    ip address outside <ip> <mask>
    ip address inside <ip> <mask>
    ip address dmz1 <ip> <mask>

    !! allows hosts on the inside and dmz1 interfaces to go out to the internet using PAT

    global (outside) 1 interface
    nat (inside) 1 <inside-network> <mask>
    nat (dmz1) 1 <dmz1-network> <mask>

    !! allows hosts on the dmz to communicate with the inside hosts and vice versa.

    static (inside,dmz1) <inside-network> <inside-network> netmask <mask>
    access-list dmz1_acl permit ip any any
    access-group dmz1_acl in interface dmz1

    The static above can be done on a per-IP basis instead of the entire inside network, depending on your
    requirements. Likewise, you can be as restrictive on the access-list as you need to be (e.g. only allowing
    certain traffic to the inside network).


    Author Comment

    Sorry, I may be confusing you. My DMZ hosts accept INBOUND only WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses.

    I believe the 200.XXX DMZ hosts NAT to 192.168.0.X addresses (although they are only accepting inbound connections).

    I want these 200.XXX (192.168.0.X) DMZ hosts to connect to my inside hosts on port 80.

    The inside address range is 172.16.X.X.

    How do I do this?
    LVL 9

    Accepted Solution

    OK, so the DMZ host already accepts a connection from the internet on port 80 and
    you want the DMZ hosts to connect to the inside hosts. Since the inside hosts are
    residing on an interface with a higher security level, you will need to add a static and


    !! identity static so the inside range is reachable from the dmz interface
    static (inside,dmz) 172.16.x.x 172.16.x.x netmask 255.255.x.x

    !! first match wins: allow port 80 to the inside, block everything else to the inside,
    !! then let the DMZ hosts out to anywhere else (e.g. the internet)
    access-list 101 permit tcp 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x eq 80
    access-list 101 deny ip 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x
    access-list 101 permit ip any any

    access-group 101 in interface dmz

    The commands above will allow hosts on the DMZ to communicate with the inside hosts on port 80.
    Just replace the x's with the actual IPs and use your real interface name.
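The access-list in the accepted answer is evaluated top down, first match wins, with an implicit deny at the end, and because it is applied inbound on the dmz interface it sees the DMZ hosts' real 192.168.0.x addresses rather than their 200.x public translations. The small model below is an added example, not code from the thread or from Cisco: it parses the subset of PIX access-list syntax used in the answer, evaluates a few constructed flows against it, and shows one thing the answer's ordering does not cover. The `deny` line only covers the 192.168.0.x source range, so a DMZ host with any other address would fall through to `permit ip any any` and reach the inside on every port; the tightened variant denies `any` source to the inside range instead. The concrete subnets (192.168.0.0/24 for the DMZ, 172.16.0.0/16 for the inside) stand in for the x's in the answer and are assumptions, and the `static (inside,dmz)` that makes the inside range reachable is assumed to be in place and is not modelled.

```python
"""Model of first-match evaluation for a PIX 6.x style access-list.

Added example (not from the original thread). The subnets 192.168.0.0/24
(DMZ real addresses) and 172.16.0.0/16 (inside) are assumed in place of the
x's in the accepted answer; the identity static is assumed and not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


def _net(tok: List[str], i: int):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX access-lists take a real subnet mask (255.255.255.0), not an IOS wildcard.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    src, i = _net(tok, 4)
    dst, i = _net(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Return 'permit' or 'deny' for a new connection; first matching entry wins.

    Every PIX access-list ends with an implicit deny, so an unmatched packet is dropped.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The access-list from the accepted answer with the x's filled in (assumed values).
ACL_ANSWER = parse_acl("""
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 80
access-list 101 deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 101 permit ip any any
""")

# Tightened variant: deny ANY source to the inside range before the catch-all,
# so a DMZ address outside 192.168.0.0/24 cannot slip past the deny line.
ACL_TIGHT = parse_acl("""
access-list 102 permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 80
access-list 102 deny ip any 172.16.0.0 255.255.0.0
access-list 102 permit ip any any
""")


def check_flows(acl: List[Ace]) -> dict:
    """Evaluate a few representative DMZ-initiated flows (constructed sample input)."""
    return {
        "dmz->inside:80":       evaluate(acl, "tcp", "192.168.0.10", "172.16.1.20", 80),
        "dmz->inside:22":       evaluate(acl, "tcp", "192.168.0.10", "172.16.1.20", 22),
        "dmz->internet:443":    evaluate(acl, "tcp", "192.168.0.10", "203.0.113.5", 443),
        # a DMZ host outside the /24 that the answer's deny line covers
        "other-dmz->inside:22": evaluate(acl, "tcp", "192.168.1.5", "172.16.1.20", 22),
    }


if __name__ == "__main__":
    for name, acl in (("answer", ACL_ANSWER), ("tightened", ACL_TIGHT)):
        print(name, check_flows(acl))
```

With the answer's list, `other-dmz->inside:22` comes back `permit`, which is the ordering gap; with the tightened list it is `deny` while the intended port 80 and internet flows are unchanged. The same first-match reasoning applies when you trim the final `permit ip any any` down to just the ports the DMZ hosts genuinely need outbound.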

    Author Comment

    Many thanks, this is much appreciated.
