DMZ hosts to internet & inside require two NIC's, or can this be done by NAT? 250 POINTS

I have an network with 1 pix with an outside interface, a dmz interface which the internet can access with public addresses, lets just say 195.XXX & an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. how can this be done?

Is the only way to do this by having two lots of nics on the hosts, one with public addresses 195XXX that route to the internet & one with lets say  172.16.X.X for my dmz hosts so they can go inside, or can my dmz hosts get to the inside without having to nat their 195.XXX addresses?

If this can be done by nat & route could someone show  example nat & route statements?
thanks in advance
lowfellAsked:
Who is Participating?
 
stressedout2004Commented:
Ok, so the DMZ host already accepts a connection from the internet on port 80 and
you want the DMZ hosts to connect to the inside hosts. Since inside hosts is
residing on an interface with a higher security level, you will need to add a static and
access-rule.

e.g

static (inside, dmz) 172.16.x.x 172.16.x.x netmask 255.255.x.x

access-list 101 permit tcp 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x eq 80
access-list 101 deny ip 192.168.0.x 255.255.x.x 172.16.x.x 255.255.x.x
access-list 101 permit ip any any

access-group 101 in interface dmz

The command above will allow host on the DMZ to communicate with the inside host on port 80.
Just replace it with the actual IP and interface name.
0
 
stressedout2004Commented:
You can do this by simple NAT and access-list.  Here's an example

ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.1.1.0 255.255.255.0
ip address dmz1 192.168.5.0 255.255.255.0

!!allows hosts on the inside and dmz1 interface to go out to the internet using PAT

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0

!! allows hosts on the dmz to communicate with the inside hosts and vice versa.

static (inside,dmz1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list dmz1_acl permit ip any any
access-group dmz1_acl in interface dmz1


The static above can be done on a per IP basis instead of the entire inside network depending on your
requirements. Likewise, you can be as restrictive on the access-list as you need to be (e.g only allowing
certain traffic to the inside network).



0
 
lowfellAuthor Commented:
Sorry I may be confusing you. My DMZ hosts Accept INBOUND only WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses

I believe the 200.XXX DMZ hosts nat to a 192.168.0.X addresses (although they are only accepting inbound connections)

I want these 200.XXX (192.168.0.X) DMZ hosts  to connect to my inside hosts on   port 80

The inside address range is 172.16XX

How do I do this ?
0
 
lowfellAuthor Commented:
Many thanks, this is much appreciated.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.