DMZ hosts to internet & inside require two NIC's, or can this be done by NAT? 250 POINTS

I have an network with 1 pix with an outside interface, a dmz interface which the internet can access with public addresses, lets just say 195.XXX & an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. how can this be done?

Is the only way to do this by having two lots of nics on the hosts, one with public addresses 195XXX that route to the internet & one with lets say  172.16.X.X for my dmz hosts so they can go inside, or can my dmz hosts get to the inside without having to nat their 195.XXX addresses?

If this can be done by nat & route could someone show  example nat & route statements?
thanks in advance
lowfellAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nodiscoCommented:
hi there

Simplest way to do it is create a static nat translation - no route statements are necessary

conf t
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

If inside and dmz hosts can both access the internet then you probably have something in your config like:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 [ip address/range/interface]

The static nat translation will not affect this.
Also if you want to restrict DMZ hosts to just certain hosts/ports etc on the inside then you can apply an access-list for same:

access-list fromdmz permit tcp any any eq www
access-list fromdmz permit ip any host 10.1.1.1 eq https
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz

Hope this helps




0
lowfellAuthor Commented:
Sorry I may be confusing you. My DMZ hosts Accept INBOUND only WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses

I believe the 200.XXX DMZ hosts nat to a 192.168.0.X addresses (although they are only accepting inbound connections)

I want these 200.XXX (192.168.0.X) DMZ hosts  to connect to my inside hosts on   port 80

The inside address range is 172.16XX

How do I do this ?
0
nodiscoCommented:
If you post your sanitized pix config it will be easier to explain this but if you cannot.....

I am assuming the following:
Internal range - 172.16.x.x
DMZ range - 192.168.0.x
DMZ hosts are natted to public ip and then allow www traffic in
For this - you should see something like this in your config:
static (dmz, outside) 200.x.x.x 192.168.0.x netmask 255.255.255.255
access-list [aclname] permit tcp any host 200.x.x.x eq www
access-group [aclname] in interface outside
#######################################
To allow the DMZ hosts to connect to your inside hosts on port 80:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-list fromdmz permit tcp any host 172.16.0.x eq 80
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz

In this example - you are permitting only port 80 access from "any" machine in the dmz to the host 172.16.0.x in the inside network.  The deny acl is not necessary but I like to add one of these in so you can see hits on the acl if other traffic is attempting a connection.

Hope this helps

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lowfellAuthor Commented:
Many thanks, this is much appreciated
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.