DMZ hosts to internet & inside require two NICs, or can this be done by NAT?

Posted on 2006-04-27
Last Modified: 2010-04-09
I have a network with one PIX with an outside interface, a DMZ interface which the internet can access with public addresses (let's just say 195.XXX), and an inside 10.XXX network.

I want the DMZ hosts to be able to contact hosts on my inside network as well as the internet. How can this be done?

Is the only way to do this by having two lots of NICs on the hosts, one with public addresses 195.XXX that route to the internet and one with, let's say, 172.16.X.X for my DMZ hosts so they can go inside, or can my DMZ hosts get to the inside without having to NAT their 195.XXX addresses?

If this can be done by NAT and route, could someone show example nat and route statements?
Thanks in advance.
Question by: lowfell

    Expert Comment

    Hi there

    The simplest way to do it is to create a static NAT translation - no route statements are necessary:

    conf t
    static (inside,dmz) [inside-ip-as-seen-from-dmz] [inside-ip] netmask 255.255.255.255

    If inside and DMZ hosts can both access the internet then you probably have something in your config like:
    nat (inside) 1 0 0
    nat (dmz) 1 0 0
    global (outside) 1 [ip address/range/interface]

    The static nat translation will not affect this.
    Also, if you want to restrict DMZ hosts to just certain hosts/ports etc. on the inside, then you can apply an access-list for same:

    access-list fromdmz permit tcp any any eq www
    access-list fromdmz permit tcp any host [inside-ip] eq https
    access-list fromdmz deny ip any any
    access-group fromdmz in interface dmz

    Hope this helps


    Author Comment

    Sorry, I may be confusing you. My DMZ hosts accept INBOUND only WWW FROM THE INTERNET. These DMZ hosts have 200.XXX public addresses.

    I believe the 200.XXX DMZ hosts NAT to 192.168.0.X addresses (although they are only accepting inbound connections).

    I want these 200.XXX (192.168.0.X) DMZ hosts to connect to my inside hosts on port 80.

    The inside address range is 172.16.X.X.

    How do I do this?

    Accepted Solution

    If you post your sanitized PIX config it will be easier to explain this, but if you cannot...

    I am assuming the following:
    Internal range - 172.16.x.x
    DMZ range - 192.168.0.x
    DMZ hosts are NATted to a public IP, which then allows www traffic in
    For this, you should see something like this in your config:
    static (dmz,outside) 200.x.x.x 192.168.0.x netmask 255.255.255.255
    access-list [aclname] permit tcp any host 200.x.x.x eq www
    access-group [aclname] in interface outside
    To allow the DMZ hosts to connect to your inside hosts on port 80:
    static (inside,dmz) 172.16.0.x 172.16.0.x netmask 255.255.255.255
    access-list fromdmz permit tcp any host 172.16.0.x eq 80
    access-list fromdmz deny ip any any
    access-group fromdmz in interface dmz

    In this example, you are permitting only port 80 access from "any" machine in the DMZ to the host 172.16.0.x in the inside network. The deny ACL is not necessary, but I like to add one of these in so you can see hits on the ACL if other traffic is attempting a connection.

    Hope this helps
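Both expert comments above come down to the same two-part requirement on a PIX: a `static` that gives the inside host an address reachable from the DMZ, plus an inbound access-list on the DMZ interface that permits only the intended port. The following Python script is an added example, not code from the thread or from Cisco. It parses just the subset of PIX 6.x syntax used in the accepted solution (`static`, `access-list` with `any`/`host`, `access-group`), and answers whether a given DMZ-to-inside (or internet-to-DMZ) flow would get through and why. The sample config embedded in it is constructed to mirror the accepted solution; its addresses (200.0.0.10, 192.168.0.10, 172.16.0.5, 198.51.100.7) are made-up stand-ins for the thread's sanitised values, and `acls_without_explicit_deny` implements the check behind the expert's habit of closing each ACL with `deny ip any any`.

```python
"""Checker for the PIX 'static' + 'access-list' pattern discussed in the thread.
Added example, not from the thread or from Cisco. It parses the subset of PIX 6.x
syntax the expert used and answers "does this flow from a lower-security interface
(dmz, outside) get through?". A PIX needs two things for that: a static that gives the
destination an address on the incoming interface, and an inbound access-list on that
interface permitting the flow (first match wins; unmatched traffic is dropped anyway,
so the trailing 'deny ip any any' only makes the drops visible as ACL hits).
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample config shaped like the accepted solution; the addresses are
# made-up stand-ins for the thread's sanitised 200.x.x.x / 192.168.0.x / 172.16.0.x.
SAMPLE_CONFIG = """
static (dmz,outside) 200.0.0.10 192.168.0.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 200.0.0.10 eq www
access-group outside_in in interface outside
static (inside,dmz) 172.16.0.5 172.16.0.5 netmask 255.255.255.255
access-list fromdmz permit tcp any host 172.16.0.5 eq 80
access-list fromdmz deny ip any any
access-group fromdmz in interface dmz
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
# Static: 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask'; Ace: one access-list line
Static = namedtuple("Static", "real_ifc mapped_ifc mapped real")
Ace = namedtuple("Ace", "action proto src dst port")  # src/dst None = 'any', port None = no 'eq'


class PixPolicy:
    def __init__(self, text):
        self.statics = []
        self.acls = {}    # ACL name -> [Ace]
        self.groups = {}  # interface -> ACL applied inbound
        for line in text.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "static":
                real_ifc, mapped_ifc = re.fullmatch(r"\((\w+),(\w+)\)", tok[1]).groups()
                self.statics.append(Static(
                    real_ifc, mapped_ifc,
                    ipaddress.IPv4Network((tok[2], tok[5]), strict=False),
                    ipaddress.IPv4Network((tok[3], tok[5]), strict=False)))
            elif tok[0] == "access-list":
                src, i = self._addr(tok, 4)
                dst, i = self._addr(tok, i)
                port = None
                if i < len(tok) and tok[i] == "eq":
                    port = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
                self.acls.setdefault(tok[1], []).append(Ace(tok[2], tok[3], src, dst, port))
            elif tok[0] == "access-group":  # access-group NAME in interface IFC
                self.groups[tok[4]] = tok[1]

    @staticmethod
    def _addr(tok, i):  # parse 'any' or 'host A.B.C.D' at tok[i] -> (network or None, next index)
        if tok[i] == "any":
            return None, i + 1
        if tok[i] == "host":
            return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
        raise ValueError(f"unsupported address form: {tok[i]}")

    def translate(self, in_ifc, dst):
        """Real address behind a destination seen from in_ifc, or None if no static covers it."""
        for s in self.statics:
            if s.mapped_ifc == in_ifc and dst in s.mapped:
                return s.real.network_address + (int(dst) - int(s.mapped.network_address))
        return None

    def check_flow(self, in_ifc, src_ip, dst_ip, proto, dport):
        """(allowed, reason, real_dst) for a flow entering on in_ifc; ACL matched on the mapped address."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        real = self.translate(in_ifc, dst)
        if real is None:
            return False, f"no static on ({in_ifc}) covers {dst}", None
        name = self.groups.get(in_ifc)
        if name is None:
            return False, f"no access-group bound inbound on {in_ifc}", str(real)
        for n, a in enumerate(self.acls.get(name, []), 1):
            if ((a.proto == "ip" or a.proto == proto)
                    and (a.src is None or src in a.src)
                    and (a.dst is None or dst in a.dst)
                    and (a.port is None or a.port == dport)):
                return a.action == "permit", f"{name} line {n} ({a.action})", str(real)
        return False, f"{name}: no match, implicit deny", str(real)


def acls_without_explicit_deny(policy):
    """Bound ACLs whose last line is not 'deny ip any any', the line the expert adds for visibility."""
    return sorted(name for name in policy.groups.values()
                  if not (policy.acls.get(name) and policy.acls[name][-1] == Ace("deny", "ip", None, None, None)))


if __name__ == "__main__":
    p = PixPolicy(SAMPLE_CONFIG)
    print(p.check_flow("dmz", "192.168.0.10", "172.16.0.5", "tcp", 80))   # permitted by fromdmz line 1
    print(p.check_flow("dmz", "192.168.0.10", "172.16.0.5", "tcp", 443))  # stopped by the explicit deny
    print("bound ACLs without a final explicit deny:", acls_without_explicit_deny(p))
```

Running it shows the split the expert describes: port 80 to 172.16.0.5 is permitted by line 1 of `fromdmz`, port 443 is stopped by line 2 (so it would show as a hit on the deny), and a host with no `static` such as 172.16.0.6 is unreachable from the DMZ regardless of the ACL. The audit reports `outside_in` as lacking the closing deny, which is exactly the kind of ACL where dropped traffic vanishes into the implicit deny without a counter.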


    Author Comment

    Many thanks, this is much appreciated.
