Cisco Pix DMZ without NAT, LAN with NAT

Posted on 2007-11-20
Last Modified: 2011-04-14
Good evening all.
We have a Cisco Pix 515E with three interfaces, Inside (, Outside and DMZ (  We have a public /29 IP range ( for this example).  I am not sure if this is even possible but it's worth a try.  The Pix is all set up and working no problem. Our LAN connects to the internet (shown IP and DMZ without issues, our webmail ( is published with the DNS extension to allow internal access without requiring an internal DNS entry etc.

We now need to run an application in the DMZ that must bind to the public IP Address ( so we require the NAT to be disabled on the DMZ only.  I have had a play with the config but because for it all to route correctly the DMZ interface needs the IP Address however this fails because it conflicts with the outside interface.

After thinking about this for a good while my feeling is that a second Pix will need to come in and be placed in front of our existing Pix but run without NAT but still allow our machines to be firewalled.  Is there a way of running the DMZ purely on our public IP range rather than a private one NAT'd?  I have googled, gone through Cisco docs etc and can only find examples for running NAT or no-nat but not both.  If the only way is with a second Pix then fair enough but if it can be done without that would be a bonus.


Question by:Sword_Fish

Accepted Solution

Sword_Fish earned 0 total points
ID: 20326279
Realised this morning that yes we will need a second pix to run

Leased Line router ---- transparent pix --- switch --- routed pix.  

The switch would also have the public IP'd interfaces of the servers.  The Cisco support docs also appear to support this
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20326473
   Hi Sword_Fish
       "We now need to run an application in the DMZ that must bind to the public IP Address ( so we require the NAT to be disabled on the DMZ only."
        For achieving this, you don't need a second pix and you don't need to disable NAT.
        If you want to address-translate all of your DMZ network to in outside, you need the following
        nat (DMZ) 2
        global (outside) 2
        access-list outside_access_in permit tcp any host eq yourapplicationsport
        If the application runs on 1 server/computer in DMZ (let's say that its IP is, do the following
        static (DMZ,outside) netmask 0 0
        access-list outside_access_in permit tcp any host eq yourapplicationsport


Author Comment

ID: 20350547
Unfortunately the server in the DMZ has to be physically assigned in Windows the IP address  We have got hold of a second pix to run purely in transparent mode and will mount a switch between pix1 and pix2, plugging the server into this switch.

Statics don't work (I tried) because the IP address of the Windows server must be

Question has a verified solution.
