problem at nat in pix

sword1 Member Posts: 9
First, review the syntax:

ip address outside 60.181.111.210
ip address inside
ip address dmz

nat (dmz) 0
nat (inside) 2
global (outside) 2

This is the running configuration, which allows the internal hosts to communicate from the inside to the outside interface. But my boss told me to also enable access from inside to the DMZ, so I added the following command:

nat (dmz) 0
nat (inside) 2
global (outside) 2
global (dmz) 2

The DMZ's public IPs stopped browsing to the outside. Why?

I also added the ping/trace commands:

access-list icmp_acl permit icmp any any
access-group icmp_acl in interface dmz

Any idea? And if I am wrong, what is the appropriate approach and command?
Thank you


  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    Still working on my coffee, but straight off your global (outside) IP looks wrong: it's in your DMZ range and not the outside IP.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • garv221 Member Posts: 1,914
    Hmmmmmmmm. Early for me as well. Played Wii all night. Maybe this will help to get internet access from the DMZ.

    nat (dmz) 0
    global (outside) 0

    To get access from "inside" to "dmz" you need an ACL on the DMZ allowing "inside" access to the DMZ. What are the local addresses?

    I will take a look back later and think through it again.
  • crazy_jay Member Posts: 7
    You will have to do something like this:

    If your inside subnets are, for example, and your internal DMZ subnet is then you need to do the following:

    static (inside,dmz) netmask

    access-list dmz extended permit ip

    access-group dmz in interface dmz

    This should do it.
  • sword1 Member Posts: 9
    inside ip
    dmz ip

    Now, answering in more detail: the existing commands were working great. The defined inside (private IP) and DMZ (public IP) users were accessing the internet successfully.

    The enhancement I have to make is that the inside users should access the outside as well as the DMZ. For that I added the blue-lined command (previously talked about) to the existing commands. Actually, the following commands

    nat (inside) 2
    global (outside) 2

    are allowing the inside users out to the outside world (PATting), and I thought that if I add

    global (dmz) 2

    it would allow the inside users to access the DMZ as well, because NAT is used to allow traffic from a high-security interface (inside) to a lower-security interface (DMZ),
    and an access list is used to allow traffic from a low-security interface to a high-security interface.

    I think I have to add a NAT command with a new NAT "ID", that is

    nat (inside) 3
    global (dmz) 3

    What do you people say about this?
    Thank you
  • crazy_jay Member Posts: 7
    Check out this link. It shows the standard configuration for a server to be accessed internally (inside interface) as well as from the outside.
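An added example (not posted by anyone in this thread) of the inside-to-DMZ approach crazy_jay describes, written next to the nat/global pair sword1 already has working. The subnets are placeholders: 10.1.1.0/24 stands in for the private inside range and 192.0.2.0/24 for the public DMZ range; 192.0.2.10 is an assumed DMZ web server.

```cisco
! --- Already working per the thread: DMZ passes untranslated, inside PATs to outside ---
nat (dmz) 0 192.0.2.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 2 interface
!
! --- Inside -> DMZ without adding a global (dmz) entry ---
! An identity static keeps the real inside addresses when inside hosts talk to
! the DMZ. Statics are matched before the nat/global pair, so inside -> outside
! traffic still uses nat 2 / global (outside) 2 and is unaffected.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Connections initiated from inside (higher security) to the DMZ are allowed by
! security level, and TCP/UDP return traffic is matched by the stateful table.
! An access-group on the DMZ interface only governs traffic the DMZ hosts
! themselves originate toward higher-security interfaces, so keep it narrow.
! ICMP echo replies are not tracked statefully on PIX 6.x, which is why a ping
! from inside into the DMZ needs them permitted explicitly; this replaces the
! blanket "permit icmp any any" from the original post with only the replies.
access-list dmz extended permit icmp 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz extended permit icmp 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0 time-exceeded
access-list dmz extended permit icmp 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0 unreachable
! Example of a DMZ-originated flow that is deliberately permitted (assumed need).
access-list dmz extended permit tcp host 192.0.2.10 10.1.1.0 255.255.255.0 eq 514
access-group dmz in interface dmz
```

After applying, `show xlate` should list the inside hosts with identical local and global addresses toward the DMZ while their outside connections still appear as the PAT address.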