The global dmz command enables inside users to access the DMZ web server

fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

fw1(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-15

In the figure, the first nat command enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The second nat command enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface.

Because both mapped pools and the nat (inside) command use NAT ID 1, addresses of hosts on the 10.0.0.0 network can be translated to either mapped pool; the pool actually used depends on the interface the connection exits. When users on the inside interface access hosts on the DMZ, the global (dmz) command translates their source addresses to addresses in the 172.16.0.20-172.16.0.254 range. When they access hosts on the outside, the global (outside) command translates their source addresses to addresses in the 192.168.0.20-192.168.0.254 range. Two practical consequences follow: the DMZ web server sees inside clients as 172.16.0.20-172.16.0.254 rather than as 10.0.0.x addresses, so its logs and any host-based access controls must allow for that; and because the PIX answers ARP (proxy ARP) for addresses in a global pool, no DMZ host may be assigned an address in the pool range.

When users on the DMZ access outside hosts, the global (outside) command translates their source addresses to addresses in the 192.168.0.20-192.168.0.254 range, the same pool that inside users draw from when they go outside. No global pool applies to DMZ-to-inside traffic: the nat (dmz) command covers only connections started toward interfaces with a lower security level, and the inside interface has a higher one.
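The selection rule these three paragraphs describe, worked as a small Python model (an added example, not Cisco's code and not the figure's configuration): a nat statement decides which real hosts are eligible, the NAT ID links it to the global pools, and the pool is chosen by the interface the connection exits, with an existing xlate reused and None returned when the direction is wrong or the pool is exhausted. The nat statements, the 10.0.0.0/24 and 172.16.0.0/24 real networks, and the outside interface's security level of 0 (the PIX default) are assumptions, since only the two global commands appear on the page.

```python
"""Model of PIX dynamic NAT pool selection: nat/global statements matched on NAT ID,
with the global pool chosen by the interface a connection exits."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class NatRule:
    """nat (interface) id real_network mask: hosts eligible for translation."""
    interface: str
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass
class GlobalPool:
    """global (interface) id first-last: mapped addresses used when exiting 'interface'."""
    interface: str
    nat_id: int
    first: IPv4
    last: IPv4

    def size(self) -> int:
        return int(self.last) - int(self.first) + 1


@dataclass
class Translator:
    security: Dict[str, int]                  # interface name -> security level
    nat_rules: List[NatRule]
    pools: List[GlobalPool]
    xlate: Dict[Tuple[IPv4, str], IPv4] = field(default_factory=dict)  # (real, egress) -> mapped
    used: Dict[str, Set[IPv4]] = field(default_factory=dict)           # egress -> mapped in use

    def translate(self, ingress: str, src: str, egress: str) -> Optional[str]:
        """Return the mapped source address for a new connection, or None if
        dynamic NAT does not apply (wrong direction, no matching nat/global,
        or the pool on the egress interface is exhausted)."""
        real = IPv4(src)
        # Dynamic NAT only serves connections started from a higher-security
        # interface toward a lower-security one.
        if self.security[egress] >= self.security[ingress]:
            return None
        rule = next((r for r in self.nat_rules
                     if r.interface == ingress and real in r.network), None)
        if rule is None:
            return None
        # The pool is picked by egress interface AND NAT ID: same ID, different pools.
        pool = next((p for p in self.pools
                     if p.interface == egress and p.nat_id == rule.nat_id), None)
        if pool is None:
            return None
        key = (real, egress)
        if key in self.xlate:                 # an existing xlate is reused
            return str(self.xlate[key])
        in_use = self.used.setdefault(egress, set())
        candidate = pool.first
        while candidate <= pool.last:
            if candidate not in in_use:
                in_use.add(candidate)
                self.xlate[key] = candidate
                return str(candidate)
            candidate += 1
        return None                           # pool exhausted, no PAT fallback configured


def build_example() -> Translator:
    """The page's two global commands plus the assumed nat statements."""
    return Translator(
        security={"inside": 100, "dmz": 50, "outside": 0},   # outside at 0 is the PIX default
        nat_rules=[
            NatRule("inside", 1, ipaddress.IPv4Network("10.0.0.0/24")),   # assumed
            NatRule("dmz", 1, ipaddress.IPv4Network("172.16.0.0/24")),    # assumed
        ],
        pools=[
            GlobalPool("outside", 1, IPv4("192.168.0.20"), IPv4("192.168.0.254")),
            GlobalPool("dmz", 1, IPv4("172.16.0.20"), IPv4("172.16.0.254")),
        ],
    )


if __name__ == "__main__":
    t = build_example()
    print("inside -> dmz    :", t.translate("inside", "10.0.0.11", "dmz"))
    print("inside -> outside:", t.translate("inside", "10.0.0.11", "outside"))
    print("dmz -> outside   :", t.translate("dmz", "172.16.0.5", "outside"))
    print("dmz -> inside    :", t.translate("dmz", "172.16.0.5", "inside"))
```

Each global range here holds 235 addresses and the model allocates one per real host, so the 236th distinct inside host going outside gets no xlate; on a real PIX that is the case where a single-address global (PAT) on the same NAT ID would be added as the overflow.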
