
Inside to DMZ communication

17 years 6 months ago #21620 by Smurf

static (inside,dmz) 10.3.0.1 10.3.0.1 netmask 255.255.255.255


Can you do that with a static command and have the same address ? How does that work ?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 6 months ago #21625 by skepticals
Well, that does not clear anything up for me. I guess I will have to re-read all the posts and test some things on my own.

Thanks for all the information!
17 years 6 months ago #21626 by Smurf

As for the Static, it is my understanding that the static is only required to allow incoming traffic from the DMZ to the Inside, therefore if you are not initiating the traffic from the DMZ then I am not convinced that it is required (providing the NATting is configured correctly)

Cheers


By default in a PIX, the firewall treats each interface as if it were a totally separate device. What I mean by this is if you take a PIX and do nothing but assign addresses to the inside, outside, and dmz interfaces and then attach computers directly to those interfaces, you will not be able to communicate from the computer on the inside to the dmz or to the outside, and vice versa with the other computers.

You specifically have to give access to each network either with the nat/global command or with the static command. They both get the job done in most cases.

The only time I use the nat/global command is if I want to use PAT instead of one to one NAT. All the static command does is provide a one to one NAT between interfaces.

Hope that helps. :)

EDIT:

It's also worth noting that I use one to one NAT whenever possible because it allows me to be more fine grained and allows for better logging, because it allows the server to log individual IPs rather than the PAT address. It also allows me to block individual problem children if needed rather than an entire group of people.


Thanks for confirming my original post. Basically, you use either the Global/Nat or Static. In order to go from low to high then you must use a static command.

On a side note, this all depends on if you are using NAT-CONTROL. You can make the firewall route all traffic instead but that's for another time :wink:

17 years 6 months ago #21627 by skepticals
So is it safe to say that I should use a NAT statement for the server in the DMZ?

DMZ: 172.16.0.1
Server on DMZ: 172.16.0.3
Internal: 10.10.10.1

Do I configure a NAT on the internal interface? Something that will NAT 10.10.10.X to 172.16.0.3?

Then do I also need a rule that allows traffic?
17 years 6 months ago #21629 by Smurf
Do the servers in the DMZ need to access resources in the inside network ? (i.e. do the DMZ servers need to initiate the communication)

17 years 6 months ago #21631 by semper

static (inside,dmz) 10.3.0.1 10.3.0.1 netmask 255.255.255.255


Can you do that with a static command and have the same address ? How does that work ?


Yes you can. All it does is map 10.3.0.1 to 10.3.0.1 on your dmz interface. I do it on my home pix to access devices within my dmz and I did it on a large enterprise network when we dropped in the company's first perimeter firewalls (2000+ static rules).

You can view a sample dmz configuration from cisco.com here:

www.cisco.com/en/US/products/hw/vpndevc/...186a00800941c8.shtml

You will notice that they use a static command to allow their internal network to access their dmz as I did in my example. :)
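To make the two approaches discussed in this thread concrete, here is an added PIX 6.x configuration sketch using the addresses skepticals gave above (written for this page, not taken from the thread or from Cisco's sample); the inside host 10.10.10.50, the interface and access-list names, and TCP port 1433 are assumed for illustration.

```text
! PIX 6.x sketch: inside (security100) <-> dmz (security50).
! Addresses are the ones from this thread; host 10.10.10.50, the
! interface/ACL names and port 1433 are assumed for illustration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0

! Option A: nat/global. Inside hosts can reach the DMZ, but they are
! PATed behind the dmz interface address, so the DMZ server logs every
! inside client as 172.16.0.1 and cannot block a single client.
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
global (dmz) 1 interface

! Option B (the one preferred in this thread): identity static.
! One-to-one, no address change: inside hosts keep 10.10.10.x on the
! DMZ side, so the server can log and block individual clients, and
! this translation is what a DMZ -> inside session needs to exist.
! Pick one option; if both are present, static wins for these hosts.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

! High -> low (inside -> dmz) is permitted by default once a
! translation exists. Low -> high (dmz -> inside) additionally needs
! an ACL on the dmz interface; limit it to the one server, the one
! inside host and the one port actually required. Everything else
! from the DMZ is dropped by the implicit deny at the end of the list.
access-list dmz_in permit tcp host 172.16.0.3 host 10.10.10.50 eq 1433
access-list dmz_in deny ip any 10.10.10.0 255.255.255.0
access-group dmz_in in interface dmz
```

On PIX 6.x a translation is always required between interfaces; on 7.x this is governed by nat-control, which is the point Smurf raises above.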