DHCP on DMZ interface

I'm trying to set up a DHCP pool on a new DMZ interface (DMZ2) for visiting laptop users to connect to the internet wirelessly. I had imagined this to be a fairly simple process, however the hosts cannot access the internet. Here are the commands I entered:

----------------------------------------------------------- interface Ethernet4 nameif DMZ2 security-level 50 ip address

nat (DMZ2) 1

dhcpd dns dhcpd ping_timeout 750 dhcpd address DMZ2 dhcpd enable DMZ2


The outside interface is the default security 0. My other DMZ interface (DMZ1) has no problems, but all of the hosts in that DMZ are

1-to-1 static maps.

The hosts in DMZ2 get IP addresses via DHCP just fine and can ping their gateway (, however cannot ping any hosts on the internet nor access websites.

Any help is appreciated. Thanks.

Reply to
Loading thread data ...

What is the global that match this: nat (DMZ2) 1

you must have a global (DMZ1) 1 initerface command if you want DMZ2 to access DMZ1 Also you should have global (outside) 1 interface inorder to access internet via outside interface Also verify that you have ACLs on ALL interfcaes, and that the ACL include ICMP.

HTH Martin

Reply to
Martin Bilgrav


We have a global (outside) 1 interface command. This pix is currently already in production with the inside network being...well...our inside network and all its hosts, and DMZ1 being things like our web server, smtp gateway, and the like.

I only want to create a new DMZ that can *only* access the internet. Hosts in this network will never under any circumstances communicate with either the inside or DMZ1 zones. My understanding is that I would not need an ACL on DMZ2 as they aren't necessary when going from a higher restriction (50) to a lower (0, which is the outside interface).

When I originally set this up however, I did create an access-list called DMZ2 that only had ICMP any any, icmp any any echo-reply and icmp any any time-exceeded, and applied it using "access-group dmz2 in interface DMZ2". This wasn't working either so I have since removed that ACL.

Reply to

Looks like you are using PIX 7+ from the syntax. Whilst I prefer the command line, why not try the ASDM and run the packet trace feature to simulate a packet traveling from the DMZ2 interface towards the Internet. It will show you where the flow breaks.



Reply to


Unfortunately my experience with the PIX is limited. I've used the ASDM on an ASA before, but am unable to do so on this unit. When trying to connect I get an "unexpected end of file from server" error, likely because the ASDM module is no present on the PIX (and I am unaware of how to put it on there).

I'm fairly certain my problem is NAT related, I just can't think of what it is I'm missing.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.