DMZ Scope?

Status
Not open for further replies.

pjudt (MIS), Aug 20, 2003, US
I'm brand new to the PIX. I've been searching through these groups for a week and have used a lot of information from different posts. I appreciate all the good advice. My question has to do with the DMZ. Currently, I have a public address in the DMZ. Is this a good idea? I notice that most configurations in these posts have a non-routable address. Currently, I have NAT set up on the inside. I'm allowing certain traffic out but denying the rest. I have an outside address static mapped to an address on the inside and another separate address to the outside. Incoming from outside to DMZ is working fine and incoming from outside to inside is working fine. I have so far been unable to get traffic from the DMZ to inside going in either direction. Would you suggest I go to a non-routable DMZ? What is the benefit of having or not having routable/non-routable IPs in the DMZ? Thanks in advance for any assistance you may provide.

Paul
 
It is best to use private IP addresses on the DMZ so you do not expose the real IP addresses to the Internet. However, that should be no problem to communicate with the inside network.

To communicate from inside to DMZ you need the following conditions:
nat (inside) 1 ...
global (dmz) 1 ...

For dmz to inside traffic you need the following conditions:
static (inside,dmz) ...
access-list 101 permit ...

The static is for the internal servers or hosts that will be accessed from the dmz.
Hope this helps.
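A fuller version of the layout the reply above describes, added here as an illustration and not taken from either poster's configuration. Every address, interface name and host below is a constructed placeholder (RFC 1918 space for inside and DMZ, documentation prefix 203.0.113.0/24 standing in for the public block), and the ACL names outside_in and dmz_in are arbitrary. Syntax follows PIX 6.x, which is what the thread is about.

```text
! Added example, not from the original thread. All addresses are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! Inside -> DMZ (high security to low): a nat on inside plus a global on dmz.
! Inside hosts are PATed to the dmz interface address when they reach the DMZ.
nat (inside) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface
! The same nat id also covers inside -> Internet via a global on outside.
global (outside) 1 interface

! Internet -> DMZ: publish the private DMZ server on a spare public address,
! then permit only the service it actually offers.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! DMZ -> inside (low security to high): the inside host must have a static
! visible from the dmz, and an ACL on the dmz interface must open the port.
! An identity static keeps 10.1.1.50 unchanged as seen from the DMZ.
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 192.168.100.10 host 10.1.1.50 eq 1433
! Anything else sourced from the DMZ falls to the implicit deny.
access-group dmz_in in interface dmz
```

Two points worth checking on a real box. First, the static (inside,dmz) does double duty: it is what makes the inside host reachable from the DMZ at all, and it also takes precedence over the nat/global pair for that host, so inside -> DMZ traffic from 10.1.1.50 will not be PATed. Second, the dmz_in list is the control that matters if a DMZ server is compromised, so keep it to named hosts and ports rather than permitting the DMZ subnet to the inside network wholesale; "show access-list" on the PIX shows hit counts per line, which is a quick way to confirm the rule is being matched as expected.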
 