    I'm trying to figure out how to configure NAT on a stick on a Cisco 2811. The problem here is that I have 3 interfaces and I'm trying to create a DMZ. This DMZ needs to be accessible from the outside by static IP translation, from the inside by either outside IP addresses or DMZ addresses (if using the outside IP address, it needs to respond with the outside IP address and not the inside IP address), and needs to be accessible from our satellite offices.

    I have thought about changing the DNS but that would mess up our satellite offices, as we only have one DNS server in our main office. I also thought about adding an entry into the hosts file but we have a lot of traveling users and laptop users so we'd be changing the hosts files twice a day.

    Can anyone help me figure this out?


    How does your satellite office connect back to your main office?

    For the internal users, you can use split brain DNS to get to your DMZ servers (configure internal DNS server with DMZ IPs for the DNS entries you use on the outside as well).
    For external users, set up your static IP NAT translation to your DMZ IPs like you normally would, set up the proper ACL, open the appropriate ports to the DMZ servers, and set up your external DNS records to point to the public IPs that translate to the DMZ IPs.
    The only question left is how to get your satellite offices working. Answering the very first question should give us a better idea of how to get this working.
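
The external-user steps from the answer above, written out as an IOS configuration fragment. This is an added example, not a configuration posted by anyone in the thread. All addresses (203.0.113.0/24 public, 192.168.50.0/24 DMZ, 10.10.0.0/16 inside), the interface names, the ACL and inspection names, and the published port (TCP 443) are assumptions, and the `ip inspect` lines assume an IOS image with the firewall feature set.

```cisco
! Constructed addressing: public 203.0.113.0/24, DMZ 192.168.50.0/24, inside 10.10.0.0/16
! Stateful inspection so replies to sessions opened from inside/DMZ are let back in
ip inspect name FW tcp
ip inspect name FW udp
!
interface FastEthernet0/0
 description OUTSIDE (assumed interface name)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface FastEthernet0/1
 description INSIDE (assumed interface name)
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1/0
 description DMZ (assumed interface name)
 ip address 192.168.50.1 255.255.255.0
 ! The DMZ is the "inside" side of the static translation
 ip nat inside
!
! One-to-one static translation: DMZ server <-> public address
ip nat inside source static 192.168.50.10 203.0.113.10
!
! The inbound ACL on the outside interface is checked before NAT,
! so it matches the public address, not the DMZ address.
ip access-list extended OUTSIDE-IN
 remark Published DMZ service only (port is an assumption)
 permit tcp any host 203.0.113.10 eq 443
 remark Satellite-office ISAKMP tunnels terminate on the router itself
 permit udp any host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 remark Everything else is dropped and logged
 deny ip any any log
```

External DNS then points the service name at 203.0.113.10, while the internal zone used for split DNS returns 192.168.50.10 for the same name.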


      The satellite offices connect back through ISAKMP VPN tunnels. Also, we have only one DNS server so, unless there's a way to allow DMZ traffic through the VPN also, doing a split DNS won't work.