Your company has a border router (R2) that is connected to two partner companies: Partner-DB (R1) providing database services and Partner-APP (R3) providing different application services to your web servers in DMZ (
R2 is also used to perform NAT between internal LAN (fa1/1 = ip nat inside) and the ISP (fa1/2 = ip nat outside). At this moment there is not NAT configured on DMZ interface (fa1/0) and the 2 connections to the partners (R1 & R3).

Currently, your web server in DMZ ( can connect to both DB (R1) and APP (R3) and it does not need any NAT.

After short time, a new requirement appear: the two partners, DB and APP, requires connectivity between themselves, via your router R2... but both of them share the same internal addressing ( and their border routers (R1 and R3) do not have NAT capabilities.

You have been requested to make the connectivity between R1 and R3 and since you have unused addresses in your public DMZ range ( you suggest the following solution:

  • Partner-DB (R1) / will be translated to, only when going to other partner
  • Partner-APP (R3) / will be translated to, only when going to other partner

How could you do this,
considering that you cannot enable NAT on the DMZ interface (since this will break other production services in DMZ) !

Post your answer in the 'Comments' section below and subscribe to this blog to get the detailed solution and more interesting quizzes.