DMZ in same .248 subnet - how?

Mar 6th, 2007

G'day folks,

I have a client with an 1811, and needs to have a DMZ.

The issue is the ISP (Videotron - Quebec) will only provide a single subnet for additional IPs.

My network guy isn't sure if it's possible to code the Cisco to do a DMZ that's on the same .248 subnet as the WAN IP.

Does anyone have any code snippets they can share, or even know if this is possible?

Thanks,

David

Richard Burts Tue, 03/06/2007 - 13:38

David

I have seen some implementations that achieve pretty much the functionality that you describe. They configure the subnet (.248 or whatever) on the LAN interface (perhaps DMZ in your case) and configure ip unnumbered on the serial interface. Would that work for your client?

HTH

Rick

avillalva Tue, 03/06/2007 - 21:59

Hi David,

You could create subinterfaces, one of them being the local lan and the other the DMZ. Then static NAT a couple of the spare addresses into private addresses on your DMZ. Mind you, you must create a trunk to your switch in this scenario (either isl or 802.1q).

Regards,

Andres

plustechnology Wed, 03/07/2007 - 06:19

Thanks for the suggestion, but this requires Videotron change how they deliver the service, which they won't do (I'm actually calling them again to plead my case).

jarvar832004 Wed, 03/07/2007 - 01:07

There is a simple way you could do this:

1. Split the /29 into two /30s and use one for your WAN and the other for your LAN (you may NAT if multiple systems are connected to the LAN).

plustechnology Wed, 03/07/2007 - 06:17

Thanks for the reply. Unfortunately, this gets to the heart of the issue - Videotron won't change how they deliver additional IP addresses, i.e., we can only get a single subnet.

acomiskey Wed, 03/07/2007 - 06:48

I'm not sure you understood the previous post. You can take your /29 (.248) and create 2 networks - 2 /30 (.252) networks. For example if you had 1.1.1.0-1.1.1.7 /29, you can split it in half and would have 1.1.1.0-1.1.1.3 /30 and 1.1.1.4-1.1.1.7 /30.

ip address outside 1.1.1.1 netmask 255.255.255.252
ip address DMZ 1.1.1.5 netmask 255.255.255.252

OR

ip address outside 1.1.1.1 netmask 255.255.255.252
ip address DMZ 192.168.1.1 netmask 255.255.255.0
static (DMZ,outside) 1.1.1.5 192.168.1.2 netmask 255.255.255.255

plustechnology Wed, 03/07/2007 - 06:53

Ah - I see what you're saying.

This could solve the issue, but unfortunately we're only needing 2 static IPs (1 WAN and 1 DMZ) and Videotron will only provide them as the first 2 usable IPs in a .248 subnet, which puts both of them in the 1st half of your equation.

Videotron charges $20 PER MONTH per additional IP as well - absolutely ridiculous. I'd move the client to DSL in a heartbeat, but they're too far from the C.O. - hence Videotron.

Richard Burts Wed, 03/07/2007 - 07:15

David

If the ip unnumbered works I believe that it would be the optimum solution. Configuration of ip unnumbered is supported on point-to-point interfaces (and in some releases on a VLAN subinterface). I do not know whether you would be able to do that with Videotron.

If the ip unnumbered does not work, based on the additional information that you have provided I believe that there may be another potential solution to consider. Perhaps you could configure the subnet on your outbound interface and then configure address translation so that the second address that you want to use gets translated to some address for the device on your inside interface.

HTH

Rick
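The following IOS configuration is an added example written for this thread; it is not code from any of the posters or from Cisco. It implements Rick's second suggestion above: the whole /29 sits on the WAN interface, and the second address the ISP assigned is translated one-to-one to a host on a separate DMZ VLAN, so nothing about how Videotron delivers the block has to change (the /30 split from acomiskey's post is not used because, as David notes, both assigned addresses fall in the first /30). Everything specific is an assumption: the block is acomiskey's 1.1.1.0/29 with .1 and .2 as the client's two addresses, the ISP gateway is assumed to be 1.1.1.6, the 1811's FastEthernet0 is the WAN port, Vlan1 is the LAN, Vlan10 is the DMZ (VLAN 10 is assumed to already exist in the VLAN database), and the IOS image is assumed to include the firewall feature set for `ip inspect`.

```cisco
! Added example, not from the thread. All addresses, VLAN numbers and
! interface names are assumptions (see the lead-in).
!
! Stateful inspection so return traffic for sessions opened from inside
! is admitted through the WAN inbound ACL without blanket permits.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface FastEthernet0
 description WAN to Videotron (whole /29 lives here, per Rick's suggestion)
 ip address 1.1.1.1 255.255.255.248
 ip access-group WAN-IN in
 ip inspect FW out
 ip nat outside
 no shutdown
!
interface Vlan1
 description Inside LAN, shares the WAN address via overload (PAT)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 description DMZ, its own VLAN so a compromised DMZ host cannot reach the LAN directly
 ip address 192.168.10.1 255.255.255.0
 ip access-group DMZ-IN in
 ip nat inside
!
interface FastEthernet2
 description Switch port for the DMZ host (assumed port; 1811 switch ports are Fa2-Fa9)
 switchport access vlan 10
!
! Default route to the assumed ISP gateway inside the same /29.
ip route 0.0.0.0 0.0.0.0 1.1.1.6
!
! Second public address maps one-to-one to the DMZ host. Because 1.1.1.2 is
! inside FastEthernet0's subnet, IOS answers ARP for it on the WAN segment
! itself; no extra routing from the ISP is needed.
ip nat inside source static 192.168.10.2 1.1.1.2
!
! Everything else on the LAN is hidden behind the WAN interface address.
ip nat inside source list LAN-NAT interface FastEthernet0 overload
ip access-list standard LAN-NAT
 permit 192.168.1.0 0.0.0.255
!
! Inbound filter on the WAN. For outside-to-inside packets IOS evaluates the
! inbound ACL before the global-to-local translation, so the ACL matches the
! public address 1.1.1.2, not 192.168.10.2. Only the published service (HTTPS
! here, assumed) reaches the DMZ host; ip inspect adds dynamic entries for
! sessions that the LAN or DMZ opened outbound.
ip access-list extended WAN-IN
 permit tcp any host 1.1.1.2 eq 443
 deny   ip any any log
!
! The DMZ may reach the Internet but may not initiate anything toward the LAN.
ip access-list extended DMZ-IN
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
```

After applying this, `show ip nat translations` should list the static entry for 192.168.10.2 <-> 1.1.1.2, and `show ip arp` on the router shows 1.1.1.2 as an alias on FastEthernet0; the `log` keyword on the final deny gives a first-line record of anything unexpected arriving from the ISP side.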
