03-06-2007 01:30 PM - edited 03-03-2019 04:03 PM
G'day folks,
I have a client with an 1811 who needs to have a DMZ.
The issue is the ISP (Videotron - Quebec) will only provide a single subnet for additional IPs.
My network guy isn't sure if it's possible to code the Cisco to do a DMZ that's on the same .248 subnet as the WAN IP.
Does anyone have any code snippets they can share, or even know if this is possible?
Thanks,
David
03-06-2007 01:38 PM
David
I have seen some implementations that achieve pretty much the functionality that you describe. They configure the subnet (.248 or whatever) on the LAN interface (perhaps DMZ in your case) and configure ip unnumbered on the serial interface. Would that work for your client?
HTH
Rick
03-07-2007 06:09 AM
Hi Rick,
This may work. We'll have to try it to find out.
Thanks,
David
03-06-2007 09:59 PM
Hi David,
You could create subinterfaces, one of them being the local LAN and the other the DMZ. Then static NAT a couple of the spare addresses into private addresses on your DMZ. Mind you, you must create a trunk to your switch in this scenario (either ISL or 802.1q).
Regards,
Andres
03-07-2007 06:19 AM
Thanks for the suggestion, but this requires Videotron change how they deliver the service, which they won't do (I'm actually calling them again to plead my case).
03-07-2007 01:07 AM
There is a simple way you could do this:
1. Split the /29 into two /30s and use one for your WAN and the other for your LAN (you may NAT if multiple systems are connected to the LAN).
03-07-2007 06:17 AM
Thanks for the reply. Unfortunately, this gets to the heart of the issue - Videotron won't change how they deliver additional IP addresses - i.e. We can only get a single subnet.
03-07-2007 06:48 AM
I'm not sure you understood the previous post. You can take your /29 (.248) and create 2 networks - 2 /30 (.252) networks. For example if you had 1.1.1.0-1.1.1.7 /29, you can split it in half and would have 1.1.1.0-1.1.1.3 /30 and 1.1.1.4-1.1.1.7 /30.
ip address outside 1.1.1.1 netmask 255.255.255.252
ip address DMZ 1.1.1.5 netmask 255.255.255.252
OR
ip address outside 1.1.1.1 netmask 255.255.255.252
ip address DMZ 192.168.1.1 netmask 255.255.255.0
static (DMZ,outside) 1.1.1.5 192.168.1.2 netmask 255.255.255.255
03-07-2007 06:53 AM
Ah - I see what you're saying.
This could solve the issue, but unfortunately we're only needing 2 static IPs (1 WAN and 1 DMZ) and Videotron will only provide them as the first 2 usable IPs in a .248 subnet, which puts both of them in the 1st half of your equation.
Videotron charges $20 PER MONTH per additional IP as well - absolutely ridiculous. I'd move the client to DSL in a heartbeat, but they're too far from the C.O. - hence Videotron.
03-07-2007 07:15 AM
David
If the ip unnumbered works I believe that it would be the optimum solution. Configuration of ip unnumbered is supported on point to point interfaces (and in some releases on a VLAN subinterface). I do not know whether you would be able to do that with Videotron.
If the ip unnumbered does not work, based on the additional information that you have provided I believe that there may be another potential solution to consider. Perhaps you could configure the subnet on your outbound interface and then configure address translation so that the second address that you want to use gets translated to some address for the device on your inside interface.
HTH
Rick
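The second suggestion in the reply above (the /29 on the outside interface, with the second public address translated to a private DMZ host), written out as IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, the 192.168.x.x ranges, the ACL names and the 1.1.1.6 gateway are assumptions, and 1.1.1.0/29 reuses the sample range from the earlier reply.

```cisco
! Added example: addresses, interface names, ACL names and gateway are assumptions.
! 1.1.1.0/29 is the sample range used earlier in the thread.
!
! WAN keeps the ISP's single /29; no subnet split is needed.
interface FastEthernet0
 description WAN to ISP
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
!
! Inside LAN (assumed 192.168.0.0/24)
interface Vlan1
 description Inside LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! DMZ on its own VLAN with a private range (assumed 192.168.1.0/24)
interface Vlan10
 description DMZ
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
! Assumed switch port for the DMZ host; VLAN 10 must already exist
interface FastEthernet2
 switchport access vlan 10
!
! Second public address maps one-to-one to the DMZ host.
! IOS answers ARP for 1.1.1.2 on the WAN segment because it is a NAT
! inside global address within the connected subnet.
ip nat inside source static 192.168.1.2 1.1.1.2
!
! LAN hosts share the WAN interface address
ip access-list standard NAT-LAN
 permit 192.168.0.0 0.0.0.255
ip nat inside source list NAT-LAN interface FastEthernet0 overload
!
! DMZ may reply to LAN-initiated TCP sessions but not open new ones
ip access-list extended DMZ-IN
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 established
 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Assumed ISP gateway inside the /29
ip route 0.0.0.0 0.0.0.0 1.1.1.6
```

The static translation exposes every port of the DMZ host on 1.1.1.2, so an inbound filter on the WAN interface limited to the services that host offers would normally accompany it; the thread does not say which services those are.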