
DMZ in same .248 subnet - how?

plustechnology
Level 1

G'day folks,

I have a client with an 1811 who needs to have a DMZ.

The issue is the ISP (Videotron - Quebec) will only provide a single subnet for additional IPs.

My network guy isn't sure if it's possible to code the Cisco to do a DMZ that's on the same .248 subnet as the WAN IP.

Does anyone have any code snippets they can share, or even know if this is possible?

Thanks,

David

9 Replies

Richard Burts
Hall of Fame

David

I have seen some implementations that achieve pretty much the functionality that you describe. They configure the subnet (.248 or whatever) on the LAN interface (perhaps DMZ in your case) and configure ip unnumbered on the serial interface. Would that work for your client?

HTH

Rick


Hi Rick,

This may work. We'll have to try it to find out.

Thanks,

David

avillalva
Level 1

Hi David,

You could create subinterfaces, one of them being the local LAN and the other the DMZ. Then static NAT a couple of the spare addresses into private addresses on your DMZ. Mind you, you must create a trunk to your switch in this scenario (either ISL or 802.1q).

Regards,

Andres

Thanks for the suggestion, but this requires Videotron change how they deliver the service, which they won't do (I'm actually calling them again to plead my case).

jarvar832004
Level 1

There is a simple way you could do this:

1. Split the /29 into two /30s and use one for your WAN and the other for your LAN (you may NAT if multiple systems are connected to the LAN).

Thanks for the reply. Unfortunately, this gets to the heart of the issue - Videotron won't change how they deliver additional IP addresses - i.e. we can only get a single subnet.

I'm not sure you understood the previous post. You can take your /29 (.248) and create 2 networks - 2 /30 (.252) networks. For example if you had 1.1.1.0-1.1.1.7 /29, you can split it in half and would have 1.1.1.0-1.1.1.3 /30 and 1.1.1.4-1.1.1.7 /30.

ip address outside 1.1.1.1 255.255.255.252

ip address DMZ 1.1.1.5 255.255.255.252

OR

ip address outside 1.1.1.1 255.255.255.252

ip address DMZ 192.168.1.1 255.255.255.0

static (DMZ,outside) 1.1.1.5 192.168.1.2 netmask 255.255.255.255

Ah - I see what you're saying.

This could solve the issue, but unfortunately we're only needing 2 static IPs (1 WAN and 1 DMZ) and Videotron will only provide them as the first 2 usable IPs in a .248 subnet, which puts both of them in the 1st half of your equation.

Videotron charges $20 PER MONTH per additional IP as well - absolutely ridiculous. I'd move the client to DSL in a heartbeat, but they're too far from the C.O. - hence Videotron.

David

If the ip unnumbered works I believe that it would be the optimum solution. Configuration of ip unnumbered is supported on point to point interfaces (and in some releases on a VLAN subinterface). I do not know whether you would be able to do that with Videotron.

If the ip unnumbered does not work, based on the additional information that you have provided I believe that there may be another potential solution to consider. Perhaps you could configure the subnet on your outbound interface and then configure address translation so that the second address that you want to use gets translated to some address for the device on your inside interface.

HTH

Rick
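
The fallback described in the reply above (the whole /29 on the outside interface, with the second public address translated to the DMZ device), sketched as IOS configuration for an 1811. This is an added example, not configuration posted by anyone in the thread. The interface names, the 203.0.113.0/29 stand-in for the ISP subnet, the private ranges and the HTTPS-only DMZ host are all assumptions.

```cisco
! Constructed addressing (assumptions, not values from the thread):
!   203.0.113.0/29 = ISP subnet, .1 = router WAN, .2 = published DMZ address
!   192.168.1.0/24 = inside LAN, 192.168.2.0/24 = DMZ, DMZ host = 192.168.2.10
interface FastEthernet0
 description WAN to ISP (whole /29 stays on this interface)
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
interface Vlan1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 description DMZ
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
interface FastEthernet3
 description Switch port for the DMZ host (assumed port)
 switchport access vlan 2
!
! Publish only the service the DMZ host offers (HTTPS assumed).
! A full one-to-one mapping would be:
!   ip nat inside source static 192.168.2.10 203.0.113.2
ip nat inside source static tcp 192.168.2.10 443 203.0.113.2 443
!
! Outbound traffic from both private networks shares the WAN address (PAT).
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0 overload
!
! DMZ isolation: replies to sessions opened from the inside LAN are allowed,
! new connections from the DMZ to the inside LAN are not.
ip access-list extended DMZ-IN
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 established
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
```

The `established` entry is a stateless check on TCP flags only, so UDP or ICMP from the inside LAN to the DMZ host gets no reply through this ACL.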
