Routing Issue between the same ip subnets

Unanswered Question
Jun 22nd, 2008

Hi Team,

The firewall outside interface network IP addresses overlap with the DMZ IP addresses. How do I overcome this issue?

hennigan Sun, 06/22/2008 - 14:42

Are the DMZ and firewall MPLS interface networks identical in terms of subnet and mask?

This sounds like your MPLS provider has provided you with a subnet and you want to insert a firewall between that subnet and the resources on the DMZ, correct?

The logical options are:

1: Work with your MPLS vendor to assign a /30 network solely for the link between your ASA and their CE router. Have them route the 172.x network to you. Renumber your firewall interface towards the MPLS cloud with their assigned interface out of the /30.

2: Renumber your DMZ resources to something not in conflict with the MPLS subnet and use NAT.

Other, generally ugly possibilities include bridging and some awful NAT hacks that aren't likely to scale.

An enterprise-wide IP assignment policy can help to avoid this in the first place but you often get into a jam with mergers with other companies having overlapping RFC1918 space.

CSCO10847039 Mon, 06/23/2008 - 20:48

Hi,

Thanks for your reply. Sorry for missing some points in my previous mail.

The MPLS interface has a different IP range.

We are accessing almost all 140 sites using this MPLS link. Of those 140 sites, at most 10 sites have a 172.X range; the remaining ones are different. Coming to the DMZ zone, all the IP addresses in the DMZ zone are in the 172.X range. Now the problem for us is that whenever an inside user tries to access the 172.X range IP addresses which are in the MPLS zone, they are unable to access them, and they are not even able to ping those IP addresses.

But I am able to ping the same IP from the MPLS router, just not from the inside network.

I think you got my point.

Awaiting your reply.

hennigan Tue, 06/24/2008 - 19:29

The best and most scalable solution would be to renumber the resources in the DMZ to a different subnet, and to institute an IP assignment plan to avoid future duplication.
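As an added illustration (not code from either poster), the following Python script shows the mechanism behind both replies: a firewall doing longest-prefix-match routing will send packets for a remote 172.X host to its directly connected DMZ interface whenever the DMZ prefix covers that address, so inside users cannot reach the MPLS sites, while the MPLS router, which has no such connected route, can ping them. It also includes a small overlap check of the kind an IP assignment plan would run before handing out new space. All prefixes and next-hop names below are constructed for the example; they are not the poster's real addresses.

```python
"""Added example: longest-prefix-match lookup and an address-plan overlap check.

Assumptions (not from the thread): the firewall routes purely by longest
prefix match, and the DMZ is configured as a directly connected network.
All addresses are constructed sample values.
"""
import ipaddress

IPNet = ipaddress.IPv4Network


def lookup(routes, dst):
    """Return (prefix, next_hop) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


# Constructed routing table of the firewall BEFORE any fix: the DMZ has been
# given a 172.16/16 that also covers the remote MPLS sites.
FIREWALL_BEFORE = [
    (IPNet("0.0.0.0/0"), "MPLS CE router"),      # everything else goes to the provider
    (IPNet("172.16.0.0/16"), "connected: DMZ"),   # connected route wins for any 172.16.x.x
    (IPNet("10.0.0.0/8"), "connected: inside"),
]

# Constructed table AFTER renumbering the DMZ (the thread's option 2): the DMZ
# no longer covers the remote sites, so they fall through to the provider.
FIREWALL_AFTER = [
    (IPNet("0.0.0.0/0"), "MPLS CE router"),
    (IPNet("172.20.0.0/24"), "connected: DMZ"),
    (IPNet("10.0.0.0/8"), "connected: inside"),
]

# Constructed table of the provider's CE router, which never had a DMZ route.
MPLS_ROUTER = [
    (IPNet("0.0.0.0/0"), "MPLS core"),
    (IPNet("192.0.2.0/30"), "connected: link to firewall"),
]


def next_hop(routes, dst):
    """Convenience wrapper returning only the next hop name."""
    match = lookup(routes, dst)
    return None if match is None else match[1]


def find_overlaps(assignments):
    """Return (name_a, name_b) pairs whose prefixes overlap, for plan review."""
    items = [(name, IPNet(prefix)) for name, prefix in assignments.items()]
    conflicts = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                conflicts.append((name_a, name_b))
    return conflicts


if __name__ == "__main__":
    remote_site_host = "172.16.5.9"   # constructed: a host at one of the 172.X MPLS sites
    print("firewall before fix ->", next_hop(FIREWALL_BEFORE, remote_site_host))
    print("firewall after fix  ->", next_hop(FIREWALL_AFTER, remote_site_host))
    print("MPLS router         ->", next_hop(MPLS_ROUTER, remote_site_host))
    plan = {
        "DMZ": "172.16.0.0/16",
        "MPLS site A": "172.16.5.0/24",
        "inside": "10.0.0.0/8",
        "firewall-CE link": "192.0.2.0/30",
    }
    print("overlaps:", find_overlaps(plan))
```

Running it shows the remote host resolving to the DMZ interface before the fix and to the MPLS CE router after it, while the MPLS router's own lookup never touches a DMZ route; the overlap check flags the DMZ/site conflict that the thread's IP assignment policy is meant to catch in advance.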
