DMZ public IP?

May 26th, 2009

I have seen postings, and heard of cases, where people actually assign public IPs to servers sitting in a DMZ behind a firewall. My question is, if you only have one IP block (say a /29), how can you do this? I understand if you either 1-1 NAT or PAT from outside to DMZ, but how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?

Jon Marshall Tue, 05/26/2009 - 12:27

Charles


"how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?"


You can't unless you run the firewall in transparent mode. When people use public IPs in the DMZ they generally have a separate subnet for the DMZ.


Note you could split your /29 into 2 /30s but you would only have 2 addresses then in each subnet.


Jon

ryancolson Tue, 05/26/2009 - 12:34

So when people put the actual public IP on a server in the DMZ, the DMZ is generally outside the firewall?

Jon Marshall Tue, 05/26/2009 - 12:37

Not necessarily. They might well have a different subnet for the DMZ, i.e.


195.17.17.0 255.255.255.252 could be used for the outside.


Your ISP then allocates you another range -


195.18.18.0 255.255.255.248


so you could then use this subnet for your DMZ.


But if your ISP only allocates you


195.18.18.0 255.255.255.248


you can't have a 195.18.18.x address on both the outside interface and on the DMZ.


Jon
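
The three addressing layouts from the replies above, checked for overlapping interface subnets and for how many public addresses are left for DMZ servers. This is an added example, not part of any poster's reply; the function names are hypothetical and it assumes the firewall takes one address on each routed interface.

```python
import ipaddress
from itertools import combinations

def usable_hosts(cidr):
    """Addresses left after removing the network and broadcast addresses."""
    return max(ipaddress.ip_network(cidr).num_addresses - 2, 0)

def check_plan(interfaces):
    """interfaces: {name: 'a.b.c.d/len'} for a firewall in routed mode.
    Returns the (name_a, name_b) pairs whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def server_capacity(interfaces, name):
    """Addresses left for servers once the firewall interface takes one (assumption)."""
    return usable_hosts(interfaces[name]) - 1

def split_block(cidr, new_prefix):
    """Split one allocation into equal subnets of the given prefix length."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]

# Address ranges are the ones quoted in the thread.
HALVES = split_block("195.18.18.0/29", 30)
PLANS = {
    "same /29 on outside and dmz": {"outside": "195.18.18.0/29", "dmz": "195.18.18.0/29"},
    "/29 split into two /30s": {"outside": HALVES[0], "dmz": HALVES[1]},
    "separate /30 outside, /29 dmz": {"outside": "195.17.17.0/30", "dmz": "195.18.18.0/29"},
}

def report(plans):
    """One summary line per layout: either the conflict or the DMZ server capacity."""
    lines = []
    for label, plan in plans.items():
        conflicts = check_plan(plan)
        if conflicts:
            lines.append(f"{label}: INVALID, overlapping subnets on {conflicts}")
        else:
            lines.append(f"{label}: ok, {server_capacity(plan, 'dmz')} DMZ server address(es)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(PLANS)))
```

The /30 split assumes the ISP's gateway sits in the outside /30 and that the ISP routes the other /30 to the firewall; the thread does not state either.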

darkbeatzz Wed, 05/27/2009 - 01:46

You can have servers in your network with a public IP from your range but they would be patched directly to your outside switch.
