DMZ public IP?

Unanswered Question
May 26th, 2009

I have seen postings, and heard of cases where people actually assign public IPs to servers sitting in a DMZ behind a firewall. My question is, if you only have one IP block(say a /29), how can you do this? I understand if you either 1-1 NAT or PAT from outside to DMZ, but how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Tue, 05/26/2009 - 12:27

Charles

"how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?"

You can't unless you run the firewall in transparent mode. When people use public IP's in the DMZ they generally have a separate subnet for the DMZ.

Note you could split your /29 into 2 /30's but you would only 2 addresses then in each subnet.

Jon

ryancolson Tue, 05/26/2009 - 12:34

so when people put the actual public IP on a server in the DMZ, the DMZ is generlaly outside the firewall?

Jon Marshall Tue, 05/26/2009 - 12:37

Not necessarily. They might well have a different subnet for the DMZ ie.

195.17.17.0 255.255.255.252 could be used for the outside.

Your ISP then allocates you another range -

195.18.18.0 255.255.255.248

so you could then use this subnet for your DMZ.

But if your ISP only allocates you

195.18.18.0 255.255.255.248

you can't have 195.18.18.x address on both the outside interface and on the DMZ.

Jon

darkbeatzz Wed, 05/27/2009 - 01:46

You can have servers in your network with a public IP from your range but they would be patched directly to your outside switch

Actions

This Discussion