ASA - overlapping IP ranges on outside and dmz interfaces

Unanswered Question
Feb 1st, 2010


Cisco ASA question,
Can I carve a small range of global IP addresses from the big IP range that exists on the outside and put this small range on the dmz interface?

The task is to have a few servers assigned global IP but have them behind a firewall so we can control traffic towards them.
Well, apparently it is doable; wondering if there are any drawbacks with that?

10.x.x.x in this test represents globally routable IP addresses from the ISP.

Three-interface ASA used for testing in the LAB:
Outside: / 22
Dmz: / 28   <- within "outside" ip range
Inside: / 24

global (dmz,outside) netmask
global (inside,outside) netmask,

There are hosts .250 connected on inside and dmz to handle traffic.

+ Access list "in" on outside permitting everything to everything
+ nat-control

The ASA accepts configuring "overlapping" IP ranges on Outside and DMZ without warning, and
I can access and successfully from outside.

I was changing the mask on the outside interface from /8 to /23, and as long as the network appears to the "outside world" as part of the "ASA controlled" range and traffic comes to the ASA, everything works fine.

A router would not allow me to configure overlapping ranges; the ASA does allow it and is able to pass traffic, which is good.
Basically the question becomes, is it a bug or a feature?

Thank you,

Kent Heide Tue, 02/02/2010 - 05:11

Use whatever subnet you wish on the DMZ physically and then you use STATICS to map the addresses to the global pool. Like this.

# Interfaces




# Maps the local server address to the outside address of

static(DMZ,Outside) netmask

a.gesse Tue, 02/02/2010 - 06:45

It is possible to use any addresses on the DMZ with a proper static statement, that's right.
But my task is to have the DMZ with global addresses (for Microsoft OCS).

I can buy an extra range (different from what I have on outside) and put it on the DMZ. That would work but requires extra money.
Or I can use a small range from my existing /22 range on the outside interface, and apparently I don't have to change the mask on outside.

ASA accepts having overlapping IP ranges on outside and DMZ interfaces, unlike a router.

What does the honourable society of Cisco ASA users think about doing that?


Kent Heide Tue, 02/02/2010 - 07:46

What is the specific reason as to why static will not be the solution for you?

a.gesse Tue, 02/02/2010 - 08:19

Well, static is still in use, but it is like this: the global IP from the DMZ is mapped to itself on the outside:

static (dmz,outside) netmask

Translations are working fine

My concern is whether having overlapping IP spaces on the ASA may cause any problems or reduce other functionality.


Kent Heide Tue, 02/02/2010 - 08:54

What you are doing there is called an identity NAT. It's basically an exempt if you wish. What is the problem with using a static for translating a local DMZ address to the address you wish to use on the outside interface for the OCS?
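
Kent Heide's approach written out as an added configuration example (not from the thread and not the poster's lab config): the DMZ sits in private address space and one-to-one statics publish each server on a global address carved from the outside /22, so no interface subnet overlaps. It uses the same pre-8.3 syntax as the global/nat-control/static commands in the thread; every address, interface name and port is a constructed placeholder, with 10.10.0.0/22 standing in for the ISP range as in the poster's lab.

```cisco
! Constructed placeholder addressing: 10.10.0.0/22 plays the ISP-assigned global range
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.0.1 255.255.252.0
!
! DMZ uses private space; it does not overlap the outside /22
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Every packet crossing the ASA must match a NAT rule (as in the poster's lab)
nat-control
!
! Inside users share one global address from the /22 for outbound traffic
global (outside) 1 10.10.3.250
nat (inside) 1 192.168.1.0 255.255.255.0
!
! One-to-one statics: each DMZ server keeps its private address but is reached
! from the outside on a global address taken from the /22 (e.g. the OCS edge)
static (dmz,outside) 10.10.3.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 10.10.3.11 192.168.50.11 netmask 255.255.255.255
!
! Instead of "permit everything to everything", open only the ports the
! published services need (example port values) and drop the rest
access-list outside_in extended permit tcp any host 10.10.3.10 eq 443
access-list outside_in extended permit tcp any host 10.10.3.10 eq 5061
access-list outside_in extended permit tcp any host 10.10.3.11 eq 443
access-group outside_in in interface outside
```

The ASA answers ARP on the outside interface for the global addresses in the statics (proxy ARP is on by default for static translations), so the ISP router on the /22 reaches 10.10.3.10 without any routing change, which is what makes the carved-out addresses usable without putting the /28 on the DMZ interface itself.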

