
New Member

DMZ, NAT/Global design question

I have some servers on our inside network that have a secondary NIC for replication and failover purposes.

This secondary NIC on the inside servers is in its own separate VLAN (10.10.10.x).

We need to add this set up to a couple of DMZ servers.

I want to put the secondary NIC also behind the firewall to keep all interfaces on the DMZ servers secure.

My questions are:

Can I put the secondary NIC that will be on the DMZ interface of the firewall in the same subnet as the inside VLAN that the other servers are in?

(There are no interfaces on the firewall in the VLAN.)

I am thinking I should be able to do that technically, but is it acceptable?

Is there any benefit to putting the DMZ in an entirely different subnet (and NATing to the subnet from the inside interface)?

Hall of Fame Super Blue

Re: DMZ, NAT/Global design question

Hi Wilson

Technically yes you can do this but it would be helpful to understand a little more.

When you say failover, how does this work? If the secondary NIC is in a totally different subnet, how does the failover work?


New Member

Re: DMZ, NAT/Global design question

Thanks Jon,

The failover works by failing over to an entirely different server in the DR site, that part is already taken care of.

The secondary NIC is to make sure the data is replicating I believe.

The only thing I am concerned about is to make sure the server in the HQ side can communicate with the server in the DR side on the second logical interface.

They do not HAVE to be in the same VLAN, but it would be nice for organizational purposes.

We have several servers on the inside already in an existing VLAN and I was thinking we could keep the logical interface on the DMZ in the same VLAN.

Everything is in its own separate VLAN here, including the firewall inside interfaces, so everything is routed from the core switches via the SVI.

So the default gateway for the VLAN is on the core switch.

On the firewall, I would just route the network to the inside.

If I set up a static NAT to the logical interface DMZ, in the same subnet as the NICs for the servers on the inside network, I will have to put a static route in the core switches to those hosts, and the next hop will be the PIX inside interface (

Does that sound right?

Hall of Fame Super Blue

Re: DMZ, NAT/Global design question


Couple of things

1) If you connect the secondary NIC to an internal VLAN which is routed off the core switch then you have in effect bypassed your firewall, i.e. if somebody could gain access to one of those DMZ servers they would have a direct route into your network.

2) Sorry to be a bit slow but it's been a long day :). I'm not sure why you would need a static NAT if you place the DMZ NICs into the same internal subnet. If you do place them in the same internal subnet 10.10.10.x then traffic from the core switch will just get switched to these servers, i.e. it won't go via the firewall inside interface.

I think I may have misunderstood your last point, if so please clarify.
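The alternative Jon is pointing at (the "entirely different subnet" option from the original question) keeps the replication NIC of the DMZ server behind the PIX and presents it to the inside VLAN through a static translation, so every replication packet crosses the firewall and its access list. The configuration below is an added example written for this thread, not anything posted by either participant; it uses PIX 6.x syntax and all addresses, interface names, the host 10.10.10.20 and the replication port 1234 are constructed placeholders. The only value taken from the thread is the inside replication VLAN 10.10.10.0/24.

```cisco
! --- PIX (constructed example; replace placeholder addresses) ---
! Inside interface sits in its own VLAN with the core switch SVI (192.168.1.2),
! the DMZ replication NIC lives in a separate subnet 172.16.1.0/24.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Present the DMZ server's replication NIC (172.16.1.50) to the inside as
! 192.168.50.50. That subnet is not connected to the core, so the core needs
! a static route for it with the PIX inside interface as next hop (see below).
static (dmz,inside) 192.168.50.50 172.16.1.50 netmask 255.255.255.255

! Let the inside replication VLAN be reached from the DMZ without translation.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

! Lower-security DMZ -> higher-security inside needs an explicit permit:
! only the replication port, only between the two replication hosts.
access-list dmz_in permit tcp host 172.16.1.50 host 10.10.10.20 eq 1234
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Reach the inside replication VLAN via the core switch SVI.
route inside 10.10.10.0 255.255.255.0 192.168.1.2 1

! --- Core switch (IOS, constructed example) ---
! Send traffic for the translated DMZ addresses to the PIX inside interface,
! so the path from 10.10.10.x to the DMZ host is routed, not switched.
ip route 192.168.50.0 255.255.255.0 192.168.1.1
```

With this layout the replication host on the inside talks to 192.168.50.50, the core forwards that to the PIX, and the PIX translates it to 172.16.1.50 on the DMZ; a compromised DMZ server can only open the one permitted port towards one inside host, which is the property that gets lost when the secondary NIC is patched straight into the 10.10.10.x VLAN.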


Hall of Fame Super Blue

Re: DMZ, NAT/Global design question

Hi Wilson

Is this problem sorted?


New Member

Re: DMZ, NAT/Global design question

Yes Jon,

It is in place and working.

Thanks for the help
