
DMZ network overlap issue

s.gilbrook
Level 1

Dear all,

I have a PIX 515e with 3 interfaces (LAN, DMZ, Internet). The DMZ is on a 10.0.0.0/8 network, which is now causing issues when packets that want to go out of our Internet interface need to talk to other 10.0.0.0 addresses (this interface is not directly attached to the Internet, so 10.0.0.0 addresses are routable).

Is it possible to set up the PIX so that it doesn't try to route all 10.0.0.0 traffic out of the DMZ int?

I have tried configuring static routes pointing to the 10.0.0.0 on the Internet int, but this does not seem to work. Any ideas?

Thanks,

Simon.

3 Replies

l.mourits
Level 5

Let me guess, you have the following command on your config:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Is this true?

If yes, you're thinking wrong and have to re-config your PIX.

If no, you most likely have an overlapping NAT statement somewhere in your config.

It will help if you post your config and explain in some more detail what you are trying to achieve.

Kind Regards,

Leo

r.crist
Level 1

Simon:

When you added the statics for the other 10.0.0.0 networks did you use a netmask other than /8? If so, the PIX should have chosen the more specific route and forwarded traffic accordingly. If you used an 8-bit netmask on the static routes, the PIX will still forward traffic destined for the 10.0.0.0 networks out of the connected interface.

Are all of your 10.0.0.0 networks configured with an 8-bit netmask? If so, then it sounds like you may have discontiguous address space configured. Basically, because you're using an 8-bit netmask on your DMZ network, the PIX thinks that any IP address that has 10 as its first octet can be found on that connected interface. Is it possible to change the netmask on your DMZ network to something other than a /8, like using a 16-bit or 24-bit netmask? That way, traffic destined for your DMZ network will get forwarded to that interface; all other traffic should get forwarded out of your Internet interface by your default route.

Hope this helps!

Rich
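The route-selection behaviour Rich describes (longest prefix wins; on a tie, the connected route beats a static one) is what makes a /8 on the DMZ swallow every 10.x.x.x destination. The following Python model is an added illustration written for this thread, not PIX code or Cisco's own algorithm: the routing tables, interface names and addresses in it are constructed, and the administrative-distance values are an assumption that mirrors the connected-before-static preference discussed above. It shows why a second /8 static toward the outside loses, why more specific statics (Simon's eventual fix) win, and why narrowing the DMZ mask (Rich's suggestion) also works.

```python
"""Longest-prefix-match route selection with a connected-over-static tie-break.

Constructed model for the DMZ /8 overlap discussed in the thread; it is not
PIX code. Interfaces, prefixes and addresses below are made-up sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed administrative distances: connected routes are preferred over static
# routes when both match a destination with the same prefix length.
ADMIN_DISTANCE = {"connected": 0, "static": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    kind: str  # "connected" or "static"

    @property
    def distance(self) -> int:
        return ADMIN_DISTANCE[self.kind]


def select_route(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Pick the best route for dst: longest prefix first, then lowest distance."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def egress_interface(table: Iterable[Route], dst: str) -> Optional[str]:
    """Interface the packet to dst would leave on, or None if unroutable."""
    route = select_route(table, dst)
    return route.interface if route else None


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


# Constructed table matching the original problem: DMZ connected as 10.0.0.0/8,
# plus the /8 static toward "outside" that Simon first tried. The static ties
# on prefix length and loses to the connected route, so 10.x still goes to DMZ.
ORIGINAL_TABLE = [
    Route(_net("192.168.1.0/24"), "inside", "connected"),
    Route(_net("10.0.0.0/8"), "dmz", "connected"),
    Route(_net("0.0.0.0/0"), "outside", "static"),
    Route(_net("10.0.0.0/8"), "outside", "static"),
]

# Simon's fix: keep the DMZ /8 but add more specific statics for the remote
# 10.x networks reachable via the outside interface (10.20.0.0/16 is made up).
FIXED_TABLE = ORIGINAL_TABLE[:3] + [
    Route(_net("10.20.0.0/16"), "outside", "static"),
]

# Rich's alternative: narrow the DMZ mask so only the real DMZ range is
# connected and everything else in 10/8 falls through to the default route.
NARROW_DMZ_TABLE = [
    Route(_net("192.168.1.0/24"), "inside", "connected"),
    Route(_net("10.1.0.0/16"), "dmz", "connected"),
    Route(_net("0.0.0.0/0"), "outside", "static"),
]


if __name__ == "__main__":
    for name, table in [("original", ORIGINAL_TABLE),
                        ("specific statics", FIXED_TABLE),
                        ("narrow DMZ mask", NARROW_DMZ_TABLE)]:
        for dst in ("10.1.2.3", "10.20.5.5", "8.8.8.8"):
            print(f"{name:17} {dst:10} -> {egress_interface(table, dst)}")
```

Running the block prints the egress interface for a DMZ host, a remote 10.x host and a public address under each of the three tables; the only configuration under which 10.20.5.5 still leaves via the DMZ is the original one with the tied /8 static.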

Rich (and all),

Thanks for all the info.

Instead of altering the netmask of the DMZ 10.0.0.0 network, I have configured a couple of static routes that point to the outside 10.0.0.0 networks.

We have also had to re-hash the translation exemption rules, as they were originally configured to allow private LAN addresses straight through to the DMZ without going through the NAT process. This seemed to cause issues when inside addresses wanted to go out, via NAT, to the outside world, i.e. they had a statement that said "No NAT to DMZ" as well as one that said "NAT to outside world".

Anyway, seems to work now.

Cheers,

Simon.