Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

DMZ network overlap issue

Dear all,

I have a PIX 515e with 3 interfaces (LAN, DMZ, Internet). The DMZ is on a 10.0.0.0/8 network, which is now causing issues when packets that want to go out of our Internet interface need to talk to other 10.0.0.0 addresses (this interface is not directly attached to the Internet, so 10.0.0.0 are routable).

Is it possible to set-up the PIX so that it doesn't try route all 10.0.0.0 traffic out of the DMZ int ?

I have tried configuring static routes pointing to the 10.0.0.0 on the internet int but this does not seem to work - any ideas ?

Thanks,

Simon.

3 REPLIES
Silver

Re: DMZ network overlap issue

Let me guess, you have the following command on your config:

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

If this true?

If yes, you´re thinking wrong and have to re-config your PIX

If no, you most likely have a overlapping NAT statement somewhere in your config.

It will help if you post your config and explain some more detail on what you try to achieve.

Kind Regards,

Leo

New Member

Re: DMZ network overlap issue

Simon:

When you added the statics for the other 10.0.0.0 networks did you use a netmask other than /8? If so, the PIX should have chosen the more specific route and forwarded traffic accordingly. If you used an 8-bit netmask on the static routes, the PIX will still forward traffic destined for the 10.0.0.0 networks out of the connected interface.

Are all of your 10.0.0.0 networks configured with an 8-bit netmask? If so, then it sounds like you may have discontiguous address space configured. Basically, because you're using an 8-bit netmask on your DMZ network, the PIX thinks that any IP address that has 10 as it's first octet can be found on that connected interface. Is it possible to change the netmask on your DMZ network to something other than a /8 - like using a 16-bit or 24-bit netmask? That way, traffic destined for your DMZ network will get forwarded to that interface, all other traffic should get forwarded out of your Internet interface by your default route.

Hope this helps!

Rich

New Member

Re: DMZ network overlap issue

Rich (and all),

Thanks for all the info.

Instead of altering the netmask of the DMZ 10.0.0.0 network, I have configured a couple of static routes that point to the outside 10.0.0.0 networks.

We have also had to re-hash the translation exemption rules, as they were originally configured to allow private LAN addresses straight through to the DMZ without going through the NAT process. This seemed to cause issues when inside addresses wanted to go out, via NAT, to the outside world i.e. they had a statement that said No NAT to DMZ, as well as one that said NAT to outside world.

Anyway, seems to work now.

Cheers,

Simon.

108
Views
0
Helpful
3
Replies
CreatePlease to create content