Cisco Support Community
New Member

Two different subnets on one interface of the firewall

Hi,

I have the following network with a firewall in a cable environment.

PC----CM----CM----INSIDE----------OUTSIDE
                            |
                            |
                           DMZ

The IP setup looks like this:

PC: 172.x.x.x/255.0.0.0

CM: 10.x.x.x/255.255.255.0

INSIDE: 10.0.0.1/255.255.255.0

OUTSIDE: www.xxx.yyy.zzz

DMZ: 192.168.x.x/255.255.255.0

In the DMZ zone I have a DHCP server which provides IP addresses for the CM and the PC. This already works fine.

Now I want to reach the DMZ network from the PC behind the CM (cable modem). As a gateway on the PC I used an IP address within the 172.x.x.x subnet. But I don't know how to set up static routes correctly to reach the DMZ subnet.

I have no other routers in my network except the firewall itself. I know that the firewall is not a router, but for static routing it should be fine to do it here.

Please help me with the following questions:

1. How is it possible to reach the DMZ subnet from the PC subnet with static routes?

2. Do I actually need static routes to reach the DMZ subnet?

3. What should the static routes on the firewall look like (maybe you could help me with an example)?

Thanks in advance.

Daniel

4 REPLIES
Gold

Re: Two different subnets on one interface of the firewall

Please excuse me for not being able to understand the topology; in particular, I am not sure where the PIX is.

New Member

Re: Two different subnets on one interface of the firewall

Hi,

I'm sorry about that, but I didn't know that the editor here doesn't show leading spaces. That's why the lines were not correct. I added a JPEG with my network layout to this post. Maybe this will help to understand it better.

Thanks for the reply and hopefully you have some suggestions to my problem described.

I appreciate your help.

Daniel

Re: Two different subnets on one interface of the firewall

No, you do not need static routes to reach your DMZ server. Just be sure that the PIX is the default gateway.

You need to disable NAT (Network Address Translation) on the PIX between the inside network and the DMZ.

To connect to your DMZ server you then use the private IPs, e.g. 192.168.0.5.

If you want to access the inside PCs from the DMZ server, you need to configure an access-list on the dmz interface that allows the DMZ server to establish connections to the inside PCs. But all connections (replies) from the PCs to the DMZ server will work without an access-list.

example:

static (inside,dmz) InsideNetwork InsideNetwork netmask 255.255.255.0

sincerely

Patrick

New Member

Re: Two different subnets on one interface of the firewall

Thanks for the reply. It sounds logical, but how is it possible to reach the subnet 192.x.x.x from a totally different subnet, 172.x.x.x, where the PC is located?

What I have now is a PC behind the cable modem in the subnet 172.x.x.x.

Even when I set the PIX interface 10.0.0.1 as the default gateway for the PC, I cannot reach the subnet 192.x.x.x.

I cannot even ping.

The part of my config looks like this:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.122.40.49 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.0.0.1 255.0.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit udp any any
global (outside) 100 212.122.40.50
global (inside) 200 10.0.0.20-10.0.0.30
nat (dmz) 100 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route inside 0.0.0.0 0.0.0.0 212.122.40.51 1

On the side of my PC behind the cable modem I have the following configuration.

IP: 172.0.0.1/255.255.255.0

Gateway: 10.0.0.1 (interface of the PIX connected to the cable modem)

The CMTS actually just does DHCP relay via a relay agent. But the CMTS does not route anything; it works only as a bridge.

Maybe you can give me a hint to solve this problem. What I want as a first step is to ping from the PC (subnet 172.x.x.x) to the DHCP server (subnet 192.x.x.x) via the firewall.

Thanks in advance.

Daniel
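The following script is an added example and not part of the thread. It runs three plain Layer-3 sanity checks over the addresses posted above (PC 172.0.0.1/24 with gateway 10.0.0.1; PIX outside 212.122.40.49/24, inside 10.0.0.1/8, dmz 192.168.0.1/24; the single posted static route): whether the host's gateway lies in the host's own subnet, whether the firewall has a connected subnet or static route back to the host, and whether each static route's next hop sits on the subnet of the interface the route names. The function names and the table layout are this example's own assumptions, and it models routing only, not the PIX's NAT or access-list processing.

```python
"""
Reachability sanity checks over the addressing posted in this thread.

Added example, not code from the original posts.  It applies three checks
that explain why the PC cannot reach the DMZ:
  1. a host can only use a default gateway that lies in its own subnet
     (otherwise it cannot ARP for it),
  2. the firewall needs a connected subnet or a static route back to the
     host's subnet, or its replies follow the default route instead,
  3. a static route's next hop must sit on the subnet of its egress interface.
The addresses are the ones the poster gave; the function names and the
table layout are this example's own.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str, str, str]  # (egress interface, destination, mask, next hop)

# Firewall interfaces as posted: name -> address/prefix
PIX_INTERFACES: Dict[str, str] = {
    "outside": "212.122.40.49/24",
    "inside": "10.0.0.1/8",
    "dmz": "192.168.0.1/24",
}

# Static routes as posted ("route inside 0.0.0.0 0.0.0.0 212.122.40.51 1")
PIX_ROUTES: List[Route] = [("inside", "0.0.0.0", "0.0.0.0", "212.122.40.51")]

# The PC behind the cable modem, as posted
PC_ADDRESS = "172.0.0.1/24"
PC_GATEWAY = "10.0.0.1"


def gateway_on_link(host_cidr: str, gateway: str) -> bool:
    """True when the gateway shares the host's subnet, so the host can ARP for it."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def route_for(dest: str, interfaces: Dict[str, str], routes: List[Route]) -> Tuple[str, str]:
    """Longest-prefix lookup over connected subnets and static routes.

    Returns (interface, "connected" or next-hop address); ("", "") if no route
    matches.  A connected subnet beats a static route of equal prefix length.
    """
    addr = ipaddress.ip_address(dest)
    best = (-1, 0, "", "")  # (prefix length, preference, interface, via)
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net and (net.prefixlen, 1) > best[:2]:
            best = (net.prefixlen, 1, name, "connected")
    for ifname, network, mask, next_hop in routes:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        if addr in net and (net.prefixlen, 0) > best[:2]:
            best = (net.prefixlen, 0, ifname, next_hop)
    return best[2], best[3]


def check_static_routes(interfaces: Dict[str, str], routes: List[Route]) -> List[str]:
    """Flag static routes whose next hop is not on the egress interface's subnet."""
    findings = []
    for ifname, network, mask, next_hop in routes:
        nh = ipaddress.ip_address(next_hop)
        egress = ipaddress.ip_interface(interfaces[ifname]).network
        if nh not in egress:
            owners = [n for n, c in interfaces.items() if nh in ipaddress.ip_interface(c).network]
            hint = f"; that address is on-link via '{owners[0]}'" if owners else ""
            findings.append(f"route {ifname} {network} {mask} {next_hop}: "
                            f"next hop is not in {egress}{hint}")
    return findings


def diagnose(host_cidr: str, gateway: str, interfaces: Dict[str, str],
             routes: List[Route]) -> List[str]:
    """Run all three checks for one host; an empty list means nothing obvious is wrong."""
    findings = []
    if not gateway_on_link(host_cidr, gateway):
        findings.append(f"host {host_cidr}: gateway {gateway} is outside its subnet, "
                        f"so the host cannot ARP for it")
    host_ip = str(ipaddress.ip_interface(host_cidr).ip)
    ifname, via = route_for(host_ip, interfaces, routes)
    if ifname == "":
        findings.append(f"firewall has no route to {host_ip}")
    elif via != "connected":
        findings.append(f"firewall reaches {host_ip} only via a static route on '{ifname}' "
                        f"(next hop {via}); replies will not return to the host's segment")
    findings.extend(check_static_routes(interfaces, routes))
    return findings


if __name__ == "__main__":
    for line in diagnose(PC_ADDRESS, PC_GATEWAY, PIX_INTERFACES, PIX_ROUTES):
        print(line)
```

Run as a script it prints one finding per check for the posted addressing: the PC's gateway 10.0.0.1 is not inside 172.0.0.0/24, the PIX has no subnet or route covering 172.0.0.1 and would send its replies along the default route, and the default route's next hop 212.122.40.51 is on the outside interface's subnet rather than on inside. With the host moved into the inside subnet and the default route pointed out the outside interface, the same function returns no findings.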
