Cisco Support Community

New Member

DMZ in same .248 subnet - how?

G'day folks,

I have a client with an 1811 who needs to have a DMZ.

The issue is the ISP (Videotron - Quebec) will only provide a single subnet for additional IPs.

My network guy isn't sure if it's possible to code the Cisco to do a DMZ that's on the same .248 subnet as the WAN IP.

Does anyone have any code snippets they can share, or even know if this is possible?

Thanks,

David

9 REPLIES
Hall of Fame Super Silver

Re: DMZ in same .248 subnet - how?

David

I have seen some implementations that achieve pretty much the functionality that you describe. They configure the subnet (.248 or whatever) on the LAN interface (perhaps DMZ in your case) and configure ip unnumbered on the serial interface. Would that work for your client?

HTH

Rick

New Member

Re: DMZ in same .248 subnet - how?

Hi Rick,

This may work. We'll have to try it to find out.

Thanks,

David

New Member

Re: DMZ in same .248 subnet - how?

Hi David,

You could create subinterfaces, one of them being the local LAN and the other the DMZ. Then static NAT a couple of the spare addresses into private addresses on your DMZ. Mind you, you must create a trunk to your switch in this scenario (either ISL or 802.1q).

Regards,

Andres

New Member

Re: DMZ in same .248 subnet - how?

Thanks for the suggestion, but this requires Videotron change how they deliver the service, which they won't do (I'm actually calling them again to plead my case).

New Member

Re: DMZ in same .248 subnet - how?

There is a simple way you could do this:

1. Split the /29 into two /30s and use one for your WAN and the other for your LAN (you may NAT if multiple systems are connected to the LAN).

New Member

Re: DMZ in same .248 subnet - how?

Thanks for the reply. Unfortunately, this gets to the heart of the issue - Videotron won't change how they deliver additional IP addresses - i.e. We can only get a single subnet.

Green

Re: DMZ in same .248 subnet - how?

I'm not sure you understood the previous post. You can take your /29 (.248) and create 2 networks - 2 /30 (.252) networks. For example if you had 1.1.1.0-1.1.1.7 /29, you can split it in half and would have 1.1.1.0-1.1.1.3 /30 and 1.1.1.4-1.1.1.7 /30.

ip address outside 1.1.1.1 netmask 255.255.255.252

ip address DMZ 1.1.1.5 netmask 255.255.255.252

OR

ip address outside 1.1.1.1 netmask 255.255.255.252

ip address DMZ 192.168.1.1 netmask 255.255.255.0

static (DMZ,outside) 1.1.1.5 192.168.1.2 netmask 255.255.255.255

New Member

Re: DMZ in same .248 subnet - how?

Ah - I see what you're saying.

This could solve the issue, but unfortunately we're only needing 2 static IPs (1 WAN and 1 DMZ) and Videotron will only provide them as the first 2 usable IPs in a .248 subnet, which puts both of them in the 1st half of your equation.

Videotron charges $20 PER MONTH per additional IP as well - absolutely ridiculous. I'd move the client to DSL in a heartbeat, but they're too far from the C.O. - hence Videotron.

Hall of Fame Super Silver

Re: DMZ in same .248 subnet - how?

David

If the ip unnumbered works I believe that it would be the optimum solution. Configuration of ip unnumbered is supported on point to point interfaces (and in some releases on a VLAN subinterface). I do not know whether you would be able to do that with Videotron.

If the ip unnumbered does not work, based on the additional information that you have provided I believe that there may be another potential solution to consider. Perhaps you could configure the subnet on your outbound interface and then configure address translation so that the second address that you want to use gets translated to some address for the device on your inside interface.

HTH

Rick
