1760 DMZ Routing Question

Posted on 2005-04-11
Medium Priority
Last Modified: 2012-08-14
Got a few questions on whether a few things are possible.

Our IP space is currently being renumbered to a /24 and we are looking to establish a firewalled DMZ rather than the completely open DMZ that is there now.

Currently installed is a Cisco 1721 from our ISP that connects to our 1760.  I'm wondering if it's possible to use the Cisco 4 Port Ethernet Interface and basically set up just 1 port on it to connect to a switch to be used as the DMZ.

Next, the ISP assigned the /24 to the inside interface of their router, which we can't control.  Is there a way to subnet that /24 so 1 IP goes to the Public interface of the 1760 and the rest goes to the DMZ Port of the 1760 without having the ISP reconfigure their router to use a different mask on their inside interface?
Question by:caplinktech

Expert Comment

ID: 13758392

You would use NAT or PAT on the 1760 anyway to allow internet access, and any access that must happen to the internal net (discouraged, but sometimes required), and these addresses would come from the /24 natted to internal addresses. You could do the same with another ethernet port off the 1760 as the DMZ.

Set the port (a single ethernet port would do, and the WIC-1ENET is fairly cheap) on a different address range ( for example) and use NAT to translate addresses on the DMZ to real public addresses.

If you give us address examples, we could post commands. Help by giving us more info on what specifically you need next.

Author Comment

ID: 13763400
I was actually hoping to do it without NATing all the addresses.  The majority of the /24 is going to be sent to the DMZ, which is why I asked if the /24 can be subnetted without the ISP changing their router config.

The ideal situation which I think is possible is this:

ISP .1 /29
Public Interface of my Router .2 /29
Private LAN of my Router /16
DMZ of my Router .129 /25

Then add additional smaller subnets to the DMZ interface of my Router as needed using Secondary IPs or Loopback interfaces.

Granted I think the easiest thing to do is just try to convince the ISP to give us an additional /29 allocation and then assign the whole Class C to the DMZ of our Router but I'm not sure if that will happen.

Expert Comment

ID: 13765017
Sorry. You could do that as well.

The outside just needs to know that all traffic in the /24 routes to your 1760. It can split it up or take it from there.

The above would work fine - you would NAT just the inside ranges for internet access and put all the accessible servers on the DMZ.

You would need to keep proxy ARP on the 1760 (it would need to respond to ARPs for the /25 and higher subnets).

You would need to change the subnet mask on the 1760 to the /29.  The ISP may not need to change.

Shouldn't need an additional address space.

Expert Comment

ID: 13767547
If a single interface on their router is configured for the /24 subnet then you won't be able to use that subnet anywhere other than on that interface, for 2 reasons:
1. The router normally won't let you configure more than one interface with overlapping subnets
2. If you configure a downstream router with part of it, the ISP router will never forward traffic there because it "owns" the configured address space.

Their assumption is that you are putting all of your hosts directly behind their router, which is not at all the case. What you should have them do is to change the mask of their inside interface to /29 (or /30 if you only need 2 IPs) and configure a static route pointing the /24 to your router's public interface. Then you can break up the rest of the /24 however you want.

Author Comment

ID: 13768044
Hi Mike,

I thought that was going to be a problem, Mike.  I wanted it designed with /29 instead of /30 in case there is anything that needs to be 100% unfirewalled in the future; doing it with a /29 will give us that flexibility.

Theoretically, an additional /29 is not needed, correct?  They could simply change the mask to a /29 and then statically route the other "subnets" to my router, meaning forward the .128 /25, the .64 /26, the .32 /27, the .16 /28, and the .8 /29?

Granted, that isn't the best solution since it wastes about 10 IPs for no reason, but....

They also are aware that I have a router behind theirs, however they don't yet realize that I want to subnet the Class C address and route it to 2 different interfaces behind theirs.  The old /26 is currently being routed using 1 to 1 NAT all over the place which is getting increasingly inefficient as the network grows.


Accepted Solution

minmei earned 2000 total points
ID: 13768115

While Mike is correct that it would be better (more correct) to get the ISP to change, if they continue to have the /24 mask on their router you will be fine.

Any traffic to any host in that range it will think is local. It will therefore ARP for it.

As long as proxy ARP is turned on on your 1760, your router will answer the ARP and the traffic will go to it.

It will have a /29 mask so other masks will be allowed on other interfaces. It will get the traffic and forward it to the correct destinations.

Route masks do not have to match. It's better (easier to troubleshoot, simpler to explain) but that's why there are such things as proxy ARP.

If you ask them to change it, they may only route the /29 to you and drop the rest (or not route it at all).
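
The accepted solution above as a concrete 1760 configuration. This is an added example, not configuration from the thread; 203.0.113.0/24 (an RFC 5737 documentation range) stands in for the real /24, 10.0.0.0/16 for the private LAN, and the interface names and the use of NAT overload for the LAN are assumptions.

```cisco
! Added example: 1760 running the "keep the ISP's /24 mask" scheme.
! 203.0.113.0/24 stands in for the real /24, 10.0.0.0/16 for the private
! LAN; interface names are assumed (check with: show ip interface brief).
!
! Addressing, matching the author's plan:
!   ISP inside interface   203.0.113.1   /24 (unchanged, ISP side)
!   1760 public interface  203.0.113.2   /29
!   1760 DMZ interface     203.0.113.129 /25
!   1760 LAN interface     10.0.0.1      /16 (PAT to the public address)
!
interface FastEthernet0/0
 description Link to ISP 1721
 ip address 203.0.113.2 255.255.255.248
 ! Proxy ARP is on by default in IOS; spelled out because the design
 ! depends on it. The ISP router believes every host in 203.0.113.0/24 is
 ! on this wire and ARPs for it; the 1760 answers with its own MAC for any
 ! target it reaches through a *different* interface (the DMZ /25 below)
 ! and stays silent for addresses it would route back out this interface.
 ip proxy-arp
 ip nat outside
 no shutdown
!
interface Ethernet0/0
 description Firewalled DMZ (upper half of the /24)
 ip address 203.0.113.129 255.255.255.128
 ! DMZ hosts use 203.0.113.129 as their gateway; nothing on this segment
 ! should be handed proxy-ARP answers for other subnets.
 no ip proxy-arp
 no shutdown
!
interface FastEthernet0/1
 description Private LAN
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 no shutdown
!
! Internet access for the private LAN only; the DMZ keeps its public
! addresses and is neither "nat inside" nor "nat outside".
ip access-list standard LAN-NAT
 permit 10.0.0.0 0.0.255.255
ip nat inside source list LAN-NAT interface FastEthernet0/0 overload
!
! Everything not directly connected goes to the ISP router. ARP requests
! from the ISP for unassigned space (203.0.113.8 - .127) would follow this
! route back out FastEthernet0/0, which is why proxy ARP ignores them.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Later carve-outs on the DMZ side, as the author proposes, are just more
! addresses on the DMZ interface (or on further ports), for example:
!   interface Ethernet0/0
!    ip address 203.0.113.65 255.255.255.192 secondary
```

Two things to check once this is up. On the 1760, `show ip interface FastEthernet0/0 | include Proxy` must report proxy ARP enabled, or nothing in the /25 is reachable from outside. On the ISP router, if they will show you, `show ip arp` lists every DMZ address that has been talked to with the 1760's FastEthernet0/0 MAC, one entry per host; that ARP cache is the only thing carrying the DMZ, so a cleared cache plus a moment of downtime on the 1760 is a brief outage, and a dynamic routing protocol across the mismatched masks will not form, as Mike notes below.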


Author Comment

ID: 13773250

Yes, everything is routing correctly at the moment. I thought your method wasn't working when I responded earlier, but then I realized my ACLs were applied on the outside (public) interface, so that was what was stopping traffic to the DMZ port.  So everything works great in that respect; however, a new issue just arose that has me confused.

First line of my ACL on Public Interface permits any traffic to a particular ip in the DMZ Port

permit tcp any host x.x.x.130

No access list on my DMZ Port, everything works fine connecting to web services.

Add the following access list inbound on the DMZ port and suddenly web services stop working.

permit tcp any any eq www
permit tcp any any eq 443

In interface:

ip access-group dmz-acl in

I have no clue why setting it up like that prevents traffic from flowing on port 80 and 443 into the DMZ.  If I change that access list to simply:

permit tcp any any

everything works again so I know the Cisco IOS is passing traffic through the first ACL and reading the second ACL, but I don't understand why the ACL that actually does something also prevents traffic from flowing in on 80 and 443 which has permit statements.  Does the first ACL do some kind of Port Translating I'm unaware of (don't know why it would)?

Expert Comment

ID: 13773314

You need to look at the command from the router's perspective.

permit tcp any any eq www

applied to the DMZ interface inbound means:

permit all traffic from any host (any port) to any host on port 80

Your web server is sending traffic (backstream from server) _from_ port 80 to whatever port they used to issue the request (could be anything)

So you would need to change it to:

permit tcp any eq www any

And likewise with the ssl port.

Make sense?

Expert Comment

ID: 13774311
Inbound means entering the interface. Outbound means leaving the interface. You could just make that command "ip access-group dmz-acl out" and it should work.

minmei was correct about proxy ARP; I forgot about that feature. But from a pure best practices perspective, it's a bad idea to put 2 different subnet masks on routers sharing the same link. If you ever need a dynamic routing protocol it won't work at all, and it's confusing for documenting, troubleshooting, etc. So it would still be better to make the change I suggested if you can get the ISP to do it. But in the meantime you can do what minmei suggested.

They only need one static route pointing the whole /24 at your router. Your router would then figure out what to do based on how you've configured it.

Expert Comment

ID: 13774393

I heartily agree. But idealism and real-world ISPs mostly don't mix. Unless you are going to a dual connection, dual ISP, full BGP routing protocol load balance scenario, you'll never run a routing protocol between you and the ISP.

And again, the chances of the ISP not routing the full /24 to you depends on the quality of your ISP - ours don't have a stellar track record of doing what you ask them to do correctly. And the benefit is you can change your scheme yet again if you need to and they don't have to know a thing about it.

Good call on the outbound direction. I have too many PIXes around here and forget that outbound ACL's even exist.

Author Comment

ID: 13774850
Yeah, that's what I get for not thinking and just copying the data from the public interface ACL.

One last quick thing, because I'm 99% sure the answer to this is no, but you seem highly knowledgeable in this area so I figured I'd ask.

There is no way to apply multiple access lists to any interface correct?

Like if I wanted to make 1 access list with

permit tcp any eq www any
permit tcp any eq 443 any

then another with

permit tcp any eq smtp any
permit tcp any eq pop3 any

and apply them both to an interface and allow traffic on all 4 ports to flow through?

This doesn't really pertain to my current config as there are only 3 interfaces, but I started thinking about how much of a pain it would be to write a bunch of redundant access lists for several interfaces if things only varied slightly, when it would be so nice to just make little "sub" access lists.

Expert Comment

ID: 13775267
You can only have one in and one out on any interface. You can make as many lists as you want and apply one to each interface. But there's no reason you can't put that in one list:

permit tcp any eq www host
permit tcp any eq 443 host
permit tcp any eq smtp host
permit tcp any eq pop3 host
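
Both ACL points from the thread, the direction mistake explained in ID 13773314 and ID 13774311 and the one-list-per-direction answer just above, as IOS configuration. This is an added example, not the thread's own config; the DMZ interface name and the server addresses (203.0.113.130 and .131, documentation range) are placeholders, and the `established` line is an assumption about DMZ hosts needing to open their own outbound TCP connections.

```cisco
! Added example. Placeholders: Ethernet0/0 is the DMZ port, 203.0.113.130
! is the web server, 203.0.113.131 the mail server.
!
! What the author first applied, inbound on the DMZ port. "Inbound" is
! evaluated on packets ENTERING the router from the DMZ servers. A server's
! reply carries source port 80/443 and an ephemeral destination port, so
! neither line matches and the implicit deny at the end drops the reply.
ip access-list extended dmz-acl-wrong
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Fix 1 (what the expert suggested): stay inbound, match the server port
! as the SOURCE port.
ip access-list extended dmz-acl-in
 permit tcp any eq www any
 permit tcp any eq 443 any
!
! Fix 2 (what Mike suggested, and the cleaner DMZ policy): filter what is
! allowed TO reach each server, applied outbound on the DMZ interface.
! Every service lives in one list; "remark" lines replace the "sub" lists
! the author was asking for.
ip access-list extended dmz-acl-out
 remark --- web server ---
 permit tcp any host 203.0.113.130 eq www
 permit tcp any host 203.0.113.130 eq 443
 remark --- mail server ---
 permit tcp any host 203.0.113.131 eq smtp
 permit tcp any host 203.0.113.131 eq pop3
 remark --- replies to TCP connections the DMZ hosts opened themselves ---
 permit tcp any any established
 remark --- everything else is dropped and logged ---
 deny ip any any log
!
interface Ethernet0/0
 description Firewalled DMZ
 ! One list per direction per interface: this fills the "out" slot; an
 ! "ip access-group ... in" here would be the only other one possible.
 ip access-group dmz-acl-out out
```

Check it with `show ip access-lists dmz-acl-out` after browsing to the web server: the hit counters move on the www/443 lines, and anything landing on the final deny shows up in the log. Two caveats: `established` only looks at TCP ACK/RST flags, so UDP replies to DMZ hosts (DNS lookups, for instance) need their own permit lines or the stateful `ip inspect` (CBAC) feature of that IOS era; and because the list is evaluated on packets leaving the router toward the DMZ, it does not touch the servers' own replies, which exit via the public interface and are governed by whatever is applied there.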
