Is it possible to set up a second DMZ?

Posted on 2006-05-24
Last Modified: 2010-04-08
I just received another block of IP addresses to put on our DMZ and I'm not sure how to do that? I'm almost through the CCNA book though :)!

Can anyone help? I would like to do it through the PDM if possible. I was looking, trying to figure it out, and thought it should go in the Host/Networks tab, but I'm not sure where to add it?

Any help is much appreciated!  

Thank you!
Question by:cas_three
    LVL 51

    Expert Comment

    by:Keith Alabaster
    What is your firewall and IOS version? How many ports does it have?
    LVL 79

    Expert Comment

    >I would like to do through the PDM if possible.
    Sounds like a PIX. As Keith suggested, please post details of which PIX model and what version OS it's running.
    Generally, you simply need to confirm with the ISP that this new block of IP addresses will be routed to your current public IP address.
    Once this block of IP's is routed to you, you simply create new static xlates or global pools on the pix.
    If these are simply additional IP's that are in the same IP subnet as your outside interface, then you just create new static xlates, or add these IP's to the global xlate pool.
    For what purpose did you order these additional IP addresses?
    Do you have a router out in front of the PIX, or how does your WAN access come in? Is it DSL, T1, or what?

    Author Comment

    I'm sorry for not giving the equipment and version. It is a Cisco PIX 515E, version 6.3(4).

    This block of IP's is being routed to us. They are not on the same subnet as the other block of IP's on our DMZ interface.

    We are putting a Linux box on our DMZ; that was the purpose of getting additional IP's.

    We have a router that was provided by our ISP, it's a bonded copper line.

    I hope this helps!

    Thank you!
    LVL 79

    Accepted Solution

    It sort of depends on how this block of IP's are being routed to you.
    The router provided by the ISP is the key. Is the ISP routing this block to the router, or directly to your PIX IP?
    Are you using public IP's on your DMZ, or using static NAT mapping private/public for the DMZ?
    And you want to add a Linux box to the same DMZ interface, but on a different subnet?
    I could be more help if I saw the PIX config (mask enough of your public IP to be safe, but not so much that we can't tell the uniqueness...).
    LVL 3

    Assisted Solution

    If you just received a new IP block you can create static translations between the DMZ and the outside, and you can translate the traffic from the outside to the server on the DMZ. If you prefer to assign the public IPs to servers on the DMZ and still be able to reach them from the outside using those IPs, then you can create a self translation for the subnet, for example:
    static (dmz,outside) netmask
    then you create the access lists to allow the traffic to the servers and apply them on the outside.

    If you want to use private IPs on the DMZ then the mapping will be from public to private.

    Let me know if this is clear.

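As an added illustration of the two approaches described in the answer above (not configuration from this thread or from the asker's PIX), here is what the PIX 6.3 commands look like with constructed addresses: 203.0.113.0/24 stands in for the new public block the ISP routes to the firewall, and 192.168.10.0/24 for the existing private DMZ subnet.

```cisco
! Constructed example addresses: 203.0.113.0/24 is the new routed public block,
! 192.168.10.0/24 is the existing private DMZ subnet. Both are placeholders.

! Option 1, public-to-private: DMZ hosts keep their private addresses and each
! new public address is mapped to one host. The DMZ interface does not need a
! second subnet, because the PIX only has to answer for the public address on
! the outside interface.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255

! Option 2, self (identity) translation: the DMZ hosts carry the public
! addresses themselves, so mapped and real address are the same. This only
! works if the PIX can actually reach 203.0.113.0/24 on the dmz interface.
! static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! A static by itself permits nothing inbound. On PIX 6.x the outside access
! list matches the mapped (public) address, so permit only the services the
! host really offers and let the implicit deny at the end drop the rest.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-group outside_in in interface outside

! Checks after applying: "show static" and "show xlate" should list the
! translations, and "show access-list" should show hit counts climbing only
! for the permitted flows.
```
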
    Author Comment

    Called Cisco and this is not possible since.
    LVL 79

    Expert Comment

    With enough information anything is possible. Asker did not provide enough information.
    Cisco TAC looks at a problem from a very narrow viewpoint.

    Delete is fine with me.
