
Is it possible to set up a second DMZ?

I just received another block of IP addresses to put on our DMZ and I'm not sure how to do that. I'm almost through the CCNA book though :)!

Can anyone help? I would like to do it through the PDM if possible. I was looking, trying to figure it out, and thought it should go in the Host/Networks tab, but I'm not sure where to add it.

Any help is much appreciated!  

Thank you!
2 Solutions
Keith Alabaster Commented:
What is your firewall and IOS version? How many ports does it have?
> I would like to do it through the PDM if possible.
Sounds like a PIX. As Keith suggested, please post details of which PIX model and what version OS it's running.
Generally, you simply need to confirm with the ISP that this new block of IP addresses will be routed to your current public IP address.
Once this block of IPs is routed to you, you simply create new static xlates or global pools on the PIX.
If these are simply additional IPs that are in the same IP subnet as your outside interface, then you just create new static xlates, or add these IPs to the global xlate pool.
For what purpose did you order these additional IP addresses?
Do you have a router out in front of the PIX, or how does your WAN access come in? Is it DSL, T1, or what?
cas_three Author Commented:
I'm sorry for not giving the equipment and version. It is a Cisco PIX 515E, version 6.3(4).

This block of IPs is being routed to us. They are not on the same subnet as the other block of IPs on our DMZ interface.

We are putting a Linux box on our DMZ; that was the purpose of getting additional IPs.

We have a router that was provided by our ISP, it's a bonded copper line.

I hope this helps!

Thank you!

It sort of depends on how this block of IPs is being routed to you.
The router provided by the ISP is the key. Is the ISP routing this block to the router, or directly to your PIX IP?
Are you using public IPs on your DMZ, or using static NAT mapping private/public for the DMZ?
And you want to add a Linux box to the same DMZ interface, but on a different subnet?
I could be more help if I saw the PIX config (mask enough of your public IP to be safe, but not so much that we can't tell the uniqueness...).
If you just received a new IP block, you can create static translations between the DMZ and the outside, and translate the traffic from the outside to the server on the DMZ. If you prefer to assign the public IPs to servers on the DMZ and still be able to reach them from the outside using those IPs, then you can create a self translation for the subnet, for example:
static (dmz,outside) netmask
then you create the access lists to allow the traffic to the servers and apply them on the outside.

If you want to use private IPs on the DMZ then the mapping will be from public to private.

Let me know if this is clear.
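The public-to-private mapping described in the answer above, written out as an added PIX 6.3 configuration example that is not from the thread. It assumes the DMZ keeps its existing private subnet (so no second subnet is needed on the DMZ interface), that the ISP router forwards the new block to the PIX outside address, and that the Linux box only publishes HTTP; all addresses are constructed documentation ranges, and lines starting with ":" are comments.

```cisco
: Constructed addresses (not from the thread):
:   new public block routed to the PIX outside address: 203.0.113.0/28
:   existing private DMZ subnet: 10.1.2.0/24, Linux box: 10.1.2.10
:   management workstation allowed to SSH in: 198.51.100.5
:
: One-to-one static NAT: one address from the new block maps to the DMZ host.
: The host keeps its private DMZ address, so nothing changes on the DMZ interface.
static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255
:
: Inbound policy on the outside interface, expressed against the public address.
: Only the published service is open to everyone; SSH is restricted to the
: management host; everything else inbound to the new address stays denied.
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 22
access-group outside_in in interface outside
```

Verify the translation with `show xlate` and the hit counts with `show access-list outside_in` after a test connection; each public address you want to expose from the new block needs its own static line.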
cas_three Author Commented:
Called Cisco and this is not possible since.
With enough information anything is possible. Asker did not provide enough information.
Cisco TAC looks at a problem from a very narrow viewpoint.

Delete is fine with me.

