Cisco router - 2 interfaces on same subnet?

Last Modified: 2012-05-06
At our "primary" location, our company uses access-control lists on our perimeter Cisco router to reduce all incoming traffic to just the ports required for our DMZ servers.  Inside that we use a SonicWall UTM appliance for IPS, anti-virus, etc.  (PLEASE don't get hung up on the "why" of this approach)

At a remote location, we would like to use the same approach.  However, we are prohibited from configuring the perimeter Cisco router that was provided by our ISP.  So we currently have their Cisco 2600 series router (no access-list restrictions in place at all), then the SonicWall.  Our hope is to place another Cisco 2600 series router (with access lists) between the current Cisco and the SonicWall.  Our concerns center on the routing and how to get that Cisco to pass traffic when both interfaces are within the same subnet.

The current perimeter Cisco has a public IP of x.x.x.17.

The SonicWall interface has a public IP of x.x.x.18 (same subnet)

The SonicWall uses NAT to convert the remainder of our public addresses (.19 through .30, though only .28 through .30 are currently used) to our private addresses.

How would the Cisco "middleman" be configured to properly pass traffic between the current Cisco and the SonicWall?

The router man in the middle is not viable. Can you use the SonicWall UTM to do the port access along with the NAT? The other option would be to set up the router with the old subnet on one side and a new one on the other and use it to do the NAT instead of the SonicWall UTM.

Will the ISP make changes to their 2600 at your request?  If so, you could use a /30 (public or private) between their 2600 and your "outside" interface of the 2600.  You could then use the x.x.x.16/28 on your 2600 "inside" interface.  You could break up your public block even for the /30 between your router and theirs.  They would need to add a route to the public block via your 2600 outside interface and your 2600 would have a default route pointing to their 2600 inside interface.

If they will not make changes to their router, you can use the public block on the outside and a private subnet to match on the inside connected to the Sonicwall.  You could do a 1-1 static NAT for each public IP in the pool.  The sonicwall would NAT the private IP to the real IP of the server.

Mapping like this: - x.x.x.19 - x.x.x.20 - x.x.x.21


You're both overlooking the obvious.

You don't want to "route" traffic; you want to "switch" traffic.

if what you want is:

ISP --- [isp's 2600] ---[your device with acl's] -- to DMZ or LAN

then you don't need to 'route'. You can use IP-less inspection (your device won't have 'routing'). It'll just have an in and an out, ACLs and zones.

Look into PIX devices.

Assuming you cannot have the ISP change config of their router (to use a /30 and route a _different_ subnet to your router for use on your LAN)

If you want two interfaces on the same subnet, to forward traffic for that subnet between the two, you cannot use a router.

You must use a bridge.

Since you want to use access lists to control traffic, it must be a bridge with Layer 2 access list or transparent firewall capabilities.

To use a Cisco router for this, an IOS firewall + Layer 2 inspection + CBAC, also known as "Transparent Firewall", would work.


Certain switches (with the right feature sets) also have Layer 2 ACL capability. In that case, you don't use any routing on the switch: the ISP 2600 goes in one port, the SonicWall and DMZ devices go in different ports, and you apply ACLs to L2 ports.

An alternative would be to use one-to-one NAT on your 2600 middleman, so the internal subnets aren't really the same, so your router middleman can actually route.

*When I say a 'Cisco router' would work, I mean that, with the right L2 features, it can work if you turn off routing and set up the router to perform bridging instead, subject to your L2 ACLs.

or... use a pix... which is what Mysidia is describing... out of the box.

A PIX is a device that runs IOS that performs stateful packet inspection (FORMERLY called CBAC, now known as the IOS Firewall) out of the box. It can be made to do NAT, but is by default a transparent gateway.

Basically you cannot route between two interfaces on the same router on the same subnet. You could attempt to break up the subnets as JFrederick29 had mentioned, or do static NAT to a different subnet on the inside of the man-in-the-middle router, on the outside of the SonicWall, as I mentioned earlier. Other than that, you would have to do something like a transparent firewall (mode) such as a PIX or ASA. Cisco switches only support inbound access lists on L2 ports. If you are looking to add hardware such as a PIX, you could also use an IPS to block hosts or ports without having to have a L3 interface.

OK... our security guru finally solved this!

His short explanation is: use bridging (layer 2), IP routing (layer 3), and stateful packet inspection (CBAC).

The nuts and bolts are:

! Layer 2 bridging with IP routing + stateful inspection (CBAC) configuration on a Cisco 2621 series router
!
! CBAC inspection rule set: tracks sessions leaving the inside so only their return traffic is admitted
ip inspect name SPIout tcp
ip inspect name SPIout udp
ip inspect name SPIout icmp
ip inspect name SPIout smtp
ip inspect name SPIout ftp
! Integrated routing and bridging: lets a BVI carry an IP address for the bridge group
bridge irb
! Outside interface, toward the ISP's 2600: no IP address, bridged only
! (the inbound ACL the question asks for is not in the posted config; it would be applied here
! with "ip access-group <acl-name> in")
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
! Inside interface, toward the SonicWall: inspect sessions entering from the inside
interface FastEthernet0/1
 no ip address
 ip inspect SPIout in
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
! Bridge virtual interface: the router's own address on the bridged block
! (the mask is required by IOS and was missing from the posted config; 255.255.255.240 is
! assumed from the x.x.x.16/28 block discussed above)
interface BVI1
 ip address xx.xxx.xxx.19 255.255.255.240
bridge 1 protocol ieee
bridge 1 route ip
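Because a bridged "middleman" passes everything unless something says otherwise, it is worth checking a config like the one above before it goes in line. The following audit script is an added example, not from the thread or from Cisco: it parses a flat IOS config, confirms that both physical interfaces share one bridge group, that bridge irb and bridge N route ip are present, that a CBAC rule set is both defined and applied, and that the outside interface carries an inbound ACL. The sample config is constructed (RFC 5737 address 192.0.2.19, assumed /28 mask, the hypothetical ACL name DMZ-IN in the test).

```python
import re

# Constructed sample modelled on the IRB + CBAC config posted in the thread: an RFC 5737
# documentation address replaces the masked IP, the /28 mask is assumed, and no inbound ACL is set.
SAMPLE_CONFIG = """\
ip inspect name SPIout tcp
bridge irb
interface FastEthernet0/0
 no ip address
 bridge-group 1
interface FastEthernet0/1
 no ip address
 ip inspect SPIout in
 bridge-group 1
interface BVI1
 ip address 192.0.2.19 255.255.255.240
bridge 1 route ip
"""

def parse_interfaces(config):
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())     # indented line = interface sub-command
        else:
            current = None                           # any global command ends the stanza
    return ifaces

def audit_transparent_firewall(config, outside="FastEthernet0/0"):
    """Return a list of findings for the bridge-plus-inspect design; [] means all checks passed."""
    lines, ifaces, findings = config.splitlines(), parse_interfaces(config), []
    groups = {c.split()[1] for cmds in ifaces.values()
              for c in cmds if c.startswith("bridge-group ")}
    if len(groups) != 1:
        findings.append("interfaces are not all in one bridge-group")
    if "bridge irb" not in lines or not any(re.fullmatch(r"bridge \d+ route ip", l) for l in lines):
        findings.append("bridge irb or bridge N route ip missing: IP is not routed via the BVI")
    defined = set(re.findall(r"^ip inspect name (\S+)", config, re.M))
    applied = {c.split()[2] for cmds in ifaces.values()
               for c in cmds if c.startswith("ip inspect ")}
    if not defined & applied:
        findings.append("no CBAC inspect rule is both defined and applied to an interface")
    if not any(c.startswith("ip access-group ") and c.endswith(" in")
               for c in ifaces.get(outside, [])):
        findings.append(f"no inbound ACL on {outside}: unsolicited traffic is not filtered")
    return findings
```

Run against the sample, the only finding is the missing inbound ACL on FastEthernet0/0; adding an ip access-group line there clears it.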
