Configuring 5 static IPs

Today I received the 5 static IPs I requested from Comcast. I bought a Cisco router and I plan to set up a DMZ for my servers, but Comcast assigned the Default Gateway IP to their modem and now I am not able to create a DMZ and protect the traffic going to my servers.

I asked them to set up a subnet between the modem and my router with private IP addresses so I would be able to assign the Default Gateway IP to the router's interface that faces the DMZ, but they told me that they have to leave the Default Gateway IP address on the modem.

Now I am stuck, because I don't know how I can create a DMZ and filter the traffic as it passes through my router. One of the things that I am trying to avoid is having the router do NAT.

I really appreciate any help.
midelafe Asked:
 
klodefactor Commented:
Why are you trying to avoid NAT?  It's generally simple to configure.

You could theoretically split your five IPs into two subnets but that would leave you without enough IPs to be useful:
- the first IP for the router external i/f, in the same subnet as the default gateway
- the second IP for the broadcast address of the lower half
- the third IP for the subnet address of the upper half
- the fourth IP for the router internal i/f, in the upper half
- the fifth IP is the only one available for an internal system
As you can see, you end up with only three usable IP addresses.

I think your only choices are to use NAT, lease more IP addresses, or find an ISP that supports IPv6.

--klodefactor
0
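klodefactor's address breakdown, worked through as an added example that is not part of the original thread. The block `203.0.113.0/29` (a documentation range), the gateway position and the function names are assumptions; the code goes slightly beyond the comment by accepting a gateway in either half and rejecting positions where the split cannot work.

```python
import ipaddress

def split_plan(block: str, gateway: str) -> dict:
    """Split an ISP block in half and label what each address becomes."""
    net = ipaddress.ip_network(block)
    gw = ipaddress.ip_address(gateway)
    if net.prefixlen > 29 or gw not in net:
        raise ValueError("need a /29 or larger block that contains the gateway")
    halves = list(net.subnets(prefixlen_diff=1))
    # The half holding the ISP gateway stays outside the router;
    # the other half becomes the routed DMZ segment.
    outside = next(h for h in halves if gw in h)
    dmz = next(h for h in halves if gw not in h)
    if gw in (outside.network_address, outside.broadcast_address):
        # The gateway would become a subnet or broadcast address after the split.
        raise ValueError(f"{gw} is not a usable host in {outside}")
    roles = {}
    for half, name in ((outside, "outside"), (dmz, "dmz")):
        roles[half.network_address] = f"{name} subnet address (unusable)"
        roles[half.broadcast_address] = f"{name} broadcast (unusable)"
    roles[gw] = "ISP gateway (modem)"
    outside_hosts = [h for h in outside.hosts() if h != gw]
    roles[outside_hosts[0]] = "router external i/f"
    for h in outside_hosts[1:]:
        roles[h] = "outside host (not behind the router)"
    dmz_hosts = list(dmz.hosts())
    roles[dmz_hosts[0]] = "router internal i/f"
    for h in dmz_hosts[1:]:
        roles[h] = "server"
    return {str(a): roles[a] for a in sorted(roles)}

def server_count(plan: dict) -> int:
    """Number of addresses left for DMZ servers."""
    return sum(1 for role in plan.values() if role == "server")

if __name__ == "__main__":
    # Constructed sample: documentation range, gateway assumed at the bottom.
    plan = split_plan("203.0.113.0/29", "203.0.113.1")
    for addr, role in plan.items():
        print(f"{addr:<14} {role}")
    print("servers available:", server_count(plan))
```
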
 
twohawks Commented:
The Comcast SMC modem, from what I gather, can, and I think by default does, simply pass through your IPs, i.e., should be in bridge mode (so to speak).

This means if you assign an outward-facing WAN port one of your statics, then it will be on the net.

So that WAN-connected device's firewall can then be configured however you wish, i.e., normally, whether it's providing a DMZ and a LAN, or what have you.

x5
0
 
dcj21 Commented:
Look at Transparent Firewall for the DMZ leg

The Transparent Cisco IOS Firewall feature allows users to "drop" a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their network-connected devices. Thus, users can allow selected devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html

What kind of firewall/router do you have?
0
 
midelafe (Author) Commented:
dcj21, I was reading on www.cisco.com about the Transparent Cisco IOS Firewall, but unfortunately this solution doesn't fit my needs since I cannot apply firewall rules at layer 3 on the ports where the Bridged Virtual Interface (BVI) is configured.
This is what you can read on the site: "Because the Layer 2 firewall intercepts packets at Layer 2 and is "transparent" to the existing network, Layer 3 firewall limitations are not applicable."

Thanks anyway for your help, but I am at the same point that I was at the beginning.

klodefactor, I don't want to do NAT because I want each server to have its own static IP address on the DMZ, and another thing is that I don't want to compromise the router's resources in the NAT process.

Thank you all anyway; if any other solution arises, just let me know.
0
 
dcj21 Commented:
I normally use NAT in situations like you describe. I don't understand why not to use NAT; it's the standard way it's done.

If you use static NAT, each server will have its own outside IP address.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
0
Question has a verified solution.
