

Configuring 5 static IPs

Posted on 2011-10-07
Medium Priority
Last Modified: 2012-05-12
Today I received from Comcast 5 static IPs as I requested them. I bought a Cisco router and I plan to set up a DMZ for my servers, but Comcast assigned the Default Gateway IP to their modem and now I am not able to create a DMZ and protect the traffic going to my servers.

I asked them to set up a subnet between the modem and my router with private IP addresses so I would be able to assign the Default Gateway IP to the router's interface that faces the DMZ, but they told me that they have to leave the Default Gateway IP address on the modem.

Now I am stuck, because I don't know how I can create a DMZ and filter the traffic as it passes through my router. One of the things that I am trying to avoid is having the router do NAT.

I really appreciate any help.
Question by: midelafe

Accepted Solution

klodefactor earned 1000 total points
ID: 36934755
Why are you trying to avoid NAT?  It's generally simple to configure.

You could theoretically split your five IPs into two subnets, but that would leave you without enough IPs to be useful:
- the first IP for the router external i/f, in the same subnet as the default gateway
- the second IP for the broadcast address of the lower half
- the third IP for the subnet address of the upper half
- the fourth IP for the router internal i/f, in the upper half
- the fifth IP is the only one available for an internal system
As you can see, you end up with only three usable IP addresses.

I think your only choices are to use NAT, lease more IP addresses, or find an ISP that supports IPv6.


Expert Comment

ID: 36934896
The Comcast SMC modem, from what I gather, can, and I think by default does, simply pass through your IPs, i.e., should be in bridge mode (so to speak).

This means if you assign an outward-facing WAN port one of your statics, then it will be on the net.

So that WAN-connected device's firewall can then be configured however you wish, i.e., normally, whether it's providing a DMZ and a LAN, or what have you.


Expert Comment

ID: 36936308
Look at Transparent Firewall for the DMZ leg

The Transparent Cisco IOS Firewall feature allows users to "drop" a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their network-connected devices. Thus, users can allow selected devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied.

 What kind of firewall/router do you have?

Author Comment

ID: 36937608
dcj21, I was reading on www.cisco.com about the Transparent Cisco IOS Firewall, but unfortunately this solution doesn't fit my needs since I cannot apply firewall rules at Layer 3 on the ports where the Bridged Virtual Interface (BVI) is configured.
This is what you can read on the site: "Because the Layer 2 firewall intercepts packets at Layer 2 and is "transparent" to the existing network, Layer 3 firewall limitations are not applicable."

Thanks anyway for your help, but I am at the same point that I was at the beginning.

klodefactor, I don't want to do NAT because I want each server to have its own static IP address on the DMZ, and another thing is that I don't want to compromise the router's resources in the NAT process.

Thank you all anyway; if any other solution arises, just let me know.

Assisted Solution

dcj21 earned 1000 total points
ID: 36937748
I normally use NAT in situations like the one you describe. I don't understand why not to use NAT; it's the standard way it's done.

If you use static NAT, each server will have its own outside IP address.
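
The static NAT arrangement suggested in the answers above, sketched as a Cisco IOS configuration. This is an added example, not part of the original thread. Assumptions: the documentation block 203.0.113.0/29 stands in for the Comcast allocation, the modem (default gateway) sits at 203.0.113.6, and the interface names, DMZ subnet 192.168.10.0/24 and permitted services are all constructed for illustration.

```cisco
! Constructed example: 203.0.113.0/29 stands in for the Comcast block,
! with the modem (default gateway) assumed at 203.0.113.6.
interface GigabitEthernet0/0
 description WAN - to Comcast modem
 ip address 203.0.113.1 255.255.255.248
 ip access-group WAN-IN in
 ip nat outside
!
interface GigabitEthernet0/1
 description DMZ - servers on private addresses
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.6
!
! One-to-one static NAT: each DMZ server keeps a dedicated public IP.
ip nat inside source static 192.168.10.2 203.0.113.2
ip nat inside source static 192.168.10.3 203.0.113.3
ip nat inside source static 192.168.10.4 203.0.113.4
!
! Inbound filter on the WAN interface. IOS evaluates this ACL before
! NAT translates the destination, so entries use the public addresses.
ip access-list extended WAN-IN
 remark web server (hypothetical service assignment)
 permit tcp any host 203.0.113.2 eq 80
 permit tcp any host 203.0.113.2 eq 443
 remark mail server (hypothetical service assignment)
 permit tcp any host 203.0.113.3 eq 25
 remark replies to TCP sessions the servers opened
 permit tcp any 203.0.113.0 0.0.0.7 established
 deny ip any any log
```

The ACL covers inbound services and TCP replies only; UDP return traffic, such as answers to DNS lookups made by the servers, needs additional entries or stateful inspection.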

