https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159098#M859665 <HTML><HEAD></HEAD><BODY><P>so when people put the actual public IP on a server in the DMZ, the DMZ is generlaly outside the firewall?</P></BODY></HTML> Tue, 26 May 2009 19:34:28 GMT ryancolson 2009-05-26T19:34:28Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159096#M859658 <P>I have seen postings, and heard of cases where people actually assign public IPs to servers sitting in a DMZ behind a firewall. My question is, if you only have one IP block(say a /29), how can you do this? I understand if you either 1-1 NAT or PAT from outside to DMZ, but how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?</P> Mon, 11 Mar 2019 15:36:46 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159096#M859658 ryancolson 2019-03-11T15:36:46Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159097#M859661 <HTML><HEAD></HEAD><BODY><P>Charles </P><P></P><P>"how can you have an actual public IP on a server behind the DMZ on the ASA, on the same subnet as the outside interface?"</P><P></P><P>You can't unless you run the firewall in transparent mode. When people use public IP's in the DMZ they generally have a separate subnet for the DMZ.</P><P></P><P>Note you could split your /29 into 2 /30's but you would only 2 addresses then in each subnet.</P><P></P><P>Jon</P></BODY></HTML> Tue, 26 May 2009 19:27:04 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159097#M859661 Jon Marshall 2009-05-26T19:27:04Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159098#M859665 <HTML><HEAD></HEAD><BODY><P>so when people put the actual public IP on a server in the DMZ, the DMZ is generlaly outside the firewall?</P></BODY></HTML> Tue, 26 May 2009 19:34:28 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159098#M859665 ryancolson 2009-05-26T19:34:28Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159099#M859669 <HTML><HEAD></HEAD><BODY><P>Not necessarily. They might well have a different subnet for the DMZ ie. </P><P></P><P>195.17.17.0 255.255.255.252 could be used for the outside.</P><P></P><P>Your ISP then allocates you another range - </P><P></P><P>195.18.18.0 255.255.255.248</P><P></P><P>so you could then use this subnet for your DMZ. </P><P></P><P>But if your ISP only allocates you </P><P></P><P>195.18.18.0 255.255.255.248 </P><P></P><P>you can't have 195.18.18.x address on both the outside interface and on the DMZ.</P><P></P><P>Jon</P></BODY></HTML> Tue, 26 May 2009 19:37:54 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159099#M859669 Jon Marshall 2009-05-26T19:37:54Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159100#M859672 <HTML><HEAD></HEAD><BODY><P>thats pretty much what i thought. thanks a bunch!</P></BODY></HTML> Tue, 26 May 2009 19:41:32 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159100#M859672 ryancolson 2009-05-26T19:41:32Z https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159101#M859677 <HTML><HEAD></HEAD><BODY><P>You can have servers in your network with a public IP from your range but they would be patched directly to your outside switch</P></BODY></HTML> Wed, 27 May 2009 08:46:15 GMT https://community.cisco.com/t5/network-security/dmz-public-ip/m-p/1159101#M859677 darkbeatzz 2009-05-27T08:46:15Z