Solved: Setting up a DMZ on an ASA with a unique external IP, question.....

btramer29 · ‎05-29-2017

I have an ASA 5506 which currently has an outside interface configured with one of our external IP's, let's just call it: 192.168.0.10/24

I want to configure another interface for our DMZ, using another one of our external IP's, say: 192.168.0.11/24

Well, I'm getting an error about overlap, so I'm assuming something I'm doing is fundamentally wrong (which is fine I'm new to this).

Can someone explain how you would normally configure this, that is to have the "outside" interface and "DMZ" interface both have their own unique external IP's (from the same block)?

Philip D'Ath · ‎05-29-2017

You can't use the same subnet on different interfaces. If you want public IP address space in your DMZ, then you'll need to ask your ISP for an extra block and to route that via the IP address you have assigned to your ASA.

Otherwise you'll need to use a private IP address block on your DMZ and to NAT through to those IP addresses.

View solution in original post

Philip D'Ath · ‎05-29-2017

You can't use the same subnet on different interfaces. If you want public IP address space in your DMZ, then you'll need to ask your ISP for an extra block and to route that via the IP address you have assigned to your ASA.

Otherwise you'll need to use a private IP address block on your DMZ and to NAT through to those IP addresses.

btramer29 · ‎05-29-2017

Ok thanks, that's exactly what I needed to know (and makes sense now that I think about it).

Richard Bradfield · ‎05-29-2017

I dont quite understand what you are doing, if you have a public address range as you say call it

192.168.0.0/24, then say inside is 10.0.0.0/24 and DMZ is 172.16.0.0/24, then you can nat devices on both networks to the public address space