cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22043
Views
0
Helpful
4
Replies

The IP address, ..., cannot overlap with the subnet of interface ...

Arvo Bowen
Level 1
Level 1

OK well I want my block of IPs (30 IPs) to be used on two different interfaces. That's posible right?

For example I have three vlans total...

"inside" vlan - 10.50.1.x

"outside" vlan - 12.175.10.204

"dmz_ftp" vlan - 12.175.10.206

Note: both the "outside" and "dmz_ftp" vlans/interfaces have a subnet of 255.255.255.224

When I try to use those values the ASDM throws the following error:

"The IP address, ..., cannot overlap with the subnet of interface ..."

So my question is, how do I get passed the error that the ASDM throws at me?

1 Accepted Solution

Accepted Solutions

Do you want the ftp server to be accessible from the internet ?

If so put the ftp server in the dmz and allow access to the inside NAS and also from the internet. You could use a private address for the ftp server in the dmz and do a NAT for the internet as in my previous post.

Jon

View solution in original post

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

The problem you have is that you are trying to assign 2 addresses from the same subnet to 2 different interfaces and you can't do that ie.

12.175.10.192 255.255.255.224 is the subnet and both 12.175.10.204 and 12.175.10.206 are both in that subnet.

So you need to use a different subnet for either the outside interface or more likely the dmz interface. You could use a subnet with private IP addressing for the dmz and then use NAT so they can be reached from outside eg.

static (dmz_ftp,outside) 12.175.10.207 192.168.5.10 netmask 255.255.255.255  where 192.168.5.10 is the address assigned to the server in the dmz.

The above is a common setup ie. the dmz servers use private IPs and then you NAT them.

Or you can split up the network ie. 255.255.255.224, you could split it 255.255.255.240 ie.

12.175.10.192 255.255.255.240

12.175.10.208 255.255.255.240

and then use one subnet for the outside and one for the dmz but you will lose some addresses because you have split up the subnet.

By the way, you should post these sort of questions into the firewalling thread in the future to get a quicker response.

Jon

Thanks Jon, I moved it over to the firewalling area.

OK so using the ASDM (that's how I'm configuring it), I can have one interface (int 0) dedicated to the "outside" vlan (Internet), then have two interfaces (int 1 and 2) dedicated to the "inside" vlan (local LAN).  Would that be a good way to go with it?  I want to only allow traffic from the FTP server to get to my NAS server on the local LAN for file sharing purposes.

Do you want the ftp server to be accessible from the internet ?

If so put the ftp server in the dmz and allow access to the inside NAS and also from the internet. You could use a private address for the ftp server in the dmz and do a NAT for the internet as in my previous post.

Jon

Since my last post I came to an understanding about how i needed to set up my interfaces the correct way. 

First off I did NOT need more then 1 interface to use the block of 30 ips.  I assigned the first IP in the block to interface 0/0 and any time I needed something else like my ftp server to be accessed on a different IP I had to do the following...

1) Set the FTP server's IP address to 10.50.5.3 then plug it into the ASA5505 on INTERFACE 0/2

2) Set up Int 0/0 (outside) with first IP in the block of 30 (EX: 12.175.10.204 / 255.255.255.224)

3) Set up Int 0/2 (dmz_ftp) with a subnet of 10.50.5.0/255.255.255.0

4) Set up a STATIC NAT Rule (Configuration->NAT)

     interface: dmz_ftp

     source: 10.50.5.3

     translated (interface): outside

     translated (Use IP address): 12.175.10.206

     Port Address Translation (PAT): ENABLE (checkbox)

     PAT (protocol): TCP

     PAT (orginal port): ftp (port 21)

     PAT (translated port): ftp (port 21)

5) Create an ACL (Security Policy Rule)

     interface: outside

     action: permit

     source: any

     destination: 12.175.10.206

     service: tcp/ftp (port 21)

Review Cisco Networking for a $25 gift card