07-19-2011 10:33 AM - edited 03-11-2019 02:00 PM
OK well I want my block of IPs (30 IPs) to be used on two different interfaces. That's possible right?
For example I have three vlans total...
"inside" vlan - 10.50.1.x
"outside" vlan - 12.175.10.204
"dmz_ftp" vlan - 12.175.10.206
Note: both the "outside" and "dmz_ftp" vlans/interfaces have a subnet of 255.255.255.224
When I try to use those values the ASDM throws the following error:
"The IP address, ..., cannot overlap with the subnet of interface ..."
So my question is, how do I get past the error that the ASDM throws at me?
07-19-2011 02:05 PM
The problem you have is that you are trying to assign 2 addresses from the same subnet to 2 different interfaces and you can't do that ie.
12.175.10.192 255.255.255.224 is the subnet and 12.175.10.204 and 12.175.10.206 are both in that subnet.
So you need to use a different subnet for either the outside interface or more likely the dmz interface. You could use a subnet with private IP addressing for the dmz and then use NAT so they can be reached from outside eg.
static (dmz_ftp,outside) 12.175.10.207 192.168.5.10 netmask 255.255.255.255 where 192.168.5.10 is the address assigned to the server in the dmz.
The above is a common setup ie. the dmz servers use private IPs and then you NAT them.
Or you can split up the network ie. 255.255.255.224, you could split it 255.255.255.240 ie.
12.175.10.192 255.255.255.240
12.175.10.208 255.255.255.240
and then use one subnet for the outside and one for the dmz but you will lose some addresses because you have split up the subnet.
By the way, you should post these sorts of questions into the firewalling thread in the future to get a quicker response.
Jon
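An added example (not part of the original thread): the subnet-overlap rule behind the ASDM error and the /28 split from the reply above, checked with Python's ipaddress module. The function names and the 12.175.10.209 address are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Interface addresses and masks as given in the question.
AS_POSTED = {
    "outside": ("12.175.10.204", "255.255.255.224"),
    "dmz_ftp": ("12.175.10.206", "255.255.255.224"),
}

def find_overlaps(interfaces):
    """Return (name_a, name_b, network) for each pair of interfaces whose
    connected subnets overlap, which is the condition ASDM refuses."""
    nets = {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in interfaces.items()}
    return [(a, b, nets[a]) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def split_block(block, new_prefix):
    """Split a block into equal subnets; also return how many usable host
    addresses are lost to the extra network/broadcast addresses."""
    parent = ipaddress.ip_network(block)
    subnets = list(parent.subnets(new_prefix=new_prefix))
    usable = lambda net: net.num_addresses - 2
    return subnets, usable(parent) - sum(usable(s) for s in subnets)

if __name__ == "__main__":
    print("as posted:", find_overlaps(AS_POSTED))
    subnets, lost = split_block("12.175.10.192/27", 28)
    print("split:", [str(s) for s in subnets], "usable addresses lost:", lost)
    # Changing only the mask is not enough: .204 and .206 share the first /28.
    mask_only = {n: (ip, "255.255.255.240") for n, (ip, _) in AS_POSTED.items()}
    print("mask changed only:", find_overlaps(mask_only))
    # 12.175.10.209 is a constructed address from the second /28.
    fixed = dict(mask_only, dmz_ftp=("12.175.10.209", "255.255.255.240"))
    print("dmz moved to second /28:", find_overlaps(fixed))
```

With the split, the two addresses from the question still land in the same /28, so one interface has to take an address from 12.175.10.208/28 before the overlap goes away.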
07-19-2011 02:34 PM
Thanks Jon, I moved it over to the firewalling area.
OK so using the ASDM (that's how I'm configuring it), I can have one interface (int 0) dedicated to the "outside" vlan (Internet), then have two interfaces (int 1 and 2) dedicated to the "inside" vlan (local LAN). Would that be a good way to go with it? I want to only allow traffic from the FTP server to get to my NAS server on the local LAN for file sharing purposes.
07-19-2011 03:14 PM
Do you want the ftp server to be accessible from the internet?
If so put the ftp server in the dmz and allow access to the inside NAS and also from the internet. You could use a private address for the ftp server in the dmz and do a NAT for the internet as in my previous post.
Jon
08-11-2011 11:10 AM
Since my last post I came to an understanding about how I needed to set up my interfaces the correct way.
First off I did NOT need more than 1 interface to use the block of 30 IPs. I assigned the first IP in the block to interface 0/0 and any time I needed something else like my ftp server to be accessed on a different IP I had to do the following...
1) Set the FTP server's IP address to 10.50.5.3 then plug it into the ASA5505 on INTERFACE 0/2
2) Set up Int 0/0 (outside) with first IP in the block of 30 (EX: 12.175.10.204 / 255.255.255.224)
3) Set up Int 0/2 (dmz_ftp) with a subnet of 10.50.5.0/255.255.255.0
4) Set up a STATIC NAT Rule (Configuration->NAT)
interface: dmz_ftp
source: 10.50.5.3
translated (interface): outside
translated (Use IP address): 12.175.10.206
Port Address Translation (PAT): ENABLE (checkbox)
PAT (protocol): TCP
PAT (original port): ftp (port 21)
PAT (translated port): ftp (port 21)
5) Create an ACL (Security Policy Rule)
interface: outside
action: permit
source: any
destination: 12.175.10.206
service: tcp/ftp (port 21)