I am currently configuring a 5510 ASA to replace an aging Sonicwall. As part of this process, I am setting up a DMZ. Right now I am configuring Interface 0 pointing to external, Interface 1 pointing to the DMZ, and Interface 2 pointing to internal.
Interfaces 0 and 2 are working without problem, however when attempting to configure Interface 1 to point to the DMZ switch, I receive an error about overlapping subnets.
Now, I am aware of the probable cause of this. When the admin previous to me purchased the 5510, they did NOT purchase the Security Plus license. In the long term, my organization will be purchasing this license and we will be able to configure the ASA directly with more options.
However, as I am conducting a server move project tonight I will need an interim solution. My plan is to do the following:
1. Hook up the ASA with Interface 0 going directly to the 2851 and Interface 2 going to our internal network.
2. Hook up the 2851 with one interface going to the ASA and one going to the DMZ switch.
Will I need to use ip subnet-zero to avoid the overlapping subnets error on the 2851?
How will NAT/PAT need to be configured in this case?
ip subnet-zero has nothing to do with overlapping subnets. The only way you could use the same subnet on 2 interfaces is by bridging the traffic or using ip unnumbered. I'll give the second solution a try in my lab tomorrow.
If I understand correctly, you are using a private address range in your DMZ and your DMZ is connected to your external router (the 2851). If this is the case you will need to do some NAT on the external router.
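For readers wanting to see what "NAT on the external router" looks like in practice, here is an added IOS configuration sketch for the 2851 in the interim topology described above (the ASA's outside interface on one router port, the DMZ switch on another, an upstream WAN port). It is not from any of the posters and not a tested production config: interface names, all addresses, the internal range (10.0.0.0/8) and the DMZ server (172.16.10.10) are constructed placeholders. It PATs the private DMZ range out of the WAN address, adds one static translation for a published service, and puts an inbound ACL on the DMZ port so DMZ hosts cannot initiate traffic towards the internal range, since in this layout DMZ-to-Internet traffic never passes through the ASA.

```text
! Added example (constructed, not from the thread). Replace every address and
! interface name with your own; the 2851 interface names depend on the HWICs fitted.
!
interface GigabitEthernet0/0
 description WAN uplink - NAT outside
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to ASA Interface 0 (outside); existing ASA NAT left unchanged
 ip address 198.51.100.1 255.255.255.252
!
interface FastEthernet0/1/0
 description Link to DMZ switch - NAT inside
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
! Internal network lives behind the ASA; 10.0.0.0/8 is a placeholder for it.
ip route 10.0.0.0 255.0.0.0 198.51.100.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! DMZ hosts may reach the Internet but may not initiate sessions into the LAN.
! Anything the internal side needs from the DMZ is then allowed on the ASA, where
! it is inspected, rather than here.
ip access-list extended DMZ-IN
 deny   ip 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.10.0 0.0.0.255 198.51.100.0 0.0.0.3
 permit ip 172.16.10.0 0.0.0.255 any
!
! Only the DMZ range is eligible for PAT out of the WAN address.
ip access-list standard DMZ-NAT
 permit 172.16.10.0 0.0.0.255
!
ip nat inside source list DMZ-NAT interface GigabitEthernet0/0 overload
!
! Static port translation for a DMZ web server published on a spare public IP.
ip nat inside source static tcp 172.16.10.10 443 203.0.113.3 443 extendable
!
! Checks after cut-over:
!   show ip nat translations     - PAT entries for 172.16.10.x should appear
!   show access-lists DMZ-IN     - deny counters show any DMZ host probing the LAN
```

Note what this does and does not give you: the 2851 is a stateless packet filter plus NAT, so the ACL only stops DMZ-originated sessions; it does not replace the ASA's stateful inspection for the DMZ, which is why the interim layout should be treated as temporary until the Security Plus license allows the DMZ to be moved back onto ASA Interface 1.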
I'm not sure how you would host 2 DMZs with a shared subnet over multiple physical interfaces and still maintain your traffic inspection requirements. If you can, subnet the shared network to create 2 unique subnets for the DMZ and internal systems.