
DMZ host in same subnet as non-DMZ hosts.


theeht (Technical User, joined Oct 21, 2002, CA)
Hello-

I'd like to know how one might create a secure interface on a router when the host in the DMZ is in the same subnet as non-DMZ hosts.

Since a picture in this case might be worth a thousand words:

Host 'C' is the host to be in the DMZ. Further subnetting isn't a choice for me. I have tried proxy ARP and unnumbered; neither is a solution, for different reasons.

I was thinking it would be nice to put both ints into a common vlan but still be able to apply access lists to each interface.

Look forward to hearing your ideas.

-g
Router config?

Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
There is nothing to show at the moment. I've moved host C back into network A and e2 is shut down. Currently I'm controlling access via access-lists, but of course that is not going to protect the other hosts in the same segment should host C be compromised.

As you can see from the diagram, the problem is that host C shares the same subnet length and network as the others. When host C wishes to establish a connection with the other hosts in the 'A' network it will ARP for them, as it believes it is in the same collision domain (of course this works the other way around too). The second issue is how one would number int e2: e1 has an IP of .214, with all the other hosts having it configured as the default gateway. I can only spare one more IP from my pool of 5. This is partially why I wanted to place e1 and e2 (if this is doable) in a VLAN and then create a virtual interface between the two, if that doesn't sound too ridiculous. I was thinking this might allow me to apply unique access lists to e1 and e2. Anyway, it seems like a bizarre setup to me and I wouldn't be surprised if it isn't possible. Thanks for taking a look at it anyway. The router, by the way, is connected to a 2924 switch.
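The limitation the poster describes, that a router access-list never sees traffic between host C and the network 'A' hosts because they share one subnet and ARP for each other directly, can be made concrete with a small model. The following is an added example, not code from the thread or any of its posters: it assumes a /29 (the thread only states that e1 is .214 and the pool is five addresses), uses placeholder addresses, and reduces the router's filtering to a single direction-agnostic rule list so the forwarding question stays in focus.

```python
"""Why a router ACL cannot isolate a DMZ host that shares a subnet with other hosts.

Constructed model of the topology described in the thread.  All addresses are
placeholders (the thread only gives e1 = .214 and a pool of five addresses, so
a /29 is assumed).  Each host decides per packet whether the destination is
on-link (ARP for it, deliver directly over the switch) or off-link (send it to
the default gateway).  Only off-link traffic ever passes the router, so only
that traffic can be matched by an interface access-list.
"""
import ipaddress

SEGMENT = ipaddress.ip_network("198.51.100.208/29")  # .209-.214 usable (assumed mask)
GATEWAY = ipaddress.ip_address("198.51.100.214")     # router e1, default gateway for all hosts
HOST_A1 = ipaddress.ip_address("198.51.100.209")     # non-DMZ host in network 'A'
HOST_A2 = ipaddress.ip_address("198.51.100.210")     # non-DMZ host in network 'A'
HOST_C = ipaddress.ip_address("198.51.100.213")      # the host meant to sit in the DMZ
OUTSIDE = ipaddress.ip_address("203.0.113.50")       # arbitrary Internet host

# Simplified router policy: (action, source net, destination net); first match
# wins and there is an implicit deny at the end.  For brevity the same list is
# applied to every packet the router forwards, whatever the interface/direction.
ROUTER_ACL = [
    ("deny", ipaddress.ip_network(f"{HOST_C}/32"), SEGMENT),                # C must not reach network A
    ("permit", SEGMENT, ipaddress.ip_network("0.0.0.0/0")),                  # A and C may go out
    ("permit", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network(f"{HOST_C}/32")),  # Internet may reach C
]


def host_forwarding_decision(src, dst, segment=SEGMENT):
    """What a host on the segment does with a packet: ARP for the destination and
    deliver it directly ('on-link'), or hand it to the default gateway ('off-link')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in segment:
        raise ValueError(f"{src} is not on {segment}")
    return "on-link" if dst in segment else "off-link"


def router_forwards(src, dst, segment=SEGMENT):
    """The router only handles a packet when exactly one endpoint is on the segment."""
    return (ipaddress.ip_address(src) in segment) != (ipaddress.ip_address(dst) in segment)


def acl_verdict(acl, src, dst):
    """First-match evaluation of the rule list, implicit deny if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def flow_outcome(src, dst, acl=ROUTER_ACL):
    """Return {'path': 'switched'|'routed', 'acl': verdict or None}.

    'acl' is None when the packet is switched directly on the shared VLAN and
    the router, and therefore its access-list, never sees it."""
    if not router_forwards(src, dst):
        return {"path": "switched", "acl": None}
    return {"path": "routed", "acl": acl_verdict(acl, src, dst)}


def unfiltered_pairs(dmz_host, other_hosts):
    """Pairs (dmz_host, other) whose traffic the router ACL cannot filter at all."""
    return [(str(dmz_host), str(h)) for h in other_hosts
            if flow_outcome(dmz_host, h)["acl"] is None]


if __name__ == "__main__":
    for src, dst in [(HOST_C, HOST_A1), (HOST_C, OUTSIDE), (OUTSIDE, HOST_C), (OUTSIDE, HOST_A1)]:
        print(f"{src} -> {dst}: {flow_outcome(src, dst)}")
    print("unfiltered by the router:", unfiltered_pairs(HOST_C, [HOST_A1, HOST_A2]))
```

The first rule in the list is the one the poster wants, and the model shows it is dead: a C-to-A1 packet is switched on the 2924 without touching e1, so the verdict is None rather than "deny". Only the flows with exactly one endpoint on the segment are routed and filtered, which is why the access-list protects the segment from the Internet but not the 'A' hosts from a compromised host C.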