
Ethernet configuration changes for DMZ - urgent 1

Status
Not open for further replies.

pjchooch

Technical User
Feb 8, 2002
1
US
I am in the process of adding a DMZ to our firewall. We own a class C, and have split it in half for untrusted (x.y.z.1-128) and DMZ (x.y.z.129-255). My router (Cisco 4500) is at x.y.z.1.

I was told by the Firewall guy (outside vendor) that I need to change the subnet mask on the router to 255.255.255.128 (to match the firewall), and to add a new route for the DMZ (x.y.z.128 255.255.255.128 x.y.z.3) (the .3 is the untrusted address of the firewall).

How do I do this? I'm accessing the router via a terminal connection. I have figured out this much:
Router> enable
Router# copy running-config startup-config
Router# configure
Router(config)#

I assume I change the subnet mask with:
Router(config)# ip address x.y.z.1 255.255.255.128

But how do I add a new route and specify the default gateway?

Any help would be most appreciated.
Paul
 
Adding a default route is called adding a "gateway of last resort". To do this you enter the following command:

Router(config)#ip route 0.0.0.0 0.0.0.0 x.x.x.x
(where x.x.x.x is the ip address of the next hop, which is the next router that you want to send the packet to)

Adding a new static route is done as follows:

Router(config)# ip route x.x.x.x y.y.y.y z.z.z.z

where x.x.x.x is the network that you want to reach
y.y.y.y is the subnet mask of the remote network
z.z.z.z is the ip address of the router that you want to send the packet to.

Hope this helps,

Greg
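Putting the two commands from this answer together with the addressing in the question, as an added IOS session that is not from either poster; the interface name Ethernet0 and the ISP next-hop placeholder are assumptions, and the `ip address` command has to be entered under the interface, not at the global `(config)#` prompt:

```cisco
Router> enable
Router# configure terminal
! Narrow the inside interface to the /25 the firewall uses (interface name is assumed)
Router(config)# interface Ethernet0
Router(config-if)# ip address x.y.z.1 255.255.255.128
Router(config-if)# exit
! Static route for the DMZ half of the class C, next hop is the firewall's untrusted address
Router(config)# ip route x.y.z.128 255.255.255.128 x.y.z.3
! Gateway of last resort: everything else goes to the ISP router (placeholder address)
Router(config)# ip route 0.0.0.0 0.0.0.0 ISP-NEXT-HOP
Router(config)# end
! Confirm the DMZ route and the default route before saving
Router# show ip route
Router# copy running-config startup-config
```

In `show ip route`, the DMZ entry should appear as an `S` (static) route via x.y.z.3 and the last line should read "Gateway of last resort is ISP-NEXT-HOP to network 0.0.0.0".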
 
You may also want to investigate using NAT (network address translation) in the router connecting your network to the Internet. This will allow you to use a class A or B private addressing scheme inside your network (also called a stub domain) which will be translated to globally routable addresses when they connect to the Internet.

Depending on how many hosts you need in your DMZ, you can use a few of the globally routable addresses that you got from your ISP for those hosts, and use just a couple more in your NAT pool, using port overloading.

To find out more about this go to and search on NAT. There is also a very good white paper on NAT at if you go there and search on NAT.

Hope this helps,

Greg
 