Depending on the IPs you are using today, you may not have to re-IP at all. You can further split out the external subnet so it is as low as a /30. The example I gave above is very simple, but here is a more creative way:

external: 64.1.1.0/30 (use addresses .1 and .2 for the transit link)
dmz: 64.1.1.0/24 (you can use any address within the range of .5 - .254 for servers and the interface)
internal: 192.168.1.0/24

The reason this works is because standard IP routing will always use the more specific route in the routing table, so it's possible to overlap your subnets like this. I tried configuring this on a PAN box and the config passed validation, though I have not tried committing it. I believe it will work. If not, then you could further break down the subnets until you get what you need.

You can get more creative with the subnetting, too, for example if the ISP's next hop is .254 instead of .1 or .2, then do the same thing - just put two small subnets on the external address (.0/30 and .252/30) and leave the /24 on the dmz.

There's nothing wrong with configuring NAT in this situation, but you may not need to do that to accomplish your goal.

Cheers,
Kelly
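The longest-prefix rule the post relies on, modelled as an added example (not part of the original post and not PAN-OS configuration). The function names and the `VARIANT` table for the ".254 next hop" case are assumptions made for illustration; the code models only the route-selection rule, not whether a firewall accepts the commit.

```python
import ipaddress

# Connected routes from the post's overlapping layout (zone names as in the post).
ROUTES = {
    "external": ["64.1.1.0/30"],
    "dmz": ["64.1.1.0/24"],
    "internal": ["192.168.1.0/24"],
}
# Assumed variant from the post: ISP next hop is .254, two /30s on external.
VARIANT = {
    "external": ["64.1.1.0/30", "64.1.1.252/30"],
    "dmz": ["64.1.1.0/24"],
    "internal": ["192.168.1.0/24"],
}

def build_table(routes):
    """Flatten {zone: [prefix, ...]} into (network, zone) pairs."""
    return [(ipaddress.ip_network(p), zone)
            for zone, prefixes in routes.items() for p in prefixes]

def lookup(table, addr):
    """Longest-prefix match: the most specific containing route wins."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, zone) for net, zone in table if ip in net]
    if not matches:
        return None  # no connected route covers this address
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def shadowed(table, zone):
    """Addresses inside `zone`'s prefixes that a more specific route
    belonging to another zone captures instead."""
    lost = []
    for net, z in table:
        if z != zone:
            continue
        for other, oz in table:
            if oz != zone and other.prefixlen > net.prefixlen \
                    and other.subnet_of(net):
                lost.extend(str(a) for a in other)
    return lost

if __name__ == "__main__":
    table = build_table(ROUTES)
    for a in ("64.1.1.2", "64.1.1.5", "64.1.1.254", "192.168.1.10"):
        print(a, "->", lookup(table, a))
    # DMZ hosts must never be numbered from this list.
    print("unusable in dmz:", shadowed(table, "dmz"))
```

A server addressed from the shadowed list would be forwarded toward the external interface rather than the dmz, which is why the post restricts dmz hosts to the range outside the /30.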