ASA5510 DMZ Configuration

Answered Question
May 23rd, 2007

Hi all,

I've just purchased an ASA5510 w/IPS to replace my current firewall box. My ISP has given me a block of 30 IPs xx.xx.xx.yy/27. I've created 2 interfaces for LAN IP: 192.168.xx.yy and WAN: xx.xx.xx.yy (using one of the IPs from my block). PAT is used between the LAN and WAN interfaces and routing has been set up. The LAN can access the internet.

I want to now configure a DMZ interface that uses my public IP block without NATing... is this possible? When I try to add the DMZ interface with one of the IPs in my IP block I get the message "The IP Address xx.xx.xx.yy/27 cannot overlap with the subnet of the interface WAN." Any ideas? Ultimately, I would like to use the public IPs in the DMZ and have both the WAN and LAN be able to access the servers in the DMZ.

I've read some guides on DMZ but they all use private addresses in the DMZ to NAT to the public IPs. I don't want to go down this route if possible b/c there would be a number of changes required on our servers.

Thanks for your help in advance.

acomiskey Wed, 05/23/2007 - 08:50

The easiest thing to do would be to get a /30 for your outside interface, then use your whole /27 for your dmz.

EvolutionVI Wed, 05/23/2007 - 09:00

Hi acomiskey,

Thank you for your reply.

So there is no other way to set up both interfaces with the same block?

My ISP's response time and customer service are not the greatest, so if possible I would like to configure the box with what I have.

Thanks again for your reply.

EvolutionVI Fri, 05/25/2007 - 06:46

Would PAT work with transparent mode? I still need addresses to be translated for my internal workstations (300+) as I only have 30 or so real IPs. I have about 10 servers which are accessible by the public and I would like to put these in the DMZ.

Correct Answer
jean.l.pierre Fri, 05/25/2007 - 07:53

Hi!

The solution is to subnet (split in half) your 27-bit subnet. Then, if you want your DMZ physical machines with public IPs, use the NAT0 feature so they don't get NATted. You can't have IPs belonging to the same subnet on different interfaces (= network overlapping).

Example:

ISP global subnet - 196.65.65.0/27
Outside subnet - 196.65.65.0/28
DMZ subnet - 196.65.65.16/28
!
ip address inside 10.10.10.254 255.255.255.0
ip address outside 196.65.65.14 255.255.255.240
ip address dmz 196.65.65.30 255.255.255.240
!
nat (dmz) 0 196.65.65.16 255.255.255.240
nat (inside) 0 acl_nonat
!
access-list acl_nonat permit ip 10.10.10.0 255.255.255.0 196.65.65.16 255.255.255.240
!

Best regards,

JP
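As an added illustration (not part of JP's post): a small Python check, using the standard ipaddress module, that reproduces the ASA's overlap complaint, splits the /27 the way JP suggests, and picks the DMZ host's gateway. The interface addresses are the ones from this thread; the function names are my own.

```python
# Added example (not from the thread): models the ASA "cannot overlap" check,
# JP's split of the ISP /27 into two /28s, and the DMZ host's gateway choice.
import ipaddress
from typing import Dict, List, Tuple


def overlapping_interfaces(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted pairs of interface names whose connected subnets overlap.

    ifaces maps interface name -> "ip/prefix". Any overlapping pair is exactly
    what the ASA refuses with "cannot overlap with the subnet of the interface".
    """
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def split_block(block: str, new_prefix: int) -> List[str]:
    """Split an ISP block (here a /27) into equal subnets of the new prefix length."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def host_gateway(host: str, ifaces: Dict[str, str]) -> str:
    """A host's gateway is the ASA interface on its directly connected subnet,
    not the ISP router on the far side of the outside interface."""
    h = ipaddress.ip_interface(host)
    for addr in ifaces.values():
        i = ipaddress.ip_interface(addr)
        if h.network == i.network:
            return str(i.ip)
    raise ValueError(f"{host} is not on any configured interface subnet")


# Before the split: outside and dmz both carved from the whole /27 (overlaps).
BEFORE = {"inside": "10.10.10.254/24", "outside": "196.65.65.14/27", "dmz": "196.65.65.30/27"}
# After JP's split: outside on 196.65.65.0/28, dmz on 196.65.65.16/28.
AFTER = {"inside": "10.10.10.254/24", "outside": "196.65.65.14/28", "dmz": "196.65.65.30/28"}

if __name__ == "__main__":
    print("before:", overlapping_interfaces(BEFORE))   # [('dmz', 'outside')]
    print("split: ", split_block("196.65.65.0/27", 28))
    print("after: ", overlapping_interfaces(AFTER))    # []
    print("dmz host gateway:", host_gateway("196.65.65.18/28", AFTER))  # 196.65.65.30
```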

EvolutionVI Mon, 05/28/2007 - 08:00

Hi JP!

Thanks for your reply. I've applied your suggestion to my environment, but I'm having a problem with traffic DMZ>WAN and WAN>DMZ. Here's my config...

ip inside: 10.10.10.254 255.255.255.0
ip outside: 196.65.65.14 255.255.255.240
ip dmz: 196.65.65.30 255.255.255.240
access-list dmz_nat0_outbound extended permit ip 196.65.65.16 255.255.255.240 any
access-list outside_access_in extended permit icmp any 198.65.65.16 255.255.255.240
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
route outside 0.0.0.0 0.0.0.0 198.65.65.1 (the ISP's Gateway)

The machines on the inside can access the internet and DMZ... the machines in the DMZ cannot access the internet and the internet cannot ping the machines in the DMZ... I've tried to add another default route for the DMZ interface but it won't allow me, saying the route for that IP (0.0.0.0/0) exists already...

Also one more question for the machines in the DMZ... before, when I had the original subnet, the IP settings were 196.65.65.18 255.255.255.224, gateway 196.65.65.1 (ISP gateway)... now that I've split up the subnet I've changed the IP on the machine to 196.65.65.18 255.255.255.240; should the gateway be 196.65.65.1 (ISP gateway) or 196.65.65.30 (ASA DMZ interface)?

Thanks for your help in advance

jean.l.pierre Mon, 05/28/2007 - 14:24

Hi!

I think both WAN->DMZ and DMZ->WAN are related issues.

The ACL outside_access_in mentions network 198.65.65.16/28 but it should be 196.65.65.16/28?! Was it just a typing error or a misconfiguration? Also, the ISP gateway should be 196.65.65.1 and not 198.65.65.1/28?!

The gateway for your DMZ machine (196.65.65.18/28) should be the directly connected interface/IP subnet gateway, meaning 196.65.65.30/28.

Regards,

JP

EvolutionVI Tue, 05/29/2007 - 06:18

Hi JP!

Thanks for your reply. Yes, the 196 and 198 were typos in this post... I was looking at the management screen and mistyped on the computer I was posting on... my apologies.

inside ip: 10.10.10.254 255.255.255.0
outside ip: 196.65.65.14 255.255.255.240
dmz ip: 196.65.65.30 255.255.255.240
access-list outside_access_in extended permit tcp any host 196.65.65.18 eq 3389
access-list outside_access_in extended permit icmp any 196.65.65.16 255.255.255.240 echo
access-list dmz_access_in extended permit icmp any 10.10.10.254 255.255.255.0 echo-reply
access-list dmz_access_in extended deny ip any 10.10.10.254 255.255.255.0
access-list dmz_access_in extended permit ip any any
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.10.254 255.255.255.0
static (dmz,outside) 196.65.65.18 196.65.65.18 netmask 255.255.255.240
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 196.65.65.1 1

* 196.65.65.1 is the ISP gateway...

I added in a static (dmz,outside) NAT for 196.65.65.18 to 196.65.65.18 for my machine in the DMZ and that seemed to work... I can get traffic from DMZ->WAN and WAN->DMZ...

Thanks a lot for your help and suggestions... greatly appreciated. I am somewhat functional now...

One last question... from the inside I can't seem to receive echo-replies (eg: from www.google.ca), but from the machine in the DMZ I can... any ideas?

Correct Answer
acomiskey Tue, 05/29/2007 - 06:25

You aren't allowing echo-reply in your outside acl like you are in your dmz acl.

access-list outside_access_in extended permit icmp any 196.65.65.16 255.255.255.240 echo

access-list dmz_access_in extended permit icmp any 10.10.10.254 255.255.255.0 echo-reply

EvolutionVI Tue, 05/29/2007 - 06:41

Hi acomiskey,

Thanks! now it is working!

But how come I have to specify the outside IP rather than the inside subnet?

access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.0 echo-reply

The above doesn't work... but the following works?

access-list outside_access_in extended permit icmp any interface outside echo-reply

acomiskey Tue, 05/29/2007 - 06:45

You use the address associated with the interface where the ACL is applied. If it's applied to the outside interface then you use the outside address, as this is where the replies are destined. The ACL is checked before the translation takes place.
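An added example (not from acomiskey's post) that models this pre-translation order on the 7.x code in this thread: the inbound ACL on outside sees the reply's destination as the outside interface address, and only a permitted packet is then untranslated to the inside host. The inside host 10.10.10.5 and the one-entry PAT table are constructed stand-ins (a real PAT entry is also keyed by port/ICMP id), and the class and function names are my own.

```python
# Added example (not from the thread): minimal model of the pre-8.3 ASA order
# acomiskey describes. An inbound ACL on "outside" is evaluated on the packet as
# it arrives (destination = PAT address); only then is it untranslated.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp", ...
    dst: str                         # destination in CIDR form
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None matches any type

@dataclass
class Packet:
    proto: str
    dst: str
    icmp_type: Optional[str] = None

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First-match evaluation, with the ASA's implicit deny at the end."""
    dst = ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if dst not in ipaddress.ip_network(ace.dst):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action == "permit"
    return False

def inbound_outside(acl: List[Ace], pkt: Packet, pat: Dict[str, str]) -> Optional[str]:
    """Inbound processing on outside: ACL first (wire addresses), then untranslate.
    Returns the real destination host, or None if the ACL dropped the packet.
    pat is a constructed stand-in; a real PAT entry is also keyed by port/ICMP id."""
    if not acl_permits(acl, pkt):
        return None
    return pat.get(pkt.dst, pkt.dst)

OUTSIDE_IF = "196.65.65.14"
PAT = {OUTSIDE_IF: "10.10.10.5"}                   # constructed inside host behind PAT
REPLY = Packet("icmp", OUTSIDE_IF, "echo-reply")   # echo-reply arriving from the internet
# The ACE on the inside subnet never matches: the reply's destination is still
# the outside interface address when the ACL runs.
INSIDE_SUBNET_ACL = [Ace("permit", "icmp", "10.10.10.0/24", "echo-reply")]
OUTSIDE_IF_ACL = [Ace("permit", "icmp", OUTSIDE_IF + "/32", "echo-reply")]
```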
