I've just purchased an ASA5510 w/IPS to replace my current firewall box. My ISP has given me a block of 30 IPs xx.xx.xx.yy/27. I've created 2 interfaces for LAN IP: 192.168.xx.yy and WAN: xx.xx.xx.yy (using one of the IPs from my block). PAT is used between the LAN and WAN interfaces and routing has been set up. The LAN can access the internet.
I want to now configure a DMZ interface that uses my public IP block without NATing... is this possible? When I try to add the DMZ interface with one of the IPs in my IP block I get the message "The IP Address xx.xx.xx.yy/27 cannot overlap with the subnet of the interface WAN." Any ideas? Ultimately, I would like to use the public IPs in the DMZ and have both the WAN and LAN be able to access the servers in the DMZ.
I've read some guides on DMZ but they all use private addresses in the DMZ to NAT to the public IPs. I don't want to go down this route if possible because there would be a number of changes required on our servers.
Thanks for your help in advance.
You aren't allowing echo-reply in your outside acl like you are in your dmz acl.
access-list outside_access_in extended permit icmp any 22.214.171.124 255.255.255.240 echo
access-list dmz_access_in extended permit icmp any 10.10.10.254 255.255.255.0 echo-reply
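As an added example (not part of either reply), the following Python lint reproduces the check the reply above makes by eye: it parses ICMP entries from constructed ASA access-list lines and reports every ACL that permits echo without also permitting echo-reply. The ACL names and addresses are constructed for the example; the parser assumes the ICMP type is the last token of the line.

```python
# Lint ASA access-list lines for the echo / echo-reply asymmetry
# described in the reply above. Constructed sample lines, not the
# poster's real configuration.

SAMPLE_ACLS = [
    "access-list outside_access_in extended permit icmp any 203.0.113.0 255.255.255.240 echo",
    "access-list dmz_access_in extended permit icmp any 10.10.10.0 255.255.255.0 echo-reply",
    "access-list dmz_access_in extended permit icmp any 10.10.10.0 255.255.255.0 echo",
    "access-list dmz_access_in extended permit tcp any host 10.10.10.10 eq www",
]


def icmp_types_by_acl(lines):
    """Map ACL name -> set of ICMP types it permits.

    Only 'extended permit icmp' entries are considered; the ICMP type is
    assumed to be the last token (true for the lines in this thread).
    """
    types = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        if tok[2:5] != ["extended", "permit", "icmp"]:
            continue
        types.setdefault(tok[1], set()).add(tok[-1])
    return types


def acls_missing_echo_reply(lines):
    """Return ACL names that allow echo but never echo-reply.

    A ping initiated from the far side of such an interface can reach the
    host, but the reply has no matching permit on the return path.
    """
    return sorted(
        name
        for name, icmp in icmp_types_by_acl(lines).items()
        if "echo" in icmp and "echo-reply" not in icmp
    )


if __name__ == "__main__":
    for name in acls_missing_echo_reply(SAMPLE_ACLS):
        print(f"{name}: permits echo but not echo-reply")
```

Run against the constructed lines it flags only outside_access_in, which is the gap the reply points out.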
The solution is to subnet (split in half) your /27 subnet. Then, if you want your DMZ physical machines with public IPs, use the NAT0 feature so they don't get NATed. You can't have IPs belonging to the same subnet on different interfaces (= network overlapping).
ISP global subnet - 126.96.36.199/27
Outside subnet - 188.8.131.52/28
DMZ subnet - 184.108.40.206/28
ip address inside 10.10.10.254 255.255.255.0
ip address outside 220.127.116.11 255.255.255.240
ip address dmz 18.104.22.168 255.255.255.240
nat (dmz) 0 22.214.171.124 255.255.255.240
nat (inside) 0 access-list acl_nonat
access-list acl_nonat permit ip 10.10.10.0 255.255.255.0 126.96.36.199 255.255.255.240
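As an added example, not code from the reply above, here is a small Python planner for the approach it describes: it reproduces the ASA's "cannot overlap" interface check that the original poster hit, splits the ISP /27 into two /28s, assigns one half to the outside interface and the other to the DMZ, and emits the matching interface, NAT-exemption and nonat-ACL lines. The ISP block (203.0.113.0/27, TEST-NET-3) and the inside LAN (10.10.10.0/24) are constructed values; the host offsets chosen for the interface addresses are assumptions, not anything the thread specifies.

```python
import ipaddress
from itertools import combinations

# Constructed values: TEST-NET-3 stands in for the ISP's /27 block and
# 10.10.10.0/24 for the inside LAN (matching the reply's inside subnet).
ISP_BLOCK = "203.0.113.0/27"
INSIDE_NET = "10.10.10.0/24"


def overlapping_interfaces(interfaces):
    """Return name pairs whose interface subnets overlap.

    The ASA rejects an interface address whose subnet overlaps another
    interface's subnet, which is exactly the error in the question; this
    lets the plan be validated before it is typed into the box.
    """
    nets = {name: ipaddress.ip_interface(a).network for name, a in interfaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def split_block(block, new_prefix=28):
    """Split the ISP block into equal halves (a /27 becomes two /28s)."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def plan_dmz(isp_block, inside_net, outside_host=1, dmz_host=1):
    """Build the public-IP DMZ plan from the reply above.

    First /28 -> outside interface, second /28 -> DMZ interface. DMZ hosts
    keep their public addresses because nat 0 exempts the whole DMZ subnet,
    and inside->DMZ traffic is exempted through the nonat ACL. Host offsets
    for the interface addresses are an assumption of this example.
    """
    outside_net, dmz_net = (ipaddress.ip_network(s) for s in split_block(isp_block))
    inside = ipaddress.ip_network(inside_net)
    inside_ip = inside[-2]            # last usable host, as in the reply
    outside_ip = outside_net[outside_host]
    dmz_ip = dmz_net[dmz_host]
    interfaces = {
        "inside": f"{inside_ip}/{inside.prefixlen}",
        "outside": f"{outside_ip}/{outside_net.prefixlen}",
        "dmz": f"{dmz_ip}/{dmz_net.prefixlen}",
    }
    config = [
        f"ip address inside {inside_ip} {inside.netmask}",
        f"ip address outside {outside_ip} {outside_net.netmask}",
        f"ip address dmz {dmz_ip} {dmz_net.netmask}",
        f"nat (dmz) 0 {dmz_net.network_address} {dmz_net.netmask}",
        "nat (inside) 0 access-list acl_nonat",
        f"access-list acl_nonat permit ip {inside.network_address} {inside.netmask} "
        f"{dmz_net.network_address} {dmz_net.netmask}",
    ]
    return {
        "interfaces": interfaces,
        "overlaps": overlapping_interfaces(interfaces),
        "config": config,
    }


if __name__ == "__main__":
    # The poster's original attempt: outside and DMZ both inside the /27.
    print("overlap before split:", overlapping_interfaces(
        {"outside": "203.0.113.2/27", "dmz": "203.0.113.3/27"}))
    plan = plan_dmz(ISP_BLOCK, INSIDE_NET)
    print("overlap after split:", plan["overlaps"])
    print("\n".join(plan["config"]))
```

The planner only checks what the reply asks for (no overlapping interface subnets, DMZ kept out of NAT); the interface ACLs that actually allow WAN and LAN hosts to reach the DMZ servers still have to be written separately.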