Migrating Subnet to New Firewall

Unanswered Question
Jun 4th, 2007

Hi All,


I just purchased a new ASA5510 to replace our old firewall. With help from experts in the forum, the device is configured with inside, outside and DMZ interfaces. Now here's my question: how should I subnet my IP block?


My ISP has given me a block of IPs, x.x.x.32/27. In my current setup the ISP gateway is x.x.x.33/27, my old firewall gateway is on x.x.x.34/27, and two VPN gateways are on x.x.x.37 and x.x.x.40/27. My three gateways are running in parallel. I have two machines set up with one-to-one NAT to provide web services on x.x.x.35/27 and x.x.x.36/27. I have a DMZ set up with x.x.x.55/27 to x.x.x.62/27.


I was thinking of having the first x.x.x.32/29 block for the devices running in parallel to the new firewall, the second x.x.x.40/29 block for my outside interface (and one-to-one NATs), and the last block of x.x.x.48/28 for my DMZ interface. Does this sound OK?


If I proceed with the config, what IPs would I assign to the devices running in parallel? For example, if I choose to give the x.x.x.35 IP to my VPN gateway, would I assign it x.x.x.35/27 or x.x.x.35/29?


Thanks for your reply.

Jon Marshall Tue, 06/05/2007 - 00:07

Hi


1) Your addressing scheme is fine. Bear in mind that you could just use a private IP address range for your DMZ and set up static translations using some of your public IP addresses.

There is nothing wrong with breaking up your /27 subnet into 3 x /29, but you keep losing addresses this way, as the network and broadcast addresses are not usable. But if you have enough public addresses, then fine.


2) You will need to use the /29 subnet mask otherwise the route lookups could go wrong.


HTH


Jon


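A worked check of the addressing plan from the original question and of Jon's point about using the /29 mask. This is an added example, not code from either poster: it uses the RFC 5737 documentation range 203.0.113.0/24 in place of the thread's x.x.x (an assumption), and the function names are mine. It carves the /27 into the proposed /29, /29, /28 pieces, counts the addresses lost to network/broadcast reservations, and shows why a parallel device configured with the old /27 mask would treat DMZ addresses as directly connected instead of routing them through the ASA.

```python
import ipaddress

# Constructed example: the thread writes the ISP block as x.x.x.32/27.
# 203.0.113.0/24 (RFC 5737 documentation space) stands in for x.x.x here;
# that substitution is an assumption, not something from the thread.
ISP_BLOCK = ipaddress.ip_network("203.0.113.32/27")


def carve(block, prefixlens):
    """Split `block` into consecutive subnets with the given prefix lengths, in order.

    Raises ValueError if a piece would not start on its own network boundary
    (for example a /28 placed at .40) or if the pieces do not exactly fill the block.
    """
    subnets = []
    cursor = block.network_address
    for plen in prefixlens:
        net = ipaddress.ip_network(f"{cursor}/{plen}", strict=False)
        # strict=False masks off host bits; if that moved the network address,
        # the piece is misaligned and would overlap the previous one.
        if net.network_address != cursor or not net.subnet_of(block):
            raise ValueError(f"{cursor}/{plen} does not fit cleanly inside {block}")
        subnets.append(net)
        cursor = net.broadcast_address + 1
    if cursor - 1 != block.broadcast_address:
        raise ValueError("prefix lengths do not cover the block exactly")
    return subnets


def usable_hosts(net):
    """Host addresses left after reserving the network and broadcast addresses."""
    return net.num_addresses - 2


def usable_total(subnets):
    return sum(usable_hosts(n) for n in subnets)


def on_link(host_ip, prefixlen, target_ip):
    """Would a host configured as host_ip/prefixlen treat target_ip as directly connected?

    If it does, it ARPs for the target on its own segment instead of forwarding
    the packet to its default gateway, so the packet never reaches the ASA.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    return ipaddress.ip_address(target_ip) in iface.network


def plan():
    """The plan proposed in the thread: two /29s followed by a /28, carved from the /27."""
    return carve(ISP_BLOCK, [29, 29, 28])


if __name__ == "__main__":
    pieces = plan()
    for net in pieces:
        print(f"{net}: network {net.network_address}, broadcast {net.broadcast_address}, "
              f"{usable_hosts(net)} usable")
    print(f"usable as one /27: {usable_hosts(ISP_BLOCK)}, "
          f"usable after carving: {usable_total(pieces)}")
    # VPN-1 is .35 in the first /29; .55 is a DMZ address in the /28 behind the ASA.
    for plen in (27, 29):
        print(f"VPN-1 with /{plen} mask sees .55 as on-link: "
              f"{on_link('203.0.113.35', plen, '203.0.113.55')}")
```

Running it shows the plan costs four addresses (30 usable in the flat /27 versus 26 across the three pieces), which is the loss Jon describes. The `on_link` check is the route-lookup problem: with the old /27 mask, VPN-1 at .35 believes .55 is on its own segment and ARPs for it rather than sending the packet to the ASA, so the DMZ is unreachable from it; with /29 the same host correctly forwards .55 to its gateway while still seeing the ISP router at .33 as a neighbour.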

EvolutionVI Wed, 06/06/2007 - 11:29

Hi Jon,


Thanks for your reply.


Does this look right? Or should I be putting the three perimeter devices and the machines with one-to-one NAT (inside, outside) on the same subnet?


EDIT: the IP for VPN-1 should be 111.111.111.35/29



EvolutionVI Mon, 06/11/2007 - 12:11

Any suggestions for the above diagram?


Thanks for your help in advance.
