
Migrating Subnet to New Firewall

EvolutionVI
Level 1

Hi All,

I just purchased a new ASA5510 to replace our old firewall. With help from experts in the forum, the device is configured to have inside, outside and DMZ interfaces. Now here's my question: how should I subnet my IP block?

My ISP has given me a block of IPs x.x.x.32/27. In my current setup the ISP gateway is x.x.x.33/27, my old firewall gateway is on x.x.x.34/27, and two VPN gateways are on x.x.x.37 and x.x.x.40/27. My three gateways are running in parallel. I have 2 machines set up with one-to-one NAT to provide web services on x.x.x.35/27 and x.x.x.36/27. I have a DMZ set up with x.x.x.55/27 to x.x.x.62/27.

I was thinking of having the first x.x.x.32/29 block for the devices running parallel to the new firewall, the second x.x.x.40/29 block for my outside interface (and one-to-one NATs) and the last block of x.x.x.48/28 for my DMZ interface. Does this sound OK?

If I proceed with the config, what IPs would I assign to the devices running in parallel? For example, if I choose to give the x.x.x.35 IP to my VPN gateway, would I assign it the x.x.x.35/27 or x.x.x.35/29 IP?

Thanks for your reply.


Jon Marshall
Hall of Fame

Hi

1) Your addressing scheme is fine. Bear in mind that you could just use a private IP address range for your DMZ and just set up static translations using some of your public IP addresses.

There is nothing wrong with breaking up your /27 subnet into 3 x /29, but you keep losing addresses this way as the network and broadcast addresses are not usable. But if you have enough public addresses then fine.

2) You will need to use the /29 subnet mask otherwise the route lookups could go wrong.

HTH

Jon
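
Added example (not part of the original thread): a Python check of the /29, /29, /28 split proposed in the question, using the documentation prefix 203.0.113.32/27 as a constructed stand-in for the redacted x.x.x.32/27. It counts usable addresses before and after the split, places each address the question lists into its new segment, and shows how a device left on a /27 mask treats another segment as directly attached. The function names and role labels are assumptions.

```python
import ipaddress

# Constructed stand-in: 203.0.113.32/27 (documentation range) replaces the
# thread's redacted x.x.x.32/27 block.
BLOCK = ipaddress.ip_network("203.0.113.32/27")
PLAN = {
    "parallel": ipaddress.ip_network("203.0.113.32/29"),
    "outside": ipaddress.ip_network("203.0.113.40/29"),
    "dmz": ipaddress.ip_network("203.0.113.48/28"),
}
# Last octets of the addresses the question lists as currently in use.
IN_USE = {33: "ISP gateway", 34: "old firewall", 35: "web NAT", 36: "web NAT",
          37: "VPN gateway", 40: "VPN gateway", 55: "DMZ first", 62: "DMZ last"}


def usable_hosts(net):
    """Addresses left after removing the network and broadcast address."""
    return net.num_addresses - 2


def classify(last_octet):
    """Return (segment, status) for an address under the proposed plan."""
    addr = BLOCK.network_address + (last_octet - 32)
    for name, net in PLAN.items():
        if addr in net:
            if addr == net.network_address:
                return name, "network address"
            if addr == net.broadcast_address:
                return name, "broadcast address"
            return name, "host"
    return None, "outside plan"


def on_link(interface, target):
    """True if a device with this address/mask sees target as directly attached."""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(interface).network


if __name__ == "__main__":
    print("usable before:", usable_hosts(BLOCK),
          "after:", sum(usable_hosts(n) for n in PLAN.values()))
    for octet, role in sorted(IN_USE.items()):
        print(f".{octet:<3} {role:<13} -> {classify(octet)}")
    # A /27 mask left on a device in the first block makes DMZ hosts look local.
    print(on_link("203.0.113.35/27", "203.0.113.50"),
          on_link("203.0.113.35/29", "203.0.113.50"))
```

Any address reported as a network or broadcast address has to be renumbered before the cutover, and every device in a segment needs the segment's own mask so that traffic for the other segments is sent to a gateway rather than resolved locally.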

Hi Jon,

Thanks for your reply.

Does this look right? Or should I be putting the 3 perimeter devices and the machines with one to one NAT (inside, outside) on the same subnet?

EDIT: the IP for VPN-1 should be 111.111.111.35/29

Any suggestions for the above diagram?

Thanks for your help in advance.
