Currently I have a single Cat5 feed from my ISP and that includes a single IP range, call it 220.127.116.11/24.
Currently I have a crappy WatchGuard sitting on 18.104.22.168 in transparent/drop-in mode and all servers are using the 1.1.1.x range.
Now I want to replace the aging WatchGuard with a new ASA 5510 that I have; however, I have stumbled into a few problems.
I don't want to use the Cisco transparent mode. Firstly, this only allows you to protect a single IP range, and secondly, VPN functionality is lacking. In the future I will need to take advantage of multiple IP ranges and several interfaces.
So what is the solution? What is the recommended setup for those that want their servers to sit on a public IP range?
It has been suggested to me that I get my ISP to route my 22.214.171.124/24 through a smaller subnet like 126.96.36.199/30, which my firewall's outside interface will sit on.
It has also been suggested to me that I put 188.8.131.52/24 on my outside interface and something like 192.168.0.1/24 on the inside and then put in NAT exemption rules for all the hosts that you don't want to use NAT for.
I also want to move to an HA setup in the future, so I want a solution that is going to enable me to grow and expand this setup without re-engineering the network every time.
Any suggestions would be much appreciated.
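The first suggested design (ISP routes the public /24 to the ASA over a /30 transit, servers keep their public addresses on the inside, no NAT) as an added example ASA 8.3+ configuration sketch; it is not from the original post or any answer. The addresses 203.0.113.0/30 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for the poster's ISP /30 and public /24, and the interface names are assumptions.

```cisco
! Added example: routed-mode ASA, /30 transit on the outside, public /24
! behind the inside interface, no address translation for the servers.
! 203.0.113.0/30 and 198.51.100.0/24 are documentation ranges (constructed),
! not the poster's real blocks.
!
! ISP side: the provider must route 198.51.100.0/24 to 203.0.113.2 (the ASA
! outside address). Without that static route nothing reaches the servers.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
! Default route to the ISP's end of the /30.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! With public addresses on the inside no NAT is required for the servers.
! If NAT is later added for other inside networks (RFC 1918 management
! LAN, VPN pools), pin the server block to its real addresses with an
! identity NAT so a later dynamic rule cannot catch it by accident.
object network SERVER-NET
 subnet 198.51.100.0 255.255.255.0
 nat (inside,outside) static SERVER-NET
!
! Inbound policy: permit only the services the servers actually expose;
! the implicit deny at the end drops everything else. The explicit deny
! with "log" makes the drops visible in syslog for detection.
access-list OUTSIDE-IN extended permit tcp any object SERVER-NET eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! HA caveat: active/standby failover needs a standby IP on each monitored
! interface. A /30 has only two usable hosts (ISP gateway + active ASA),
! so ask the ISP for a /29 transit if failover on the outside is planned.
```

The second suggested design (RFC 1918 inside, public /24 on the outside) would instead need a static NAT entry per exposed host; the identity NAT above is the shape those "NAT exemption" rules take on 8.3+.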