Recommended ASA 5510 Setup -without- NAT

Unanswered Question
Oct 2nd, 2007

Currently I have a single Cat5 feed from my ISP and that includes a single IP range, call it 1.1.1.1/24.

Currently I have a crappy WatchGuard sitting on 1.1.1.2 in transparent/drop-in mode and all servers are using the 1.1.1.x range.

Now I want to replace the aging WatchGuard with a new ASA 5510 that I have; however, I have stumbled into a few problems.

I don't want to use the Cisco transparent mode. Firstly, this only allows you to protect a single IP range, and secondly, VPN functionality is lacking. In the future I will need to take advantage of multiple IP ranges and several interfaces.

So what is the solution? What is the recommended setup for those who want their servers to sit on a public IP range?

It has been suggested to me that I get my ISP to route my 1.1.1.1/24 through a smaller subnet like 2.2.2.2/30, which my firewall's outside interface will sit on.

It has also been suggested to me that I put 1.1.1.1/24 on my outside interface and something like 192.168.0.1/24 on the inside, and then put in NAT exemption rules for all the hosts that you don't want to use NAT for.

I also want to move to an HA setup in the future, so I want a solution that is going to enable me to grow and expand this setup without re-engineering the network every time.

Any suggestions would be much appreciated.

Jon Marshall Tue, 10/02/2007 - 04:14

Hi

If the servers are accessible on their public IP addresses then the easiest thing to do is

1) Create a DMZ for the servers. You don't have to; you can put the servers on the inside, but if they are accessible from outside it is recommended to use a DMZ.

2) Allocate private addressing to the servers and then set up static NAT translations, e.g.

static (DMZ,outside) 212.17.19.5 192.168.5.5

static (DMZ,outside) 212.17.19.6 192.168.5.6

etc.

This would obviously mean readdressing your servers and although the vast majority of applications will work with NAT some won't.

If you don't want to NAT but still want to protect the servers with your ASA firewall then you will need a separate subnet for the connection between your outside interface and the ISP router.

You would then create a DMZ using the public IP addressing you already have.

Which is more flexible? Well, assuming your public addressing is your ISP's, using private addressing on your servers means that if you change your ISP in future you do not have to readdress your servers; you just change the NAT statements on your firewall and update public DNS.

HTH

Jon

dogzillaa Tue, 10/02/2007 - 04:55

1) When you say create a DMZ, what do you mean? I always considered a DMZ to simply be another network segment which is separated from your trusted network for enhanced security. According to all the Cisco DMZ examples I have seen, all servers still sit on a private IP range and their public IPs are NATed. Right now my management network is on a separate network switch, so essentially I only have one network behind my ASA, and so a DMZ is irrelevant, right?

2) Readdressing is going to be extremely difficult to do so I want to stay away from that if I can.

I suspect the easiest way to achieve what I want to do is to get a separate subnet for my firewall from my ISP, like 2.2.2.2/30. The only question I have, though, is can my 1.1.1.1 still route outwards WITHOUT translating to 2.2.2.2? I simply want to use the small 2.2.2.2/30 subnet as a kind of gateway subnet to my main IP range.

Jon Marshall Tue, 10/02/2007 - 05:07

1) Yes, a DMZ is another network segment that is connected to a different interface on your firewall than the inside interface. If you don't have any other servers on the inside other than the ones that you are giving outside access to, then yes, you could argue a DMZ is not relevant, but if there are other servers that do not require outside access you should keep them separate.

2) Yes, you can still route outwards. You need to

i) Make sure the ISP has a route on their router pointing to your 1.1.1.x network via the outside interface of your PIX, 2.2.2.x.

ii) Either do no NAT or just set up static NAT translations, e.g.

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

static (inside,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

etc.

or you could just do the whole network, e.g.

static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.240

HTH

Jon
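The routed-mode design discussed in this thread (ISP routes 1.1.1.0/24 to the ASA over a 2.2.2.0/30 transit link, servers keep their public addresses, identity NAT on the firewall), written out as one pre-8.3 ASA configuration. This is an added example, not Jon's or Cisco's text; the ISP router address 2.2.2.1, the DMZ gateway address 1.1.1.1, the interface assignments and the server addresses 1.1.1.10 and 1.1.1.20 are assumed for illustration.

```cisco
! Outside interface on the small transit subnet from the ISP (assumed /30)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
!
! Servers keep their public /24; this interface becomes their default gateway
! (assumed 1.1.1.1 - pick an address the servers are not already using)
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 1.1.1.1 255.255.255.0
!
! Default route to the ISP router on the transit link (assumed 2.2.2.1).
! The ISP must in turn route 1.1.1.0/24 to 2.2.2.2, or return traffic never arrives.
route outside 0.0.0.0 0.0.0.0 2.2.2.1
!
! Identity NAT for the whole server range: addresses are unchanged in both
! directions, so nothing is translated to 2.2.2.2
static (dmz,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0
!
! With no NAT hiding them, the interface ACL is what protects the servers:
! permit only the published services (assumed web on .10, mail on .20),
! everything else inbound is dropped by the implicit deny
access-list outside_in extended permit tcp any host 1.1.1.10 eq 80
access-list outside_in extended permit tcp any host 1.1.1.10 eq 443
access-list outside_in extended permit tcp any host 1.1.1.20 eq 25
access-group outside_in in interface outside
```

Adding a further public range later means another interface (or sub-interface) and another identity static plus ACL entries, with no readdressing of existing servers.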
