Is it possible to bridge our external network to an internal interface?

Nov 22nd, 2007

We are planning on buying one of Cisco's appliance solutions (the ASA 55xx series) and would like to know if it's possible to bridge our RIPE assigned external IP-range to be used on an internal interface?

Our business demands that we can continue to use the same server IPs as we have today (they are hardcoded in some of our industrial applications) behind the ASA.

If this is possible, do you have any suggestions on where to look to find examples for setting this up (we have searched, but found nothing).

Best regards,


Digital Information AB


owillins Wed, 11/28/2007 - 06:59

You can achieve your goal through NAT. The reason is that the security appliance uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing, because the security appliance does not have to be the gateway for any additional networks.

diginfo07 Wed, 11/28/2007 - 07:06

But if I do not wish to use NAT? I would just like to subnet our network into 4 subnets and use each subnet on one of the interfaces. Then I can assign different security levels and traffic policies to each subnet, without having to use NAT. Or?

Best regards,


hobbe Thu, 11/29/2007 - 04:02

Yes, but no, and what do you really want to do with it? The answer to this question commands what you can do with the firewall.

I.e., do you want to be able to terminate VPN?

If yes, then forget about Stealth mode, which is used for bridging and so on.

But yes, of course you can pass the firewall without using NAT (or rather NATing the addresses to themselves). However, I would recommend against using it that way.

You actually lose great functionality. And you will lose a little bit more than 1/4th of your outside network.

IMHO it's better to change the license key IP to an RFC 1918 address.
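
An added example (not part of the thread): a Python check for the no-NAT layout discussed above, where the assigned block is split into four subnets, one per firewall interface. It reports which existing hardcoded server addresses would keep working after the split and how much of the block remains for servers. The 203.0.113.0/24 block and the server list are constructed, and treating the first subnet as the outside segment and the first host of each subnet as the firewall interface are assumptions.

```python
import ipaddress

# Constructed sample data: documentation range and made-up server addresses.
BLOCK = "203.0.113.0/24"
SERVERS = ["203.0.113.10", "203.0.113.64", "203.0.113.65",
           "203.0.113.127", "203.0.113.130", "203.0.113.200"]

def plan_split(block, server_ips, outside_index=0):
    """Split `block` into four equal subnets and classify each server address.

    Assumptions (not from the thread): subnet `outside_index` is the transit
    segment facing the ISP, and the firewall takes the first host address
    in every subnet.
    """
    net = ipaddress.ip_network(block)
    subnets = list(net.subnets(prefixlen_diff=2))  # four equal parts
    outside = subnets[outside_index]
    report = {}
    for text in server_ips:
        ip = ipaddress.ip_address(text)
        sub = next((s for s in subnets if ip in s), None)
        if sub is None:
            report[text] = "not in the assigned block"
        elif ip in (sub.network_address, sub.broadcast_address):
            report[text] = f"unusable: network/broadcast address of {sub}"
        elif ip == sub.network_address + 1:
            report[text] = f"conflict: firewall interface address in {sub}"
        elif sub == outside:
            report[text] = f"conflict: {sub} is the outside segment"
        else:
            report[text] = f"ok: keeps its address in {sub}"
    # Per internal subnet: drop network, broadcast and the firewall interface.
    usable = sum(s.num_addresses - 3 for s in subnets if s != outside)
    return report, usable, net.num_addresses

if __name__ == "__main__":
    report, usable, total = plan_split(BLOCK, SERVERS)
    for ip, verdict in report.items():
        print(f"{ip:16} {verdict}")
    lost = 1 - usable / total
    print(f"{usable} of {total} addresses left for servers ({lost:.1%} lost)")
```
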



