ASA & ISP address space query

Answered Question
Jan 6th, 2008

Hi all,


Maybe a dumb question. One of my clients is planning on creating RDP access to a few servers sitting on the 'Inside' of an ASA5510. The client requested ISP /24 public address space and was provided with 1.1.1.0/24 (IPs changed). Also, the ISP provided the client with the ASA outside i/f IP: 2.2.2.2/30 and the default gateway for the ASA (ISP's modem) as 2.2.2.1/30.


So what is the best way to use the ISP-assigned public IPs to provide RDP access to servers inside? Can I assign 1.1.1.1/24 to the ASA inside and create 'NO NAT' to access the Internet and also RDP?


Or I was originally thinking about having NAT with pvt ip scheme internally (was not aware of public ip space requested). So is there any way using same pvt ip space and assigned /24 ip addresses to create Internet/RDP access?

Any help with config links is appreciated.


Thanks in advance

MS

Correct Answer by JORGE RODRIGUEZ about 9 years 6 months ago


"I was originally thinking about having NAT with pvt ip scheme internally (was not aware of public ip space requested). So is there any way using same pvt ip space and assigned /24 ip addresses to create Internet/RDP access?"


Absolutely possible, and best to do it as you have thought it out.



If I understand correctly: please correct me otherwise !


1-You have ASA5510, outside interface with Public IP 2.2.2.2/30

2-ISP router with IP 2.2.2.1/30

3-ISP gives client 254 public IP addresses for client use on different range as 1.1.1.0/24


You may well do the following if you do not have inside interface IP configured.


1- ASA5510 inside can be any IP subnet from any of the private reserved ranges. For your inside interface you could use any of the below private ranges.


i-10.0.0.0 through 10.255.255.255

ii-172.16.0.0 through 172.31.255.255

iii-192.168.0.0 through 192.168.255.255


assume you have for inside interface 172.16.1.1/24

so you have :

ASA5510 outside interface IP: 2.2.2.2/30

ASA5510 inside interface IP : 172.16.1.1/24


For your new ISP-provided public IP range, simply create in the ASA5510 your one-to-one NAT translations using the new IP addresses from the ISP. Note that the ISP must route the new public IP address space back to your ASA5510 outside interface; I'm sure they know that.


As said, simply create your static NAT using the new public IP address; you may also create global NAT pools if needed.


e.g RDP access from outside using public IP 1.1.1.100 NATed to 172.16.1.50 PC inside host


static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255 0 0

access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389

access-group outside_access_in in interface outside


e.g for creating additional global pools using new IP range PAT.


global (outside) 2 1.1.1.50-1.1.1.74

global (outside) 2 1.1.1.75


Rgds

Jorge
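
A defender-side check for the configuration pattern in the answer above, as an added example that is not part of the original post or any Cisco tooling: it parses pre-8.3 `static`, `global` and `access-list` lines and reports RDP (TCP 3389) published to `any`, statics whose mask leaves host bits set, and statics that fall inside a `global` pool. The sample config, the address 198.51.100.10, the 1.1.1.60/1.1.1.101 entries and the finding names are constructed for illustration, and only these exact line shapes are understood.

```python
import ipaddress
import re

# Constructed sample in the pre-8.3 ASA syntax used in the answer above.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.101 172.16.1.51 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.60 172.16.1.52 netmask 255.255.255.0 0 0
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-list outside_access_in permit tcp host 198.51.100.10 host 1.1.1.101 eq 3389
access-group outside_access_in in interface outside
global (outside) 2 1.1.1.50-1.1.1.74
global (outside) 2 1.1.1.75
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+) host (\S+) eq (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ([\d.]+)(?:-([\d.]+))?")


def audit(config):
    """Return sorted (finding, mapped_ip, detail) tuples for a config string."""
    ip = ipaddress.ip_address
    statics, pools, findings = {}, [], []
    lines = [line.strip() for line in config.splitlines()]
    for line in lines:
        if m := STATIC_RE.match(line):
            mapped, real, mask = m.group(3), m.group(4), m.group(5)
            statics[mapped] = real
            # Host bits set under the mask: not a clean host (/32) or net static.
            iface = ipaddress.ip_interface(f"{mapped}/{mask}")
            if iface.network.network_address != iface.ip:
                findings.append(("static-mask-not-host", mapped, mask))
        elif m := GLOBAL_RE.match(line):
            pools.append((ip(m.group(3)), ip(m.group(4) or m.group(3))))
    for line in lines:
        m = ACL_RE.match(line)
        # RDP on a translated host reachable from every source address.
        if m and m.group(2) == "any" and m.group(4) == "3389" and m.group(3) in statics:
            findings.append(("rdp-open-to-any", m.group(3), statics[m.group(3)]))
    for mapped in statics:
        # A static mapped address should not also sit in a dynamic NAT/PAT pool.
        if any(lo <= ip(mapped) <= hi for lo, hi in pools):
            findings.append(("static-in-global-pool", mapped, statics[mapped]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```
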


Correct Answer
JORGE RODRIGUEZ Sun, 01/06/2008 - 12:21
mvsheik123 Sun, 01/06/2008 - 15:57

Hi Jorge,


You have 100% perfectly got my question and provided me with a perfect and very helpful idea. Thanks a lot.


MS

JORGE RODRIGUEZ Sun, 01/06/2008 - 17:57

Mehboob, you're welcome, and thank you for the rating. I'm sure all will be good at your end, and netpro/forum will always be here to assist.


Rgds

Jorge
