ASA & ISP address space query

mvsheik123
Level 7

Hi all,

Maybe a dumb question. One of my clients is planning on creating RDP access to a few servers sitting on the 'Inside' of an ASA5510. The client requested an ISP /24 public address space and was provided with 1.1.1.0/24 (IPs changed). Also, the ISP provided the client with the ASA outside i/f IP: 2.2.2.2/30 and the default gateway for the ASA (ISP's modem) as 2.2.2.1/30.

So what is the best way to use the ISP-assigned public IPs to provide RDP access to servers inside? Can I assign 1.1.1.1/24 to the ASA inside and create 'NO NAT' to access the Internet and also RDP?

Or, I was originally thinking about having NAT with a pvt IP scheme internally (was not aware of the public IP space requested). So is there any way of using the same pvt IP space and the assigned /24 IP addresses to create Internet/RDP access?

Any help with config links is appreciated.

Thanks in advance

MS

Accepted Solutions

JORGE RODRIGUEZ
Level 10

"I was originally thinking about having NAT with pvt ip scheme internally (was not aware of public ip space requested). So is there any way using same pvt ip space and assigned /24 ip addresses to create Internet/RDP access?"

Absolutely possible, and best to do it as you have thought it out.

If I understand correctly (please correct me otherwise!):

1- You have an ASA5510, outside interface with public IP 2.2.2.2/30

2- ISP router with IP 2.2.2.1/30

3- ISP gives the client 254 public IP addresses for client use on a different range, 1.1.1.0/24

You may well do the following if you do not have the inside interface IP configured.

1- The ASA5510 inside can be any IP subnet from any of the private reserved ranges. For your inside interface you could use any of the below private ranges.

i- 10.0.0.0 through 10.255.255.255

ii- 172.16.0.0 through 172.31.255.255

iii- 192.168.0.0 through 192.168.255.255

Assume you have 172.16.1.1/24 for the inside interface, so you have:

ASA5510 outside interface IP: 2.2.2.2/30

ASA5510 inside interface IP: 172.16.1.1/24

For your new ISP-provided public IP range, simply create your one-to-one NAT translations in the ASA5510 using the new IP addresses from the ISP. Note that the ISP must route the new public IP address space back to your ASA5510 outside interface; I'm sure they know that.

As said, simply create your static NAT using the new public IP address. You may also create global NAT pools if needed.

e.g. RDP access from outside using public IP 1.1.1.100 NATed to 172.16.1.50, the inside host PC:

static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-group outside_access_in in interface outside

e.g. for creating additional global pools using the new IP range, with PAT:

global (outside) 2 1.1.1.50-1.1.1.74
global (outside) 2 1.1.1.75

Rgds

Jorge

Jorge Rodriguez
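
An added example, not part of the original post: a small audit over a pre-8.3 ASA config of the kind shown in the answer, reporting static NATs whose public address lies outside the ISP-routed block and TCP/3389 permits whose source is `any`. The function names, finding labels, and the sample hosts beyond 1.1.1.100/172.16.1.50 (including 3.3.3.10 and 198.51.100.0/24) are constructed for illustration.

```python
import ipaddress

# Constructed sample in the pre-8.3 ASA syntax used in the answer above.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 1.1.1.100 eq 3389
access-list outside_access_in permit tcp 198.51.100.0 255.255.255.0 host 1.1.1.101 eq 3389
access-list outside_access_in permit tcp any host 3.3.3.10 eq 3389
access-group outside_access_in in interface outside
static (inside,outside) 1.1.1.100 172.16.1.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.101 172.16.1.51 netmask 255.255.255.255
static (inside,outside) 3.3.3.10 172.16.1.52 netmask 255.255.255.255
"""

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network or None, next index)."""
    if tok[i] == "any":
        return None, i + 1                      # None stands for "any"
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def audit(config, routed_block="1.1.1.0/24", port="3389"):
    """Return sorted (finding, mapped_ip, real_ip) tuples for the static NATs in config."""
    block = ipaddress.ip_network(routed_block)
    lines = [l.split() for l in config.splitlines() if l.strip()]
    # Pass 1: one-to-one statics, mapped (public) address -> real (inside) address.
    statics = {t[2]: t[3] for t in lines if t[0] == "static" and len(t) >= 4}
    findings = set()
    for mapped, real in statics.items():
        if ipaddress.ip_address(mapped) not in block:
            findings.add(("mapped-ip-outside-routed-block", mapped, real))
    # Pass 2: TCP permits to the port from 'any'; pre-8.3 ACLs match the mapped address.
    for t in lines:
        if t[0] != "access-list" or "permit" not in t:
            continue
        i = t.index("permit")
        if t[i + 1] != "tcp":
            continue
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        if src is None and t[i:i + 2] == ["eq", port]:
            for mapped, real in statics.items():
                if dst is None or ipaddress.ip_address(mapped) in dst:
                    findings.add(("rdp-open-to-any", mapped, real))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The entry for 1.1.1.101 is not reported because its permit names a source network instead of `any`.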

Hi Jorge,

You have 100% perfectly got my question and provided me with a perfect and very helpful idea. Thanks a lot.

MS

Mehboob, you're welcome, and thank you for the rating. I'm sure all will be good at your end, and netpro/forum will always be here to assist.

Rgds

Jorge

Jorge Rodriguez