I have recently inherited a network with around 80 hosts containing mostly web, mail, and database servers. After auditing their ASA 5510, I found a major security issue I want to fix with as little service interruption as possible. The problem is that the ASA is only configured with 2 interfaces:
Outside = 22.214.171.124/29
Inside = 126.96.36.199/24
Both subnets are public address blocks, and the 188.8.131.52/24 subnet is currently assigned to the hosts.
To fix this I would like to introduce at least one DMZ interface to separate the web and mail servers from the database servers. My proposed setup would be:
DMZ = 10.10.10.0/24
Then I would NAT the public IP to the DMZ interface to avoid having to change DNS for the sites that the web servers run.
My question is: how can I introduce this DMZ with as little server interruption as possible? Could I take one host at a time, change the IP of that host to a 10.10.10.X IP, and then issue a NAT command something like this:
static (dmz,outside) 234.234.234.X 10.10.10.X netmask 255.255.255.255 dns
Keep in mind that the 184.108.40.206/24 subnet is still assigned to the inside interface and there will still be other hosts that are live within that subnet. Will the static (dmz, outside) 234.234.234.X override and route to the DMZ instead of the inside?
Of course in the end, I will have a new subnet on the inside, something like 10.0.0.0/24 and the only interface with a publicly routed subnet will be the outside.
I'm open to any ideas, thanks for your time.
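The per-host migration the question proposes, written out as an added ASA configuration fragment in the pre-8.3 `static` syntax the question uses (this is an added illustration, not from the original post). The interface name and security level, the DMZ host 10.10.10.5, the mapped address 234.234.234.5, the open ports, and the `<db-host-ip>` / `<inside-subnet>` placeholders are assumptions; it also assumes `nat-control` is disabled (the ASA default), so dmz-to-inside traffic needs no extra NAT rule.

```cisco
! Added example (not from the original post): DMZ interface plus one migrated host.
! Pre-8.3 ASA syntax, matching the 'static (dmz,outside)' form in the question.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! One host moved from the inside subnet to 10.10.10.5 (constructed value).
! 'dns' rewrites A-record answers passing through the ASA, so inside clients
! resolving the public name get the real DMZ address instead of the mapped one.
static (dmz,outside) 234.234.234.5 10.10.10.5 netmask 255.255.255.255 dns
!
! Only the services this host actually offers are opened from outside.
access-list outside_in extended permit tcp any host 234.234.234.5 eq www
access-list outside_in extended permit tcp any host 234.234.234.5 eq https
access-list outside_in extended permit tcp any host 234.234.234.5 eq smtp
access-group outside_in in interface outside
!
! The DMZ host may reach the database server still on inside only on its DB port;
! everything else towards the inside subnet is denied, so a compromised web or
! mail host cannot roam the inside network. <db-host-ip> and <inside-subnet>
! are placeholders for addresses the question does not give.
access-list dmz_in extended permit tcp host 10.10.10.5 host <db-host-ip> eq 3306
access-list dmz_in extended deny ip any <inside-subnet> 255.255.255.0
access-list dmz_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After each cutover, `show xlate` and `packet-tracer input outside tcp <src-ip> 12345 234.234.234.5 80` (both standard ASA commands) confirm which interface the ASA actually sends the untranslated packet to while the mapped prefix still overlaps the inside subnet.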