ASA classless addressing

pbanzato1
Level 1

Does anyone know if the ASA supports classless subnets? I am breaking my public subnet into two and don't want to lose IPs to classful restrictions.

5 Replies

husycisco
Level 7

Hello Pablo,

Yes, the ASA supports classless subnets, but breaking one subnet into two subnets creates more network and broadcast IP addresses (per subnet), thus consuming more IP addresses. I assume you are asking for a 255.255.255.254 (/31) subnet mask, which is not allowed on the ASA yet.

Regards

Thanks for the reply, I see your point and you are correct, but check out what I am trying to do:

My public subnet is x.x.x.192/27

so first usable is x.x.x.193 and last is 222

I am trying to break it into two, one for public (Outside) as x.x.x.192 255.255.255.228, which will give me first usable x.x.x.193 and last 218

and then a small one for a new interface as x.x.x.220/30 which will give me first usable 221 and last (for the only host) 222

My first example is classless, and I can't IP the interface with that mask.

My goal here is to sit a single host behind the ASA directly connected to eth0/3 and assign the host a public IP and exempt it from NAT, so that I can still protect it with ACL's, but maintain requirements for the deployment (Microsoft OCS Edge Server)

What do you think?

I believe I can still IP my eth0/3 leaving eth0/0 (outside) with the full mask, and then set some routes...

Any input?

As long as the ASA is in routed mode (the default), it is not possible to have two interfaces with address overlap (what you are describing with your eth0/0 and 0/3). When you address your outside interface in the first half of the address space and your DMZ in the second half, the ASA will know how to get traffic to both interfaces, as they are connected routes. You will be making this into two /28's, so your address range will be x.x.x.193 - 206 and your second range will be x.x.x.209 - 222. By splitting this up, you must lose 2 more IP addresses (one to the broadcast, one to the network), so in this case, 207 and 208 are gone. This is the easiest way to do this. If you must use a /30 on the "DMZ", then the best you can do is a /28 on the outside; then you can divide up the remaining /28 however you see fit (2 /29's or 4 /30's). Just remember, every time you divide it, you lose 2 IPs. The only way you can do what you describe is with a static NAT (which would then allow you to ACL the address however you see fit). This is probably the most common way to accomplish what you are hoping to do. Feel free to check the configuration guides for NAT and the command references, here: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/index.htm

Thanks everyone, all together this gets me lined up for plan B.

Pablo,

"I am trying to brake it into two, one for public (Outside) as x.x.x.192 255.255.255.228, which will give me first usable x.x.x.193 and last 218 "

228 is not a valid classless subnet mask. Classless subnet masks follow as 2, 4, 8, 16, 32, 64 and so on. You cannot divide a subnet of 32 hosts into 1-30, 30-32. You can do 1-16, 16-32 or 1-16, 16-24, 24-32 and so on.
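The two accepted answers above make the same point from two angles: a dotted-decimal mask has to be a contiguous run of one-bits (so 255.255.255.228 is not a mask at all), and every extra subnet carved out of the /27 costs another network/broadcast pair. The script below is an added worked example, not code from the thread or from Cisco; it uses Python's standard `ipaddress` module and the documentation range 192.0.2.192/27 as a constructed stand-in for the poster's x.x.x.192/27. It checks the mask, performs the two-/28 split the reply recommends, and works out the alternative plan of a /28 outside plus a /30 DMZ with the leftover addresses.

```python
import ipaddress

# Constructed placeholder for the poster's x.x.x.192/27 (RFC 5737 TEST-NET-1).
PUBLIC_BLOCK = ipaddress.ip_network("192.0.2.192/27")


def is_valid_mask(mask: str) -> bool:
    """True if mask is a contiguous run of 1-bits followed by 0-bits.

    ipaddress rejects non-contiguous masks such as 255.255.255.228
    (binary 11100100 in the last octet) with NetmaskValueError.
    """
    try:
        ipaddress.IPv4Network(("0.0.0.0", mask))
        return True
    except ValueError:  # NetmaskValueError is a ValueError subclass
        return False


def usable_hosts(net: ipaddress.IPv4Network):
    """Return (first usable, last usable, count), excluding network and broadcast."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def split_evenly(net: ipaddress.IPv4Network, new_prefix: int):
    """Split net into equal subnets of the given prefix length, e.g. /27 -> two /28s."""
    return list(net.subnets(new_prefix=new_prefix))


def addresses_lost(net: ipaddress.IPv4Network, new_prefix: int) -> int:
    """Each additional subnet adds one network and one broadcast address."""
    return 2 * (len(split_evenly(net, new_prefix)) - 1)


def plan_outside_plus_dmz30(net: ipaddress.IPv4Network):
    """The reply's fallback: /28 for outside, the top /30 of the other /28 as DMZ.

    Returns (outside /28, dmz /30, leftover networks still free to assign).
    """
    outside, remaining = net.subnets(new_prefix=28)
    dmz = list(remaining.subnets(new_prefix=30))[-1]  # highest /30, e.g. .220/30
    leftover = sorted(remaining.address_exclude(dmz))
    return outside, dmz, leftover


if __name__ == "__main__":
    print("255.255.255.228 valid mask?", is_valid_mask("255.255.255.228"))
    print("/27 usable:", usable_hosts(PUBLIC_BLOCK))
    for sub in split_evenly(PUBLIC_BLOCK, 28):
        print(" ", sub, "usable:", usable_hosts(sub))
    print("addresses lost by splitting into /28s:", addresses_lost(PUBLIC_BLOCK, 28))
    outside, dmz, free = plan_outside_plus_dmz30(PUBLIC_BLOCK)
    print("outside:", outside, "dmz:", dmz, "still free:", [str(n) for n in free])
```

Running it reproduces the numbers in the thread: the /28 split yields .193-.206 and .209-.222 with .207 and .208 consumed, and the /28 + /30 plan leaves a /29 and a /30 unassigned between them.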
