I have a site where an ISP installed ethernet over copper and they have provided a WAN address w /30 mask (e.g. X.X.X.2/32) and 8 public LAN addresses (e.g. Y.Y.Y.1/28). There is an ASA5505 installed with the outside interface currently using the WAN pt-2-pt address (X.X.X.2/32).
We have run into limitations using PAT with the outside interface and now need to use the additional public LAN addresses provided by the ISP for public facing servers.
The firewall has an inside interface 10.1.10.0/24
There will be a DMZ 172.16.0.0/24 (static translations will be from 172.16.0.0 to the public LAN addresses (Y.Y.Y.1/28)).
There is an outside interface (currently using the WAN address X.X.X.2/32)
Is there a way the ASA5505 can accomplish this without a front-end router (e.g. using subinterfaces on the outside e0/0 interface for both the X.X.X.2/32 and the Y.Y.Y.1/28 network) or do I need to get a router to put in front of the firewall to handle the routing between the two public networks?
If I am understanding your explanation you are currently doing translation with overload on the outside address. And now you want to use the additional set of addresses provided by the ISP for public facing servers. The ASA can certainly do this and it does not require any additional router.
What you want to do is to configure a set of static translations to assign various addresses in the y.y.y block to various servers in the 172.16.0 DMZ. It might look something like this:
static (DMZ,outside) y.y.y.1 172.16.0.n netmask 255.255.255.255
I have configured translations like this and they work well. They use the second address block effectively even though the second address block does not appear on any interface. One thing to understand about this is that when the static translation is configured like this then the ASA will respond to ARP requests or forward packets to these addresses even when they are not assigned on an interface.
You don't need a front end router. As long as the ISP is routing the /28 network to the outside of your ASA, and they should be, then all you need to do is add static statements on your ASA device, plus allow access with ACLs obviously.
static (dmz,outside) y.y.y.1 172.16.0.10 netmask 255.255.255.255
will allow clients on the internet to access y.y.y.1 and this will be directed to the dmz server 172.16.0.10.
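For completeness, here is what the setup both answers describe looks like as a whole on an ASA 5505 running the pre-8.3 NAT syntax: the routed /28 is never assigned to an interface, the static entries publish DMZ servers on it, and interface ACLs limit what is reachable. This is an added example, not a configuration posted in the thread; the VLAN numbers, interface and ACL names, X.X.X.1 as the ISP end of the /30, and the second server 172.16.0.11 on Y.Y.Y.2 are assumptions.

```cisco
! Added example (not from the thread). Placeholders: X.X.X.0/30 = ISP point-to-point
! link (X.X.X.1 assumed to be the ISP gateway), Y.Y.Y.0/28 = routed public block.
! VLAN numbers, interface/ACL names and the second server are assumptions.
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
 ! Base license only: the third VLAN may not initiate traffic to one other VLAN
 no forward interface Vlan1
!
interface Ethernet0/0
 switchport access vlan 2
!
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
!
! Existing overload (PAT) on the outside address for inside hosts, unchanged
global (outside) 1 interface
nat (inside) 1 10.1.10.0 255.255.255.0
!
! One-to-one statics from the routed /28 to DMZ servers. The Y.Y.Y.x addresses are
! not on any interface; the ASA answers ARP for them on outside because of the static.
static (dmz,outside) Y.Y.Y.1 172.16.0.10 netmask 255.255.255.255
static (dmz,outside) Y.Y.Y.2 172.16.0.11 netmask 255.255.255.255
!
! Inbound ACL: only the published services. Pre-8.3 ACLs on outside match the
! public (translated) address. Everything else is dropped by the implicit deny.
access-list outside_in extended permit tcp any host Y.Y.Y.1 eq www
access-list outside_in extended permit tcp any host Y.Y.Y.1 eq https
access-list outside_in extended permit tcp any host Y.Y.Y.2 eq smtp
access-group outside_in in interface outside
!
! Applying an ACL on dmz replaces the security-level default, so deny inside
! explicitly: a compromised DMZ host should only be able to reach the Internet.
access-list dmz_in extended deny ip 172.16.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list dmz_in extended permit ip 172.16.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Verify with `show xlate` (the statics should appear) and `show arp` on a host upstream, which should resolve Y.Y.Y.1 to the ASA's outside MAC once the static is in place.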