797 Views | 0 Helpful | 3 Replies

ASA WAN/30 LAN/28 from ISP

bennettg
Level 1

I have a site where an ISP installed ethernet over copper and they have provided a WAN address with a /30 mask (e.g. X.X.X.2/32) and 8 public LAN addresses (e.g. Y.Y.Y.1/28). There is an ASA5505 installed with the outside interface currently using the WAN pt-2-pt address (X.X.X.2/32).

We have run into limitations using PAT with the outside interface and now need to use the additional public LAN addresses provided by the ISP for public facing servers.

The firewall has an inside interface 10.1.10.0/24

There will be a DMZ 172.16.0.0/24 (static translations will be from 172.16.0.0 to the public LAN addresses (Y.Y.Y.1/28)).

There is an outside interface (currently using the WAN address X.X.X.2/32)

Is there a way the ASA5505 can accomplish this without a front-end router (e.g. using subinterfaces on the outside e0/0 interface for both the X.X.X.2/32 and the Y.Y.Y.1/28 network), or do I need to get a router to put in front of the firewall to handle the routing between the two public networks?

2 Accepted Solutions

Jon Marshall
Hall of Fame

Gary

You don't need a front-end router. As long as the ISP is routing the /28 network to the outside of your ASA, and they should be, then all you need to do is add static statements on your ASA device, plus allow access with ACLs obviously.

So

static (dmz,outside) y.y.y.1 172.16.0.10 netmask 255.255.255.255

will allow clients on the internet to access y.y.y.1 and this will be directed to the dmz server 172.16.0.10.

Jon


Richard Burts
Hall of Fame

Gary

If I am understanding your explanation, you are currently doing translation with overload on the outside address, and now you want to use the additional set of addresses provided by the ISP for public facing servers. The ASA can certainly do this and it does not require any additional router.

What you want to do is to configure a set of static translations to assign various addresses in the y.y.y block to various servers in the 172.16.0 DMZ. It might look something like this:

static (DMZ,outside) y.y.y.1 172.16.0.n netmask 255.255.255.255

I have configured translations like this and they work well. They use the second address block effectively even though the second address block does not appear on any interface. One thing to understand about this is that when the static translation is configured like this then the ASA will respond to ARP requests or forward packets to these addresses even when they are not assigned on an interface.

HTH

Rick

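An added configuration example, not from either answer above, that puts Jon's and Rick's advice together on an ASA5505 (where the outside and DMZ are VLAN interfaces): PAT for the inside, one-to-one statics from the routed /28 to DMZ hosts with no interface holding a Y.Y.Y.x address, and the ACL that actually exposes only the published ports. Interface names, VLAN numbers, the 172.16.0.10/11 hosts, the ports and the ISP gateway X.X.X.1 are assumptions; the pre-8.3 syntax matches the thread, and the 8.3+ equivalent is shown in comments.

```cisco
! Placeholder addresses as in the question: X.X.X.0/30 is the ISP
! point-to-point link, Y.Y.Y.0/28 is the public block the ISP routes to us.
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Default route via the ISP end of the /30 (assumed X.X.X.1). No route is
! needed for the /28: the ISP sends it to X.X.X.2 and the statics below
! make the ASA answer for those addresses (proxy ARP) as Rick describes.
route outside 0.0.0.0 0.0.0.0 X.X.X.1
!
! Inside users keep overloading the outside interface address (pre-8.3).
nat (inside) 1 10.1.10.0 255.255.255.0
global (outside) 1 interface
!
! One-to-one statics: public /28 address -> DMZ server (hosts assumed).
static (dmz,outside) Y.Y.Y.1 172.16.0.10 netmask 255.255.255.255
static (dmz,outside) Y.Y.Y.2 172.16.0.11 netmask 255.255.255.255
!
! A static alone passes nothing inbound from the lower-security outside.
! Pre-8.3 ACLs match the PUBLIC (translated) address; permit only the
! services you publish and log everything else that is dropped.
access-list outside_in extended permit tcp any host Y.Y.Y.1 eq 443
access-list outside_in extended permit tcp any host Y.Y.Y.2 eq 25
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! ASA 8.3+ equivalent (object NAT); the ACL then references the REAL address:
! object network dmz_web
!  host 172.16.0.10
!  nat (dmz,outside) static Y.Y.Y.1
! access-list outside_in extended permit tcp any object dmz_web eq 443
```

Verify with `show xlate` (the statics should be listed) and `packet-tracer input outside tcp 203.0.113.5 1234 Y.Y.Y.1 443`, which walks the translation and ACL phases for a constructed external source and shows where a packet would be allowed or dropped.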


3 Replies


Jon and Rick,

Thank you very much - it's nice to see there is an easy to implement solution.

Thank you very much!

-Gary
