help!! setting up firewall with access to public addressed server

Unanswered Question
Sep 16th, 2009

I want to put an ASA with 2 interfaces, one outside, the other a DMZ interface. In the DMZ will be a server; however, the server will have a public IP address assigned to it, so no NATing will take place. How do I set up the interfaces and allow the outside to connect to it? The server has an IP in the same subnet as the static IP I will be giving the outside interface. How do I make this work, as it was my understanding that I need to put an IP on the DMZ interface also, and that has to be in the same range as the server, but a different subnet altogether than the outside interface?

alig.norbert Wed, 09/16/2009 - 11:30

If you have only 2 IPs in the same subnet, there is no possibility to get it to work. The only solution is:

- assign a private IP range on the DMZ
- give the server in the DMZ an IP from the same DMZ range
- 1:1 NAT from DMZ (server IP) to second public IP (outside)

mark.j.hodge Thu, 09/17/2009 - 04:41

If I understand your scenario correctly, your best option would be to run the ASA in transparent mode.

This way the ASA would not have any IP addresses on either the "internet" or "DMZ" interfaces. You would probably have one on the MGT interface.

mark.j.hodge Fri, 09/18/2009 - 03:09

In the scenario posted it was stated :-

"In the DMZ will be a server; however, the server will have a public IP address assigned to it, so no NATing will take place"

The example you point to shows a NAT of the outside address to the inside address :-

"static (dmz,outside) 192.168.200.227 172.16.31.10 netmask 255.255.255.255"

The only options available if no NATing is to take place are either to route the traffic or bridge it. As the DMZ address is intended to be on the same subnet as the outside address, routing is not possible; therefore it needs to be bridged, i.e. a transparent firewall.
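The transparent-mode setup suggested in the replies above, sketched as an added example that is not part of the original thread or taken from Cisco documentation. It assumes ASA 8.2-era syntax (in line with the 2009 date of the thread), constructed addresses from the documentation range 203.0.113.0/29, hypothetical interface numbering, and HTTPS as the only service the server publishes.

```cisco
! Added example. All addresses, interface numbers and the published port are
! constructed placeholders, not values from the thread.
! Switching modes clears the running configuration, so do this first and
! from the console.
firewall transparent
!
! The two bridged interfaces carry no IP address of their own.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 no shutdown
!
! Global management address of the firewall (8.2-era transparent mode).
! Assumption: it is taken from the same public subnet as the server.
ip address 203.0.113.2 255.255.255.248
!
! Default route is used only for traffic the ASA itself originates
! (management, syslog); bridged traffic is forwarded by MAC address.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! The server keeps its public address 203.0.113.3 with the upstream router
! 203.0.113.1 as its gateway. No NAT is configured.
! Permit only the published service from outside; anything else arriving on
! the outside interface hits the implicit deny at the end of the ACL.
access-list outside_in extended permit tcp any host 203.0.113.3 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Outbound traffic from the server (dmz, level 50, to outside, level 0) is
! allowed by default. To restrict it, apply an ACL inbound on dmz as well.
```

The explicit `deny ip any any log` line duplicates the implicit deny but makes dropped connection attempts visible in syslog, which helps when verifying that only the intended port is reachable.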
