help!! setting up firewall with access to public addressed server

Unanswered Question
Sep 16th, 2009
I want to put in an ASA with 2 interfaces: one outside, the other a DMZ interface. In the DMZ will be a server; however, the server will have a public IP address assigned to it, so no NATing will take place. How do I set up the interfaces and allow the outside to connect to it? The server has an IP in the same subnet as the static IP I will be giving the outside interface. How do I make this work, as it was my understanding that I need to put an IP on the DMZ interface also, and that it has to be in the same range as the server, but a different subnet altogether than the outside interface?

alig.norbert Wed, 09/16/2009 - 11:30
If you have only 2 IPs in the same subnet, there is no possibility to get it to work. The only solution is:

- assign a private IP range on the DMZ

- give the server in the DMZ an IP from the same DMZ range

- 1:1 NAT from DMZ (server IP) to second public IP (outside)

kumar@shasun Wed, 09/16/2009 - 20:43
Yes, assign a private IP to the DMZ zone, configure one of the public IPs on the outside interface, then configure a static route from the DMZ server to the public IP. It'll work.

mark.j.hodge Thu, 09/17/2009 - 04:41
If I understand your scenario correctly, your best option would be to run the ASA in transparent mode.

This way the ASA would not have any IP addresses on either the "internet" or "DMZ" interfaces. You would probably have one on the MGT interface.

mark.j.hodge Fri, 09/18/2009 - 03:09
In the scenario posted it was stated:

"In the DMZ will be a server, however, the server will have a public IP address assigned to it, so no NATing will take place"

The example you point to shows a NAT of the outside address to the inside address:

"static (dmz,outside) 192.168.200.227 172.16.31.10 netmask 255.255.255.255"

The only options available if no NATing is to take place are either to route the traffic or to bridge it. As the DMZ address is intended to be on the same subnet as the outside address, routing is not possible; therefore it needs to be bridged, i.e. a transparent firewall.
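As an added illustration (not posted by anyone in this thread), this is what the transparent-mode setup mark.j.hodge describes looks like on an ASA of that era (8.0/8.2 syntax). The public block 203.0.113.0/29, the ISP router at .1, the ASA management address .3, the server at .4 and the interface names are all assumed values for the example.

```text
! Bridge outside and dmz at layer 2 instead of routing between them.
! Both interfaces then sit in the same public subnet, and the server
! keeps its public address with no NAT (the page's requirement).
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 no shutdown
!
! In transparent mode the ASA has no per-interface addresses; one
! management address from the same subnet is still required so the
! ASA can source its own traffic (syslog, AAA, management access).
ip address 203.0.113.3 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Traffic from dmz (50) to outside (0) is permitted by default.
! Inbound from outside is denied until an ACL allows it, so expose
! only the server ports that must be reachable from the Internet.
access-list outside_in extended permit tcp any host 203.0.113.4 eq www
access-list outside_in extended permit tcp any host 203.0.113.4 eq https
access-group outside_in in interface outside
!
! Optional: only answer ARP for the addresses you expect on each side,
! so a host on the DMZ cannot claim the ISP gateway's address.
arp outside 203.0.113.1 0000.0c07.ac01
arp-inspection outside enable flood
```

The `static (dmz,outside) ...` line quoted above is the alternative alig.norbert describes: keep the ASA in routed mode, give the DMZ a private range, and translate one public address to the server instead of bridging.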
