562 Views, 0 Helpful, 5 Replies

Help!! Setting up firewall with access to public-addressed server

mjsully
Level 1

I want to put in an ASA with 2 interfaces, one outside, the other a DMZ interface. In the DMZ will be a server; however, the server will have a public IP address assigned to it, so no NATing will take place. How do I set up the interfaces and allow the outside to connect to it? The server has an IP in the same subnet as the static IP I will be giving the outside interface. How do I make this work, as it was my understanding that I need to put an IP on the DMZ interface also, and that has to be in the same range as the server, but a different subnet altogether from the outside interface?

5 Replies

alig.norbert
Level 4

If you have only 2 IPs in the same subnet, there is no possibility to get it to work. The only solution is:

- assign a private IP range on the DMZ

- give the server in the DMZ an IP from the same DMZ range

- 1:1 NAT from DMZ (server IP) to the second public IP (outside)
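The three bullets above, written out as an ASA configuration. This is an added example, not configuration posted in the thread, and it uses the pre-8.3 `static (dmz,outside)` form that is quoted later in the thread. Interface names, the DMZ range 192.168.200.0/24 and the public block 203.0.113.0/29 (an RFC 5737 documentation range) are assumptions; 203.0.113.2 is the outside interface address and 203.0.113.3 is the second public IP that fronts the server.

```cisco
! Added example (not from the thread): ASA pre-8.3 syntax.
! All addresses are constructed; 203.0.113.0/29 stands in for the
! public block from the ISP, 203.0.113.1 for the ISP gateway.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown

interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
 no shutdown

! Default route towards the ISP gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! 1:1 static NAT: the server keeps 192.168.200.10 on the DMZ (with
! 192.168.200.1 as its default gateway) and is reached from the
! Internet as 203.0.113.3. The ASA answers ARP for 203.0.113.3 itself,
! so that address must not also be configured on the server.
static (dmz,outside) 203.0.113.3 192.168.200.10 netmask 255.255.255.255

! Open only the ports the server actually serves. In pre-8.3 code the
! inbound ACL is written against the translated (public) address.
access-list outside_in extended permit tcp any host 203.0.113.3 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The explicit `deny ip any any log` at the end duplicates the implicit deny but gives you a syslog record of what is being dropped, which is the first thing to check when the server is "unreachable" after the change. From ASA 8.3 onward the same design is expressed with object NAT and the ACL references the real (DMZ) address instead.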

kumar
Level 1

Yes, you assign a private IP to the DMZ zone and configure one of the public IPs on the outside interface, then configure a static route to the DMZ server to the public IP. It'll work.

mark.j.hodge
Level 3

If I understand your scenario correctly, your best option would be to run the ASA in transparent mode.

This way the ASA would not have any IP addresses on either the "internet" or "DMZ" interfaces. You would probably have one on the MGT interface.

In the scenario posted it was stated :-

"In the DMZ will be a server, however, the server will have a public IP address assigned to it, so no NATing will take place"

The example you point to shows a NAT of the outside address to the inside address :-

"static (dmz,outside) 192.168.200.227 172.16.31.10 netmask 255.255.255.255"

The only options available if no NATing is to take place are either to route the traffic or bridge it. As the DMZ address is intended to be on the same subnet as the outside address, routing is not possible; therefore it needs to be bridged, i.e. a transparent firewall.
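The bridged alternative described in this reply, as an added example (not configuration posted in the thread). It assumes a pre-8.3 ASA, where transparent mode carries a single management address configured globally; the interface names and the addresses (203.0.113.0/29 from the RFC 5737 documentation range, 203.0.113.1 for the ISP router, 203.0.113.10 for the DMZ server) are assumptions.

```cisco
! Added example (not from the thread): transparent (Layer 2) mode on a
! pre-8.3 ASA, so the DMZ server keeps its own public address and
! nothing is translated. Addresses are constructed.
!
! Note: switching modes with "firewall transparent" clears the running
! configuration, so do this on a box you are about to configure, not
! one in production.

firewall transparent

interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown

interface Ethernet0/1
 nameif dmz
 security-level 50
 no shutdown

! One management IP for the bridged segment, set globally rather than
! per interface; it must be in the same subnet as the bridged hosts.
ip address 203.0.113.2 255.255.255.248

! Traffic is still inspected statefully. Because nothing is translated,
! the server's real public address appears directly in the ACL.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The server and the ISP router see each other as directly attached neighbours on 203.0.113.0/29; the ASA only bridges and filters between them. ARP and IP are bridged by default, but other Ethernet types are dropped unless an EtherType ACL permits them, which is worth remembering if something non-IP stops working after the change. On ASA 8.4 and later the same design uses `bridge-group` interfaces and a BVI address instead of the global `ip address` line.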
