PC with Public IP and not NATTED

Answered Question
Oct 22nd, 2009

Hi All, my Internet connection is terminated on the router, passes through the firewall and then into the LAN.

(ISP) --- Router --- ASA --- LAN

I have been told to connect two PCs with public IPs; they should not be part of the LAN and should not be NATted.

Is this doable?

thotsaphon Thu, 10/22/2009 - 11:15

Joe,

Yes. If you want to test something, you can use a PC configured with the public IP address. Don't forget to configure the default gateway. However, it's a good idea to provide us more information about your requirement. What kind of Internet media did the ISP provide you?

Toshi

Jon Marshall Thu, 10/22/2009 - 11:19

Joe

A bit more information is needed.

The public IPs: are they part of an existing range that is already in use on the router/firewall, or are these separate addresses?

Could you provide some more details on the IP addressing?

Also, do you have spare interfaces on your ASA? What model is it?

I'm assuming that these PCs need protecting by the firewall?

Jon

joe.marcelo9 Thu, 10/22/2009 - 11:28

Hi Jon, I need help on two different requirements: one is this topic and the other is posted in the Security section.

This is for Office2.

The ISP gave us a /29 and we use one IP on the firewall and another for SMTP.

The ISP is in the same building, so they dropped an Ethernet cable to the office.

When I asked the department who requested to plug in two PCs with public IPs about security, they replied with a smile that the PCs have a software-based firewall.

I would also be eager to understand: if I have a spare interface on the firewall, can I pass traffic without NATting?

Jon Marshall Thu, 10/22/2009 - 11:39

Joe

"I would also be eager to understand: if I have a spare interface on the firewall, can I pass traffic without NATting?"

Yes you can.

However, if the /29 is already partly in use then you have a problem putting the PCs on their own DMZ. You don't have enough addressing, because the only thing down from a /29 is a /30, and this only gives you 2 addresses, whereas you would need at least 3: one for the ASA DMZ interface and 2 for the PCs.

So the only place you can put them, if they have to have public IPs, is between the firewall and the router, and obviously then the firewall can't protect the PCs. You could use an ACL on the router to give a form of rudimentary filtering, but it is basic.

Why do they need public IPs? Are connections being initiated to the PCs? Do these 2 PCs need to communicate with devices in your LAN?

Jon

joe.marcelo9 Thu, 10/22/2009 - 11:53

Jon,

Unfortunately it's partly used.

If I manage to get another /29 range from the ISP, how do I configure it?

The PCs don't need any connection with the LAN.

Jon Marshall Thu, 10/22/2009 - 11:58

Joe

If you can get another /29 then, assuming you have a spare interface, it's relatively straightforward.

Are you comfortable configuring the ASA interfaces?

Also, for the type of NAT to use, I still need to understand whether connections will only be initiated from the PCs, or whether connections can be initiated from the Internet to these PCs.

One last question: if you place the PCs into a DMZ, where physically within the building will they be? I.e. if you put them in a DMZ they need L2 adjacency with the ASA firewall; how easy will this be from a purely logistical point of view?

Jon

joe.marcelo9 Thu, 10/22/2009 - 12:14

I have one interface free on the ASA.

Not sure if connections need to be initiated from outside; let's assume they do, if needed.

Configuring the interface: if you mean the IP address, then I'm OK.

The request mentioned that the IPs should not be NATted.

The PCs will be connected next to the ASA cabinet.

Maybe this info is helpful.

The PCs are running Windows 2003 Server with a hardened OS.

Once the Internet connection is provided to these PCs, they will talk to another server in the US running a Check Point firewall and a custom application.

These PCs will have a printer connected directly to get printouts.

Correct Answer
Jon Marshall Thu, 10/22/2009 - 12:35

Joe

Okay then you are pretty much good to go.

Let's assume that you get the range 195.17.17.0/29.

Assign 195.17.17.1 to the ASA interface.

Assign 195.17.17.2 to PC1.

Assign 195.17.17.3 to PC2.

To not NAT (the exemption ACL lists the two PC addresses, not the ASA's own DMZ interface address):

access-list NONAT permit ip host 195.17.17.2 host 212.10.10.1

access-list NONAT permit ip host 195.17.17.3 host 212.10.10.1

nat (DMZ1) 0 access-list NONAT

** A couple of things to note about the above:

i) DMZ1 is the name of the DMZ interface created on the ASA. You can use any name you want.

ii) 212.10.10.1 is the IP address of the server in the US that the PCs are connecting to.

Make sure that the security level is less than the outside interface, and traffic will be allowed by default to go out to the Internet.

Finally, if you want to allow connections to be initiated from the US server to the PCs, all the above is still relevant, but you will also need to add entries to the ACL on your outside interface.

Jon
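Putting the pieces of Jon's answer together, here is a complete ASA configuration for the DMZ interface, the NAT exemption and the optional inbound rule. This is an added example, not config from the thread or from Cisco; it uses the pre-8.3 `nat (if) 0 access-list` syntax that Jon's answer uses, and the addresses from the thread. The physical port (GigabitEthernet0/3), the DMZ security level of 50, the outside interface name `outside` with the default security level 0, the ACL name OUTSIDE_IN and the application port placeholder APP_PORT are all assumptions.

```text
! Added example (not from the thread). ASA pre-8.3 syntax.
! Assumed: port Gi0/3 is the spare interface, outside is nameif "outside"
! at security-level 0 (ASA default).
interface GigabitEthernet0/3
 nameif DMZ1
 security-level 50
 ip address 195.17.17.1 255.255.255.248
 no shutdown
!
! Outbound: DMZ1 (50) is higher than outside (0), so the ASA permits
! connections from the PCs out to the Internet by default, with no ACL
! on DMZ1 needed.
!
! NAT exemption: match the PCs' own addresses (.2 and .3) towards the
! US server only. The ASA's DMZ1 address (.1) does not belong here.
access-list NONAT extended permit ip host 195.17.17.2 host 212.10.10.1
access-list NONAT extended permit ip host 195.17.17.3 host 212.10.10.1
nat (DMZ1) 0 access-list NONAT
!
! Inbound: only needed if the US server initiates connections to the PCs.
! With no NAT, the outside ACL matches the PCs' real public addresses.
! APP_PORT is a placeholder for the custom application's port; restrict
! to that port rather than permitting all IP. If an ACL is already bound
! to the outside interface, add these lines to that ACL instead.
access-list OUTSIDE_IN extended permit tcp host 212.10.10.1 host 195.17.17.2 eq APP_PORT
access-list OUTSIDE_IN extended permit tcp host 212.10.10.1 host 195.17.17.3 eq APP_PORT
access-group OUTSIDE_IN in interface outside
!
! Verification after applying:
!   show access-list NONAT   -> hit counts increase when the PCs reach 212.10.10.1
!   show xlate               -> no translation entries for 195.17.17.2 or .3
!   show access-list OUTSIDE_IN -> hit counts increase on inbound connections
```

Because the exemption ACL is scoped to the US server, any other destination the PCs reach will still be subject to whatever `nat`/`global` statements exist for DMZ1; if the PCs should reach the whole Internet without translation, widen the NONAT destination accordingly, but keep the inbound OUTSIDE_IN entries as narrow as the application allows.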
