10-22-2009 11:04 AM - edited 03-04-2019 06:28 AM
Hi All, my Internet connection is terminated on the router, passes through the firewall and then to the LAN.
(ISP) --- Router --- ASA --- LAN
I have been told to connect two PCs with public IPs, and they should not be part of the LAN and not NATted.
Is this doable?
10-22-2009 12:35 PM
Joe
Okay then you are pretty much good to go.
Let's assume that you get the range 195.17.17.0/29.
Assign 195.17.17.1 to the ASA interface.
Assign 195.17.17.2 to PC1.
Assign 195.17.17.3 to PC2.
To not NAT:
access-list NONAT permit ip host 195.17.17.2 host 212.10.10.1
access-list NONAT permit ip host 195.17.17.3 host 212.10.10.1
nat (DMZ1) 0 access-list NONAT
** A couple of things to note about the above:
i) DMZ1 is the name of the DMZ interface created on the ASA. You can use any name you want.
ii) 212.10.10.1 is the IP address of the server in the US that the PCs are connecting to.
Make sure that the security level is less than the outside interface and traffic will be allowed by default to go out to the Internet.
Finally, if you want to allow connections to be initiated from the US server to the PCs, all the above is still relevant, but you will also need to add entries to the ACL on your outside interface.
Jon
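A fuller version of what Jon describes, as an added example that is not from the original thread, in the pre-8.3 ASA syntax that the `nat (DMZ1) 0 access-list` command belongs to (8.3 and later use object-based NAT). The interface name Ethernet0/2, the security level 50, the ACL names DMZ1_OUT and OUTSIDE_IN and the port 443 are assumptions; the addresses are the thread's own.

```text
! Added example (not from the thread): ASA 8.2-style config for an un-NATed DMZ.
! Assumes the ISP routes the second /29 (195.17.17.0/29) to the ASA's outside
! address and that Ethernet0/2 is the spare interface; port 443 is a placeholder.
!
! 1. The spare interface becomes the DMZ; the ASA takes the first usable address.
!    Outbound DMZ -> Internet traffic is permitted by default only when the DMZ
!    security level is HIGHER than outside (which is 0); 50 is an assumed value.
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 ip address 195.17.17.1 255.255.255.248
 no shutdown
!
! 2. Identity NAT: packets from the two PCs to the US server keep their real source.
access-list NONAT extended permit ip host 195.17.17.2 host 212.10.10.1
access-list NONAT extended permit ip host 195.17.17.3 host 212.10.10.1
nat (DMZ1) 0 access-list NONAT
!
! 3. Restrict what the PCs may reach: only the US server, nothing else. This puts a
!    control on the ASA instead of relying on the host firewall alone. Add DNS or
!    update servers here if the PCs need them; everything else is denied and logged.
access-list DMZ1_OUT extended permit ip host 195.17.17.2 host 212.10.10.1
access-list DMZ1_OUT extended permit ip host 195.17.17.3 host 212.10.10.1
access-list DMZ1_OUT extended deny ip any any log
access-group DMZ1_OUT in interface DMZ1
!
! 4. Only if the US server must initiate connections to the PCs: open just the
!    required port from that single source. The ASA applies one ACL per interface
!    per direction, so if an inbound ACL already exists on outside, add these
!    lines to it rather than creating a second one.
access-list OUTSIDE_IN extended permit tcp host 212.10.10.1 host 195.17.17.2 eq 443
access-list OUTSIDE_IN extended permit tcp host 212.10.10.1 host 195.17.17.3 eq 443
access-group OUTSIDE_IN in interface outside
```

Verify with `show nat` and `show access-list DMZ1_OUT` that the hit counts land on the expected lines once the PCs start talking to the US server.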
10-22-2009 11:15 AM
Joe,
Yes. If you want to test something, you can use a PC configured with the public IP address. Don't forget to configure the default gateway. However, it's a good idea to provide us more information about your requirement. What kind of Internet media did the ISP provide you?
Toshi
10-22-2009 11:19 AM
Joe
A bit more information is needed.
The public IPs, are they part of an existing range that is already in use on the router/firewall, or are these separate addresses?
Could you provide some more details on the IP addressing?
Also, do you have spare interfaces on your ASA? What model is it?
I'm assuming that these PCs need protecting by the firewall?
Jon
10-22-2009 11:28 AM
Hi Jon, I needed help on two different requirements. One is this topic and another is posted in the Security section.
This is for Office2.
The ISP gave us a /29 and we use one IP on the firewall and another for SMTP.
The ISP is in the same building, so they drop an Ethernet cable to the office.
When I asked the department who requested to plug in two PCs with public IPs about security, they replied with a smile that the PCs have a software-based firewall.
I would also be eager to understand, if I have a spare interface on the firewall, whether I can pass traffic without NATting.
10-22-2009 11:39 AM
Joe
"I would also be eager to understand, if I have a spare interface on the firewall, whether I can pass traffic without NATting."
Yes, you can.
However, if the /29 is already partly in use then you have a problem with putting the PCs on their own DMZ. You don't have enough addressing, because the only thing down from a /29 is a /30, and this only gives you 2 addresses, and you would need at least 3: one for the ASA DMZ interface and 2 for the PCs.
So the only place you can put them, if they have to have public IPs, is between the firewall and the router, and obviously then the firewall can't protect the PCs. You could use an ACL on the router to give a form of rudimentary filtering, but it is basic.
Why do they need public IPs? Are connections being initiated to the PCs? Do these 2 PCs need to communicate with devices in your LAN?
Jon
10-22-2009 11:53 AM
Jon,
Unfortunately it's partly used.
If I manage to get another /29 range from the ISP, how do I configure it?
The PCs don't need any connection with the LAN.
10-22-2009 11:58 AM
Joe
If you can get another /29 then, assuming you have a spare interface, it is relatively straightforward.
Are you comfortable configuring the ASA interfaces?
Also, for the type of NAT to use, I still need to understand whether connections will only be initiated from the PCs, or whether connections can be initiated from the Internet to these PCs.
One last question: if you place the PCs into a DMZ, where physically within the building will they be? I.e. if you put them in a DMZ they need L2 adjacency with the ASA firewall; how easy will this be from a purely logistical point of view?
Jon
10-22-2009 12:14 PM
I have one interface free on the ASA.
Not sure if connections need to be initiated from outside; let's assume they are needed.
Configuring the interface, if you mean the IP address, then I'm OK.
The request mentioned that the IPs should not be NATted.
The PCs will be connected next to the ASA cabinet.
Maybe this info is helpful.
The PCs are running Windows Server 2003 with a hardened OS.
Once the Internet connection is provided to these PCs, they will talk to another server in the US running a Checkpoint firewall and a custom application.
These PCs will have a printer connected directly to get printouts.
10-22-2009 12:44 PM
This is very, very clear.
I will test once I get the IPs.
Thanks so much, Jon.
10-22-2009 12:46 PM
No problem, glad to have helped.
Jon