Cisco ASA question: can I carve a small range of global IP addresses out of the big IP range that exists on the outside interface and put this small range on the DMZ interface?
The task is to have a few servers assigned global IPs but have them behind a firewall so we can control traffic towards them.
Well, apparently it is doable; I am wondering if there are any drawbacks with that?
10.x.x.x in this test represents globally routable IP addresses from the ISP.
Three-interface ASA used for testing in the lab:
Outside: 10.10.104.2 / 22
DMZ: 10.10.107.241 / 28 <- within the "outside" IP range
Inside: 220.127.116.11 / 24
global (dmz,outside) 10.10.107.250 10.10.107.250 netmask 255.255.255.255
global (inside,outside) 10.10.107.238 18.104.22.168 netmask 255.255.255.255
There are hosts (.250) connected on the inside and DMZ to handle traffic.
+ Access list "in" on outside permitting everything to everything
The ASA takes configuring "overlapping" IP ranges on outside and DMZ without warning, and
I can access 10.10.107.250 and 10.10.107.238 successfully from outside.
I was changing the mask on the outside interface from /8 to /23, and as long as the network 10.10.107.240/28 appears to the "outside world" as part of the "ASA controlled" range and traffic comes to the ASA, everything works fine.
A router would not allow me to configure overlapping ranges; the ASA does allow it and is able to pass traffic, which is good.
Basically the question becomes: is it a bug or a feature?
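The post relies on the ASA silently accepting an interface subnet that sits inside another interface's subnet, and on the translated addresses landing where the ASA will answer ARP for them. As an added example (not part of the post), the following Python script performs the two pre-checks a practitioner would want before carving a DMZ out of the outside range: it reports every pair of interface subnets that overlap and says which is nested in which, and for each static translation it tells whether the mapped address lies in the outside subnet (the ASA proxy-ARPs for it, so the upstream router needs no extra route) or will need an upstream route, and whether the mapped address collides with a third interface's subnet. The outside and DMZ addresses mirror the lab in the post; the inside subnet, the inside host address, and the interface and static tables are constructed assumptions for the example.

```python
"""Pre-checks for carving a DMZ subnet out of the outside interface's range.

Added example; constructed data, not the configuration from the post.
"""
import ipaddress
from typing import Dict, List, Tuple

# Interface -> "ip/prefix" as configured on the ASA. Outside and DMZ match the
# post's lab; the inside address is an assumption chosen for this example.
INTERFACES: Dict[str, str] = {
    "outside": "10.10.104.2/22",
    "dmz": "10.10.107.241/28",
    "inside": "192.168.1.1/24",
}

# (real interface, real address, mapped address on outside) for each one-to-one
# translation. The mapped addresses are the two used in the post; the inside
# host address is an assumption.
STATICS: List[Tuple[str, str, str]] = [
    ("dmz", "10.10.107.250", "10.10.107.250"),
    ("inside", "192.168.1.250", "10.10.107.238"),
]


def iface_networks(ifaces: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Map interface name -> the connected subnet derived from its address/prefix."""
    return {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}


def find_overlaps(ifaces: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (iface_a, iface_b, relation) for every pair of overlapping subnets.

    A router refuses such pairs; the ASA accepts them, so this is the warning
    the box itself does not print.
    """
    nets = iface_networks(ifaces)
    names = sorted(nets)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not nets[a].overlaps(nets[b]):
                continue
            if nets[a].subnet_of(nets[b]):
                rel = f"{a} is inside {b}"
            elif nets[b].subnet_of(nets[a]):
                rel = f"{b} is inside {a}"
            else:
                rel = "partial overlap"
            found.append((a, b, rel))
    return found


def check_static(ifaces: Dict[str, str], real_if: str, real_ip: str,
                 mapped_ip: str, mapped_if: str = "outside") -> Tuple[str, List[str]]:
    """Classify one static translation and list anything suspicious about it.

    Returns ("proxy-arp", problems) when the mapped address is in the mapped
    interface's own subnet (the ASA answers ARP for it, nothing to route
    upstream), or ("routed", problems) when the ISP must route it to the ASA.
    Problems: real address not on its interface, or mapped address falling
    inside a third interface's subnet, the ambiguity the ASA accepts silently.
    """
    nets = iface_networks(ifaces)
    real = ipaddress.ip_address(real_ip)
    mapped = ipaddress.ip_address(mapped_ip)
    problems: List[str] = []
    if real not in nets[real_if]:
        problems.append(f"real {real} not in {real_if} {nets[real_if]}")
    for name, net in nets.items():
        if name not in (mapped_if, real_if) and mapped in net:
            problems.append(f"mapped {mapped} falls inside {name} {net}")
    reach = "proxy-arp" if mapped in nets[mapped_if] else "routed"
    return reach, problems


if __name__ == "__main__":
    for a, b, rel in find_overlaps(INTERFACES):
        print(f"overlap: {a} / {b}: {rel}")
    for real_if, real_ip, mapped_ip in STATICS:
        reach, problems = check_static(INTERFACES, real_if, real_ip, mapped_ip)
        print(f"static {real_if} {real_ip} -> {mapped_ip}: {reach}"
              + (": " + "; ".join(problems) if problems else ""))
```

Run it as is and it flags the DMZ /28 as nested inside the outside /22 and shows both mapped addresses as proxy-ARP reachable, which matches the post's observation that traffic works as long as the carved range looks like part of the ASA's outside range to the upstream router. Change the inside host's mapped address to one inside 10.10.107.240/28 and the second check reports the collision with the DMZ subnet.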