ASA 5510 DMZ to support public IPs

kyle.heath
Level 1

I have just started using an ASA 5510 after Cisco 877 and 1841 routers and have been asked to set up a DMZ that can support multiple computers with routable public IPs; this is for certain clients that must VPN from a public IP and not a NAT IP.

I have got my dynamic NAT working from my inside to outside networks and added a DMZ to outside for wireless clients; now all I need to do is get this DMZ for public IP clients working.

I will admit at this stage I cannot work out what type of NAT is needed, as I don't want to translate any IPs, I just want to route them through the DMZ interface out to the Internet gateway. Does this situation require the NAT exemption rules?

I have an IP assignment of 6 usable IP addresses and I was planning to subnet these into two further blocks of 2 usable addresses, so going from a /29 to two /30 subnets, as I understand that I cannot have two interfaces that overlap each other.

I may just be over-complicating this due to inexperience with the ASA; all I need to do is allow clients to have a public IP on their laptops and connect this to the ASA DMZ port.

Cheers

Kyle


6 Replies

Jon Marshall
Hall of Fame

Kyle

I'm not sure why you need to subnet down the /29, but anyway, to have a DMZ using public IPs you can either

1) use a static NAT, i.e.

    static (dmz,outside) 195.17.17.0 195.17.17.0 netmask 255.255.255.248

   (or netmask 255.255.255.252 if you subnet down to /30)

or

2) NAT exemption

    access-list nonat permit ip 195.17.17.0 255.255.255.248 any
    nat (dmz) 0 access-list nonat

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
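The two options Jon lists, written out as a complete pre-8.3 ASA configuration. This is an added example, not configuration from the thread. It assumes the /29 has been split the way Kyle later describes (ASA outside 195.17.17.1 with the ADSL router at .2, ASA dmz 195.17.17.5 with the public-IP client at .6), that 195.17.17.0/29 is the same placeholder block Jon uses, that the existing wireless DMZ clients are covered by a dynamic nat/global pair, and that the interface names are Ethernet0/0 and Ethernet0/2. Per-host statics are used rather than a network static so the ASA's own dmz interface address is not included in the translation:

```cisco
! Added example (pre-8.3 ASA NAT syntax); addresses are placeholders and
! interface names are assumed.
!
! The ISP /29 (195.17.17.0/29) split into two /30s:
!   195.17.17.0/30  outside: ASA .1, ADSL router .2
!   195.17.17.4/30  dmz:     ASA .5, public-IP client .6
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 195.17.17.1 255.255.255.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 195.17.17.5 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 195.17.17.2 1
!
! Dynamic PAT already in place for the rest of the DMZ (the wireless
! clients), assumed present. Anything matching it is translated, so the
! public-IP host needs a more specific rule that is processed first.
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Option 1: identity static NAT. Real and mapped address are the same, so
! packets leave with their own source address. A static is processed before
! the dynamic nat/global pair above, and the ASA proxy-ARPs for the mapped
! address on the outside interface (proxy ARP is on by default).
static (dmz,outside) 195.17.17.6 195.17.17.6 netmask 255.255.255.255
!
! Option 2 (use instead of option 1): NAT exemption. Matching traffic is
! never translated, but no xlate is built and the ASA does not proxy-ARP
! for the /30, so the ADSL router must have a route for 195.17.17.4/30
! pointing at 195.17.17.1.
access-list nonat extended permit ip 195.17.17.4 255.255.255.252 any
nat (dmz) 0 access-list nonat
```

Two checks worth making with either option. First, this is the 8.2-and-earlier syntax; ASA 8.3 replaced static and nat 0 with object-based NAT, so the same intent needs different commands there. Second, if the clients run IPsec, the IKE exchange on UDP 500/4500 builds a stateful connection but the ESP reply traffic does not, so return ESP to the DMZ host must be allowed explicitly, either by enabling ipsec-pass-thru inspection in the policy-map or by permitting esp to the host on the outside access-list.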

Thanks Jon, so I can keep the /29 subnet then? I tried to assign one IP to the outside interface and one to the dmz interface and I got the warning that networks cannot overlap, this is why I took the /29 and made it two /30 instead.

Am I right that the static NAT translates the public IP range from the dmz to the outside interface without changing the IPs? In this case what IP will go on the dmz interface so that the dmz and outside interface do not overlap?

kyle.heath wrote:

Thanks Jon, so I can keep the /29 subnet then? I tried to assign one IP to the outside interface and one to the dmz interface and I got the warning that networks cannot overlap, this is why I took the /29 and made it two /30 instead.

Am I right that the static NAT translates the public IP range from the dmz to the outside interface without changing the IPs? In this case what IP will go on the dmz interface so that the dmz and outside interface do not overlap?

Kyle

Sorry, I didn't get the fact that you were trying to use the same /29 subnet for the outside and the DMZ. Ordinarily the /29 would be applied to the outside interface and then static NAT set up for the DMZ servers, i.e.

static (dmz,outside) 195.17.17.11 192.168.5.10 netmask 255.255.255.255

where 192.168.5.10 is the real IP of the dmz server.

But you want the real public IPs to be assigned to the dmz servers so yes you will have to create 2 /30s to achieve this.

Jon

Thanks Jon. The setup was not my choice but the request of another department, so it was thrust upon me. I have created the two /30 subnets and then assigned the first IP in each to the outside and dmz interfaces; for the dmz client I have made the gateway the dmz interface.

Will this still work if the actual gateway to the ADSL circuit is one address in the /29 that is not part of the dmz /30?

kyle.heath wrote:

Will this still work if the actual gateway to the ADSL circuit is one address in the /29 that is not part of the dmz /30?

Kyle

Do you mean will return traffic get routed back to the DMZ?

That could be a problem if you used a NAT exemption because the traffic for the DMZ subnet needs to be routed to the outside interface of the ASA, so the device upstream from the ASA needs to know that the /30 dmz subnet is no longer local, i.e. if the upstream device thinks it is a /29 it will think the dmz addresses are on its subnet, but they aren't because you have split them up.

If you use static statements as in my previous post and make sure proxy ARP is enabled on the ASA outside interface (which it should be by default) then it should work fine, but you need to test because I have never done that before, i.e. I have used private addressing and NATted to public for a dmz and I have used public addressing on a dmz but the routing was in place for it.

Jon
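The routing fix Jon describes, and the commands to confirm which path return traffic will take, as an added example rather than anything posted in the thread. It assumes the addressing from the earlier example (ASA outside 195.17.17.1, ADSL router 195.17.17.2, dmz /30 195.17.17.4/30 with the client at .6), that the ADSL router runs IOS and is under your control (if the ISP manages it, they need to add the same route), and that 203.0.113.10 is simply a test destination:

```cisco
! Added example, not from the thread. Addresses follow the earlier example;
! 203.0.113.10 is an assumed test destination.
!
! --- On the ADSL router (IOS). If its inside interface still carries the
! whole /29 it believes .4-.6 are on-link and ARPs for them. A static route
! for the dmz /30 via the ASA is more specific than the connected /29, so
! it is preferred, and return traffic no longer depends on the ASA
! answering ARP for the client.
ip route 195.17.17.4 255.255.255.252 195.17.17.1
!
! --- On the ASA. Proxy ARP on outside is on unless this line is present:
!     sysopt noproxyarp outside
show running-config sysopt
!
! The identity static for the client should be listed here.
show running-config static
!
! Trace a flow from the dmz client to an Internet host; the output shows
! the NAT rule matched and whether the packet is allowed out.
packet-tracer input dmz tcp 195.17.17.6 1025 203.0.113.10 443
!
! Once the client has sent traffic, the identity translation appears here.
! With NAT exemption instead of a static there is no xlate and no proxy ARP,
! so the route on the ADSL router above is required, not optional.
show xlate
```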

I thought this might be the case, the /30 for the dmz cannot know about the /29 without some routing.  The dept have asked for public IPs on the clients for VPN purposes and I agree I would normally nat to a private ip in the dmz.

I think I am going to take this up internally as to why this config is required and why they cannot VPN from behind a NAT.

Cheers
