I have just started using an ASA 5510 after Cisco 877 and 1841 routers and have been asked to set up a DMZ that can support multiple computers with routable public IPs. This is for certain clients that must VPN from a public IP and not a NAT IP.
I have got my dynamic NAT working from my inside to outside networks, added a dmz to outside for wireless clients, now all I need to do is get this dmz for public ip clients working.
I will admit at this stage I cannot work out what type of NAT is needed, as I don't want to translate any IPs; I just want to route them through the dmz interface out to the Internet gateway. Does this situation require the NAT exemption rules?
I have an IP assignment of 6 usable IP addresses and I was planning to subnet these into two further blocks of 2 usable addresses, so going from a /29 to two /30 subnets as I understand that I cannot have two interfaces that overlap each other.
I may just be over complicating this due to inexperience with the ASA, all I need to do is allow clients to have a public IP on their laptops and connect this to the ASA DMZ port.
Thanks Jon, so I can keep the /29 subnet then? I tried to assign one IP to the outside interface and one to the dmz interface and I got the warning that networks cannot overlap, this is why I took the /29 and made it two /30 instead.
Am I right that the static NAT translates the public IP range from the dmz to the outside interface without changing the IPs? In this case, what IP will go on the dmz interface so that the dmz and outside interfaces do not overlap?
Sorry, I didn't get the fact that you were trying to use the same /29 subnet for the outside and the DMZ. Ordinarily the /29 would be applied to the outside interface and then static NAT set up for the DMZ servers, i.e.
static (dmz,outside) 188.8.131.52 192.168.5.10 netmask 255.255.255.255
where 192.168.5.10 is the real IP of the dmz server.
But you want the real public IPs to be assigned to the dmz servers, so yes, you will have to create 2 /30s to achieve this.
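The following is an added configuration sketch, not something posted in the thread, showing how the two /30s and the identity static NAT fit together in the pre-8.3 syntax used above. All addresses are constructed from the 203.0.113.0/29 documentation block (ISP gateway .1, ASA outside .2, ASA dmz .5, one public client .6), and the interface names, security levels and ACL name are assumptions.

```cisco
! Added example (constructed addresses, pre-8.3 ASA syntax).
! First /30 (203.0.113.0/30) is the link to the ISP gateway.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Second /30 (203.0.113.4/30) is the public-IP DMZ; clients use .5 as their gateway.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.5 255.255.255.252
!
! Default route points at the ISP gateway in the first /30.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Identity static NAT: the client keeps 203.0.113.6 on the outside.
! This also makes the ASA proxy-ARP for .6 on the outside interface,
! which is what lets the ISP gateway (which still sees one /29) reach it.
static (dmz,outside) 203.0.113.6 203.0.113.6 netmask 255.255.255.255
!
! Restrict what the DMZ may originate; here only the VPN client traffic
! the thread describes (IKE/ISAKMP on UDP 500, NAT-T on UDP 4500, ESP).
access-list dmz_in extended permit udp host 203.0.113.6 any eq isakmp
access-list dmz_in extended permit udp host 203.0.113.6 any eq 4500
access-list dmz_in extended permit esp host 203.0.113.6 any
access-group dmz_in in interface dmz
```

One identity `static` line is needed per public address handed to a DMZ client (the second /30 only has .6 usable once .5 is on the interface). Keeping the dmz ACL down to the VPN protocols the clients actually need is the main control left once the hosts are sitting on routable addresses with no translation in front of them.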