ASA 5505 firewall / edge router double duty?

Unanswered Question

I have an isp that delivers an ethernet hand off with a /30 public subnet.  They also provide a /28 public block for our use.

They recommend;

/30   =>  edge router  =>  /28  =>  firewall  =>  LAN   (using 1 to 1 NAT & 1 to many NAT)

Can we use the ASA 5505 as both the edge router and the firewall?  Where, /30  =>  /28  =>  LAN  all happens in the ASA?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Mon, 06/28/2010 - 16:06


I don't see why you can't do that.

The ASA can handle the Internet connection and provide network services to the internal LAN.

The /30 can be on the outside and /28 on the inside.

The ASA has the restriction that cannot use multiple default gateways, but if you have a single Internet connection, I don't see a problem.


Federico Coto F... Tue, 06/29/2010 - 06:37

You can have the ASA with the /30 on the outside and /28 on the inside.
Then, you can create NAT on the ASA using the /30 and the /28.

Even if the /28 is on the inside, you can create the NAT on the ASA with the correct routes.


Diego Armando C... Tue, 06/29/2010 - 07:05


Steve if you do not want to NAT the /28 Network (INSIDE) you can go ahead and vreate a NET exemption.

Create an ACL

Access-list NONAT per ip (Public /28 Network) any

NAT (inside) 0 access-list NONAT

With this configuration your /28 network will not be nat'ed by the ASA.

I don't know if I understand your problem

You have a public /30  network in your OUTSIDE and a Public /28 in your inside.  Is that right?

Diego Armando C... Tue, 06/29/2010 - 07:08


Are you going to use the /30 network for the comunication with your ISP and the /28 Network for the NATs?

Diego Armando C... Tue, 06/29/2010 - 07:36


Since you are using the same ISP you can go ahead and configure the OUTSIDE with the /30 network and the /28 for the NATs. you will only need to specify One defualt route.

If you need help for the NAT let us know


This Discussion