06-28-2010 03:25 PM - edited 03-11-2019 11:04 AM
I have an isp that delivers an ethernet hand off with a /30 public subnet. They also provide a /28 public block for our use.
They recommend:
/30 => edge router => /28 => firewall => LAN (using 1 to 1 NAT & 1 to many NAT)
Can we use the ASA 5505 as both the edge router and the firewall? Where, /30 => /28 => LAN all happens in the ASA?
06-28-2010 04:06 PM
Hi,
I don't see why you can't do that.
The ASA can handle the Internet connection and provide network services to the internal LAN.
The /30 can be on the outside and /28 on the inside.
The ASA has the restriction that it cannot use multiple default gateways, but if you have a single Internet connection, I don't see a problem.
Federico.
06-29-2010 06:15 AM
If I have the /30 on the outside and the /28 on the inside, how do I get the NATing from the /28 to the LAN accomplished?
06-29-2010 06:37 AM
You can have the ASA with the /30 on the outside and /28 on the inside.
Then, you can create NAT on the ASA using the /30 and the /28.
Even if the /28 is on the inside, you can create the NAT on the ASA with the correct routes.
Federico.
06-29-2010 07:05 AM
Hello.
Steve, if you do not want to NAT the /28 network (INSIDE), you can go ahead and create a NAT exemption.
Create an ACL
access-list NONAT permit ip (Public /28 Network) any
nat (inside) 0 access-list NONAT
With this configuration your /28 network will not be NATed by the ASA.
I don't know if I understand your problem.
You have a public /30 network in your OUTSIDE and a Public /28 in your inside. Is that right?
06-29-2010 07:08 AM
Steve.
Are you going to use the /30 network for the communication with your ISP and the /28 network for the NATs?
06-29-2010 07:13 AM
Diego,
Yes, the /30 is for communication to the ISP. The /28 is our useable block of public IP addresses. The /28 needs to be NATed to the LAN (10.x.y.x/23).
06-29-2010 07:36 AM
Hello,
Since you are using the same ISP, you can go ahead and configure the OUTSIDE with the /30 network and the /28 for the NATs. You will only need to specify one default route.
If you need help with the NAT, let us know.
06-29-2010 07:38 AM
Diego,
Thanks, I do need help with the NAT. I also need a port on the ASA to be on the 10.x.y.z/23 private subnet. Any help you can give on configuration is appreciated.
06-29-2010 07:36 AM
The /30 is used for the ISP's routing and is invisible to users accessing our domain. The ISP routes through the /30 to deliver traffic to the /28 we use for our domain. But I have to terminate our edge equipment to the /30 to get connected to the internet.
06-29-2010 07:43 AM
Send me the current config.