Let DMZ have a public network, static route?

Unanswered Question
Sep 9th, 2010

Hi,


My internet provider provides one /30 network and one /24 network over one link. No VLAN tagging is done by them. I would like not to use PAT and internal IPs on the DMZ, but to let DMZ hosts use IPs in the /24 network. I figure the ASA must know that incoming and outgoing traffic to and from the /24 should be routed to the DMZ. As I have no ASA in front of me now, I wonder if a static route on the outside interface would be sufficient?


ASA primary WAN IP: 1.2.3.4

ASA DMZ interface IP: 5.6.7.1

ASA /24 network that goes to DMZ: 5.6.7.0/24

LAN: 10.10.10.0/24


Would something like this route be sufficient?

ciscoasa(config-if)# route outside 5.6.7.0 255.255.255.0 5.6.7.1

Diego Armando C... Thu, 09/09/2010 - 09:05

You will not need to route directly connected traffic. You only need the default gateway.


If you are going to use the public IPs in your DMZ then you will need to do NO NAT,


i.e.


access-list nonat permit ip 5.6.7.0 255.255.255.0 any

nat (dmz) 0 access-list nonat


That should work for outbound traffic.


For inbound traffic you will need an ACL on your outside interface to permit the traffic.



BTW, you cannot route traffic based on the source, only based on the destination (in the ASA).
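The pieces from the answer put together, as an added example and not configuration posted by either participant: an ASA 8.2-style configuration for the addresses given in the question (pre-8.3 NAT syntax, matching the "nat (dmz) 0 access-list" form above). It assumes the ISP already routes 5.6.7.0/24 to the ASA's outside address; the ISP gateway 1.2.3.5 and the DMZ web server 5.6.7.10 are placeholders, since the thread gives neither.

```cisco
! Added example, not from the original thread (ASA 8.2 NAT syntax).
! Placeholders: 1.2.3.5 = ISP gateway on the /30, 5.6.7.10 = a DMZ server.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 5.6.7.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! 5.6.7.0/24 is directly connected on dmz, so it needs no "route"
! statement; the only route required is the default toward the ISP.
route outside 0.0.0.0 0.0.0.0 1.2.3.5 1
!
! NAT exemption: DMZ hosts keep their public /24 addresses unchanged
! in both directions.
access-list nonat extended permit ip 5.6.7.0 255.255.255.0 any
nat (dmz) 0 access-list nonat
!
! The private LAN still uses PAT behind the outside interface address.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Inbound: traffic from outside (security-level 0) to dmz (50) is
! dropped unless explicitly permitted, so open only the services the
! DMZ hosts actually serve. Because NAT is exempted, the ACL matches
! the real 5.6.7.x addresses; everything else hits the implicit deny.
access-list outside_in extended permit tcp any host 5.6.7.10 eq www
access-list outside_in extended permit tcp any host 5.6.7.10 eq https
access-group outside_in in interface outside
```

Verify with "show xlate" (DMZ flows should show no translation) and "show access-list outside_in" (hit counts on the permitted lines only).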
