10.x.x.x as outside address

jogillis · ‎10-21-2013

We are changing ISPs and the Class C public subnet used for NATing and the outside of our ASA will no longer be used (by us). We actually have 3 Class C subnets for Internet traffic. There is an appliance used as the gateway of ASA's outside interface that does the final NATing according to a policy we create. Now the question, since I am going to be changing the NAT statements and outside interface of our ASA, would it cause any problems to use a 10.x.x.x Class C for these changes? This way if (when) we change ISPs again, I do not have to change the ASA only the policy on the outside appliance.

Jouni Forss · ‎10-21-2013

Hi,

So your are asking if you could use some subnet from the 10.0.0.0/8 network as the link network between your ASAs new WAN interface and the interface of the Router (or other device) in front of the ASA?

I don't think this should be a problem though I would personally prefer always for the ASA to have the public IP addresses directly. The NAT setup should be pretty simple after this on the ASA. I guess depending on if you had VPNs involved before this change they would have a bit different operation as the ASA would now be a device behind a NAT then again you probably wouldnt be using Dynamic PAT for the external IP address of the ASA on the Router in front of it anyway.

- Jouni

Marius Gunnerud · ‎10-22-2013

If you are the administrator of the device connected to the ASA's outside interface then you can configure the ASA to NAT how you want it to and then later on just change the configuration on the outside device to again NAT the addresses that the ASA has NATed to. It is a messy setup and as Jouni has mentioned it would be best to just have the public IP on the ASA.

On the other hand if you are not the administrator of that outside device, your future configurations will greatly depend on the ISP and how flexible they can be to meet your addressing needs.

--
Please remember to select a correct answer and rate helpful posts