I have an ISP that delivers an Ethernet hand-off with a /30 public subnet. They also provide a /28 public block for our use.
/30 => edge router => /28 => firewall => LAN (using 1 to 1 NAT & 1 to many NAT)
Can we use the ASA 5505 as both the edge router and the firewall? Where, /30 => /28 => LAN all happens in the ASA?
I don't see why you can't do that.
The ASA can handle the Internet connection and provide network services to the internal LAN.
The /30 can be on the outside and /28 on the inside.
The ASA has the restriction that it cannot use multiple default gateways, but if you have a single Internet connection, I don't see a problem.
If I have the /30 on the outside and the /28 on the inside, how do I get the NATing from the /28 to the LAN accomplished?
You can have the ASA with the /30 on the outside and /28 on the inside.
Then, you can create NAT on the ASA using the /30 and the /28.
Even if the /28 is on the inside, you can create the NAT on the ASA with the correct routes.
Steve, if you do not want to NAT the /28 network (INSIDE) you can go ahead and create a NAT exemption.
Create an ACL:
access-list NONAT extended permit ip (Public /28 network) (netmask of the /28) any
nat (inside) 0 access-list NONAT
With this configuration your /28 network will not be NATed by the ASA.
I don't know if I understand your problem.
You have a public /30 network on your OUTSIDE and a public /28 on your inside. Is that right?
Are you going to use the /30 network for the communication with your ISP and the /28 network for the NATs?
Yes, the /30 is for communication to the ISP. The /28 is our useable block of public IP addresses. The /28 needs to be NATed to the LAN (10.x.y.x/23).
Since you are using the same ISP you can go ahead and configure the OUTSIDE with the /30 network and the /28 for the NATs. You will only need to specify one default route.
If you need help for the NAT let us know
Thanks, I do need help with the NAT. I also need a port on the ASA to be on the 10.x.y.z/23 private subnet. Any help you can give on configuration is appreciated.
The /30 is used for the ISP's routing and is invisible to users accessing our domain. The ISP routes through the /30 to deliver traffic to the /28 we use for our domain. But I have to terminate our edge equipment on the /30 to get connected to the Internet.
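A worked ASA configuration for the layout Steve describes (the /30 on the outside interface, the /28 used only as NAT addresses, the 10.x.y.z/23 LAN on the inside) is added here as an example; it is not taken from any post in this thread. It uses the pre-8.3 NAT syntax that matches the `nat (inside) 0 access-list` line posted earlier. The addresses are RFC 5737 documentation ranges standing in for the real ones: 203.0.113.0/30 for the ISP link (ISP router .1, ASA .2), 198.51.100.16/28 for the routed public block, and 10.0.0.0/23 for the LAN; the server address and the published port are assumptions.

```cisco
! ASA 5505, pre-8.3 NAT syntax. Example configuration, not from the original thread.
! Only the /30 is configured on an interface. The /28 lives on no interface at all:
! the ISP's static route for 198.51.100.16/28 points at 203.0.113.2, so the ASA
! simply answers for those addresses through its NAT rules.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.254.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! The single default route the earlier replies mention: everything not local goes to the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! One-to-many NAT (PAT): the whole /23 leaves the firewall as one address out of the /28.
global (outside) 1 198.51.100.18
nat (inside) 1 10.0.0.0 255.255.254.0
!
! One-to-one NAT: public 198.51.100.20 maps to an internal web server at 10.0.1.10 (assumed).
static (inside,outside) 198.51.100.20 10.0.1.10 netmask 255.255.255.255
!
! A static alone does not admit inbound traffic; the outside ACL decides what is reachable.
! In pre-8.3 code the ACL references the public (mapped) address. Permit only the service
! actually published (HTTPS assumed here) so the rest of the /28 stays closed.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.20 eq 443
access-group OUTSIDE_IN in interface outside
```

Two points worth checking after applying something like this: `show nat` and `show xlate` should show the /23 translating to 198.51.100.18 and the server to 198.51.100.20, and a scan from outside should answer only on the ports the OUTSIDE_IN list permits. On ASA 8.3 and later the NAT syntax is different (network objects with `nat (inside,outside) static ...` and `dynamic interface`/`dynamic <pool>`, with the outside ACL written against the real inside address rather than the mapped one), so the same design is expressed with different commands there.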