New Member

ASA 5505 firewall / edge router double duty?

I have an isp that delivers an ethernet hand off with a /30 public subnet.  They also provide a /28 public block for our use.

They recommend:

/30   =>  edge router  =>  /28  =>  firewall  =>  LAN   (using 1 to 1 NAT & 1 to many NAT)

Can we use the ASA 5505 as both the edge router and the firewall?  Where, /30  =>  /28  =>  LAN  all happens in the ASA?

10 REPLIES

Re: ASA 5505 firewall / edge router double duty?

Hi,

I don't see why you can't do that.

The ASA can handle the Internet connection and provide network services to the internal LAN.

The /30 can be on the outside and /28 on the inside.

The ASA has the restriction that it cannot use multiple default gateways, but if you have a single Internet connection, I don't see a problem.

Federico.

New Member

Re: ASA 5505 firewall / edge router double duty?

If I have the /30 on the outside and the /28 on the inside, how do I get the NATing from the /28 to the LAN accomplished?

Re: ASA 5505 firewall / edge router double duty?

You can have the ASA with the /30 on the outside and /28 on the inside.
Then, you can create NAT on the ASA using the /30 and the /28.

Even if the /28 is on the inside, you can create the NAT on the ASA with the correct routes.

Federico.

Re: ASA 5505 firewall / edge router double duty?

Hello.

Steve, if you do not want to NAT the /28 network (INSIDE), you can go ahead and create a NAT exemption.

Create an ACL

Access-list NONAT permit ip (Public /28 Network) any

NAT (inside) 0 access-list NONAT

With this configuration your /28 network will not be nat'ed by the ASA.

I don't know if I understand your problem.

You have a public /30  network in your OUTSIDE and a Public /28 in your inside.  Is that right?

Re: ASA 5505 firewall / edge router double duty?

Steve.

Are you going to use the /30 network for the communication with your ISP and the /28 network for the NATs?

New Member

Re: ASA 5505 firewall / edge router double duty?

Diego,

Yes,  the /30 is for communication to the ISP.  The /28 is our useable block of public IP addresses.  The /28 needs to be NATed to the LAN (10.x.y.x/23).

Re: ASA 5505 firewall / edge router double duty?

Hello,

Since you are using the same ISP, you can go ahead and configure the OUTSIDE with the /30 network and the /28 for the NATs. You will only need to specify one default route.

If you need help with the NAT, let us know.
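The layout described in the reply above, written out as an added example that is not part of the original thread and not any poster's configuration. It assumes the pre-8.3 NAT syntax used elsewhere in this thread; every address is a constructed placeholder (192.0.2.0/30 for the ISP link, 198.51.100.0/28 for the routed public block, 10.10.0.0/23 for the LAN), as are the ACL name and the published host.

```text
! Constructed example: ASA 5505 as both edge device and firewall (pre-8.3 syntax).
! Outside carries the ISP /30; the /28 is not on any interface, it is used only for NAT.
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.254.0
!
! Port facing the ISP hand-off goes in the outside VLAN.
interface Ethernet0/0
 switchport access vlan 2
!
! Single default route toward the ISP side of the /30.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! One-to-many: the whole LAN is PATed to one address from the /28.
global (outside) 1 198.51.100.1
nat (inside) 1 10.10.0.0 255.255.254.0
!
! One-to-one: a single inside server is published on its own /28 address.
static (inside,outside) 198.51.100.2 10.10.0.10 netmask 255.255.255.255
!
! With no upstream router, this ACL is the only inbound filter.
! Permit only the published service; everything else hits the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.2 eq 443
access-group OUTSIDE_IN in interface outside
```

This works only if the ISP routes the /28 to the ASA's outside address on the /30. After applying it, `show xlate` and `show access-list OUTSIDE_IN` confirm which translations exist and which inbound entries are actually being hit.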

New Member

Re: ASA 5505 firewall / edge router double duty?

Diego,

Thanks, I do need help with the NAT.  I also need a port on the ASA to be on the 10.x.y.z/23 private subnet.  Any help you can give on configuration is appreciated.

New Member

Re: ASA 5505 firewall / edge router double duty?

The /30 is used for the ISP's routing and is invisible to users accessing our domain.  The ISP routes through the /30 to deliver traffic to the /28 we use for our domain.  But I have to terminate our edge equipment to the /30 to get connected to the internet.

Re: ASA 5505 firewall / edge router double duty?

Send me the current config.
