For your first question, I am not sure which line you are referring to that states that you need to configure the ASA as the default gateway. Here is an excerpt from the document:
"Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway."
So, the router will be the default gateway and you need to specify an IP for the ASA in the same subnet as the router and the clients so you can manage it. If you want to manage it via the management interface (out-of-band option), then you do not need to worry about it.
For your second question, if you have all hosts on the same VLAN and have different IP subnets (flat network with multiple subnets within the same VLAN), and you are using secondary IPs on the router, then you do not need to make any changes. The firewall will just forward the traffic. But if you have multiple internal VLANs, then either you need to configure multiple contexts or you need to configure a routed solution between the inside switch and the router.
- Any host from the outside or from the inside can connect to the HTTP port on any server.
- But a host on the inside can't open a port (e.g. 25) on a machine on the same interface; that doesn't work. It's the correct behaviour, because the IP packets use the gateway above the outside interface to return to a host on the inside interface, and the firewall blocks each port not authorized by an ACL.
To solve this issue, I have added an ACL to permit TCP/UDP ports:
access-list Acl_Outside extended permit tcp 100.100.100.0 255.255.255.0 any
access-list Acl_Outside extended permit udp 100.100.100.0 255.255.255.0 any
- Is this the only/best way to permit traffic on the inside interface? I have 10 subnets; I don't think it's a rigorous config.
- In transparent mode, are route inside/route outside mandatory?
The reason the packets are going across the firewall could be because the router is doing proxy-arp for the server IP. Can you disable proxy-arp on the router interface?
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 100.100.100.1 255.255.255.0
 no ip proxy-arp
If you have multiple such subnets, you can go for multiple contexts and configure each context in transparent mode. Since the router will be taking care of the routing between subnets, you need to allow traffic to your servers exclusively through the access-lists (sourced from other subnets to your internal servers on a different VLAN).
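As an added illustration of the "allow exclusively through the access-lists" advice above (example configuration written for this thread, not taken from the original posts or from Cisco documentation): instead of the poster's `permit tcp 100.100.100.0 255.255.255.0 any`, which opens every TCP and UDP port on every host in the subnet, the outside ACL permits only the services that actually need to be reached and logs everything else. The server addresses, object names and ports are placeholders, and the `object network` syntax assumes ASA 8.3 or later; the transparent-mode interface and management configuration is left out because it depends on the ASA version.

```cisco
! Hypothetical ASA transparent-mode ACL (example for this thread, not the poster's config)
! Host objects for the servers that must be reachable from the other subnets
object network SRV_WEB
 host 100.100.100.10
object network SRV_MAIL
 host 100.100.100.20
!
! Permit only the required services toward the named servers
access-list Acl_Outside extended permit tcp any object SRV_WEB eq 80
access-list Acl_Outside extended permit tcp any object SRV_WEB eq 443
access-list Acl_Outside extended permit tcp any object SRV_MAIL eq 25
! Explicit catch-all deny with logging, so blocked attempts show up in syslog
access-list Acl_Outside extended deny ip any any log
!
! Apply the ACL inbound on the outside interface, where the routed
! (hairpinned) traffic from the router re-enters the firewall
access-group Acl_Outside in interface outside
```

Each additional subnet gets its own objects and permit lines (or a dedicated context, as suggested above); the closing `deny ip any any log` line is what makes the hit counts and syslog messages useful for spotting traffic that was wrongly assumed to be allowed.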