ASA outside interface - Public or Private IP address to ISP router?

rays
Level 1

Hello, I am just wondering what the best practice is for assigning an IP address to the outside interface of an ASA. If you have a /28 public address space, can you use private IP addresses between the ISP router and the ASA outside interface and simply have the ISP router route to the /28 via the ASA outside private IP, rather than using up valuable addresses from the public address space?

Is this supported and is there any downside to doing this?

Many thanks

Rays

Accepted Solution

There really is no best practice for assigning IP addresses to the outside interface of an ASA, or a router for that matter. But a common practice is that either the first two IPs or the last two IPs in the allocated subnet are used between the ISP and the client. The best practice part comes when configuring access restrictions to your network.

As for having private IPs between your ASA and the ISP, that really depends on whether your ISP is willing to do this. Unless you are connecting into an MPLS network, this is not a common practice. But having said that, it is possible. You will then need to be very careful when configuring NAT statements and make sure that you always NAT to the public IP and NOT the interface IP of the ASA for internet traffic. The routing will be fine so long as your private IPs are translated. Public IPs that enter your network will not have any issues when it comes to routing.

Whether this type of setup is supported by Cisco, I do not know. You would need to talk to someone at Cisco to get the answer to that, but I would imagine that it is supported (don't take my word for it though).

The downside is that you will need to make sure that your ISP is routing the public IPs to your ASA outside interface. When things stop working, it can become very difficult to troubleshoot. I would not recommend using this setup if you can avoid doing so.

--

Please remember to select a correct answer and rate helpful posts


7 Replies

david-swope
Level 1

It really depends (everything pretty much always "depends") on your design. How is your network laid out, specifically the edge?

One way would be to use an "External" switch, a simple L2 switch, and assign it an IP in the public range. Take your carrier's L2 connection and plug it into an access port on the switch. Configure a public IP on the outside interface of the ASA and plug it into this switch.

This is very common as it's not a best practice to plug anything like that directly into your Core.

As far as assigning a private address to the outside, I don't quite follow that. How is the Internet being served? Via an L2 drop like above, or via MPLS where you are across the WAN from, say, the main site that has the Internet connection?


Thanks to everyone for all the answers. I guess there is no right or wrong answer, but Marius, I think your thoughts on troubleshooting are the areas I was missing when I was thinking about it, and that makes sense to me now.

The internet service I will have is dual ISP routers in an HSRP pair; again, based on the answers, I guess I would need to give up 3x of my public addresses for HSRP?

One final question, if I decide to terminate my VPN on the ASA does this drive the requirement for a public address on the ASA outside interface?

Again thanks for the responses.

Rays

The internet service I will have is dual ISP routers in an HSRP pair; again, based on the answers, I guess I would need to give up 3x of my public addresses for HSRP?

If your ISP is setting up HSRP then the ISP will require 3 public IPs and your ASA will require 1. So, effectively 4 public IPs will be used for connectivity.

One final question, if I decide to terminate my VPN on the ASA does this drive the requirement for a public address on the ASA outside interface?

To terminate a VPN on the ASA, the ingress interface of the VPN (usually the outside interface) will need to be reachable by the remote VPN site and/or RA VPN client. This is most commonly done by having a public IP on the outside interface of the ASA, but it is possible to do it with a private IP on the ASA outside interface.

To do this, your ISP would need to NAT a public IP to the private IP of your ASA.


Hi Ray,

If you have a private IP address on the outside interface, it cannot be used as a peer IP address when it comes through the internet link, unless you have the equivalent public IP address NATed to the private IP address of the ASA. Normally these kinds of scenarios are used when you have multiple firewalls on the LAN segment and you want to terminate the VPN on the LAN FW. So here you need to take a static NAT of the private IP to the public IP peer address, and the internet FW will just act as NAT / pass-through and the LAN FW will be doing the VPN.

 

Regards

Karthik

nkarthikeyan
Level 7

Hi,

 

If you want to use your router to do NAT/PAT for your internal segment, then you can use a private IP address on the outside interface. But if you want your ASA to do NAT/PAT for your internal LAN, then the ASA should be configured with a public IP. In this case you are going to give a single IP to the ISP router; all the remaining IPs you can use for your connections: NAT/PAT/port-forwarding, etc.

 

 

Regards

Karthik

Theoretically, the ASA does not need to be configured with the public IPs. Those IPs just need to be routed to the ASA, and the ASA needs to have NAT statements for them. This will work.

However, whether it is a good idea to do this is another thing. As I mentioned, it will make troubleshooting much harder than it has to be.

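A worked configuration of the arrangement Marius describes in the accepted solution and restates above (private link between ISP router and ASA outside, public /28 routed by the ISP to the ASA's private address), added here as an illustration and not posted by anyone in the thread. All addresses are constructed (an RFC 1918 /30 for the link, the RFC 5737 203.0.113.0/28 block standing in for the customer's public space, 198.51.100.10 for an internet host) and the object names are my own.

```cisco
! ISP router (constructed): /30 link net to the ASA, public /28 routed to it
interface GigabitEthernet0/1
 description Link to customer ASA
 ip address 192.168.255.1 255.255.255.252
!
ip route 203.0.113.0 255.255.255.240 192.168.255.2
!
! ASA (constructed): private link IP on outside, default route to the ISP
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
!
object network INSIDE_LAN
 subnet 10.1.0.0 255.255.0.0
object network PUBLIC_PAT
 host 203.0.113.5
object network WEB_SRV_PUBLIC
 host 203.0.113.6
!
! WRONG in this design: PAT to "interface" sources internet-bound traffic
! from 192.168.255.2, an RFC 1918 address with no return path from the internet.
!   nat (inside,outside) source dynamic INSIDE_LAN interface
!
! RIGHT: always translate to an address inside the /28 the ISP routes here.
nat (inside,outside) source dynamic INSIDE_LAN PUBLIC_PAT
!
! Inbound static NAT also uses a /28 address. The ISP route delivers
! 203.0.113.6 to the ASA, which untranslates it via this rule; no proxy ARP
! is involved because the /28 is routed to the ASA, not on-link.
object network WEB_SRV_PRIVATE
 host 10.1.10.20
 nat (inside,outside) static WEB_SRV_PUBLIC
!
! Checks: confirm the translated source is 203.0.113.5, not the link IP,
! and that the static rule records hits for inbound connections.
!   packet-tracer input inside tcp 10.1.10.20 40000 198.51.100.10 443
!   show nat detail
!   show xlate
! If translations build but nothing comes back, verify the ISP's route for
! 203.0.113.0/28 first: that dependency is the troubleshooting cost Marius notes.
```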