I just wanted to know a basic answer I guess... does the ASA5510 only act as a routing device or can I deploy it within a network already having a router as a gateway?
I already have a network set up with around 100 hosts (out of 254). I have to deploy the firewall in front of 6 hosts within it. Can I just assign IP addresses to its external and internal interfaces from within that network and connect those hosts to its internal interface?
Or do I have to set it up as a gateway for those hosts?
I have 6 hosts on a network, 31.8 - 31.13, and I want these hosts to be behind the ASA5510. Is it possible to connect the external interface of the ASA5510 to the switch and then the 6 hosts to its internal interface? The other hosts would remain connected to the switch.
So the ASA just acts as a bridge, I guess. If I address its external interface as 31.6 and the internal interface as 31.7, and connect the required hosts through a hub to 31.7, will the firewall serve the purpose this way?
OK, we have around 200 servers on the network 31.0 - 31.255 at the DC. One of our clients, who has 6 servers there, needs his servers to be secured by an ASA5510 with ACLs and crypto tunnels. I have configured the firewall, but I was looking for a way to deploy the firewall in front of those servers without actually changing the IP addresses of the servers.
Being technically aware that I should create a /29 subnet for the 6 servers and then deploy the firewall as their gateway, I was looking for a workaround, as the guys at the data center will not put effort into subnetting and I cannot do it remotely.
You really should make changes to the infrastructure when adding a firewall; it doesn't matter whether it is a PIX, Microsoft ISA, etc. What you want to achieve is a Demilitarized Zone (DMZ) for these 6 servers to sit in. But you cannot assign IP addresses from the same network to two different interfaces. Each interface should be in a different network.
Besides, as you know, a host does not need to pass through a gateway if the destination host is in the same network, so the firewall would not function in this case.
A scruffy workaround is adding another PIX or router, creating a network in between, and then creating one-to-one NATs, like this:

    DMZ (6 servers) ---- ASA ---- CO-NETWORK ---- router ---- REAL NETWORK
The CO-network will be invisible to both the real network and the DMZ. The ASA's outside interface is directly connected to the router's inside interface, and the router's outside interface is connected to the real network.
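As an added illustration of the double one-to-one NAT described in the reply above (this is example configuration written for this page, not the reply's or Cisco's own config), the following ASA 8.3+ and IOS fragments stand the six servers up behind the ASA without renumbering them. Every address is an assumption: the DC /24 is taken to be 203.0.113.0/24 (so the six servers are 203.0.113.8 - .13), the CO-network between the ASA and the router is 10.99.0.0/28, the ASA's outside address is 10.99.0.2, the router's inside address is 10.99.0.1 and its real-network address is 203.0.113.6. Interface names and the object names srv-8 / srv-13 are likewise made up for the example.

```cisco
! ===== ASA 5510 (8.3+ NAT syntax) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.99.0.2 255.255.255.240      ! CO-network, faces the router
!
interface Ethernet0/1
 nameif dmz
 security-level 100
 ip address 203.0.113.7 255.255.255.0      ! DMZ; servers keep 203.0.113.8-13
!
route outside 0.0.0.0 0.0.0.0 10.99.0.1    ! everything leaves via the router
!
! One object NAT rule per server: DMZ address <-> CO-network address.
! The ASA answers ARP for 10.99.0.8-13 on the outside interface itself.
object network srv-8
 host 203.0.113.8
 nat (dmz,outside) static 10.99.0.8
! ... repeat for 203.0.113.9-12 -> 10.99.0.9-12 ...
object network srv-13
 host 203.0.113.13
 nat (dmz,outside) static 10.99.0.13
!
! outside has security-level 0, so nothing reaches the DMZ without an ACL.
! Write the ACL against the real (DMZ) addresses, as 8.3+ expects.
access-list OUTSIDE_IN extended permit tcp any object srv-8 eq 443
access-list OUTSIDE_IN extended permit tcp any object srv-13 eq 443
access-group OUTSIDE_IN in interface outside

! ===== IOS router between the CO-network and the real network =====
interface GigabitEthernet0/0
 description REAL NETWORK (DC /24)
 ip address 203.0.113.6 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description CO-NETWORK (transit to the ASA)
 ip address 10.99.0.1 255.255.255.240
 ip nat inside
!
! Second one-to-one NAT: CO-network address <-> the server's original address.
! IOS installs an ARP alias for each inside-global address that falls in the
! connected subnet, so the router answers ARP for 203.0.113.8-13 on the
! real network in place of the servers that used to sit there.
ip nat inside source static 10.99.0.8  203.0.113.8
! ... repeat for 10.99.0.9-12 -> 203.0.113.9-12 ...
ip nat inside source static 10.99.0.13 203.0.113.13
```

Two checks before relying on this. First, confirm on the router that `show ip nat translations` lists the six static entries and that a host on the real network resolves 203.0.113.8 to the router's MAC, not to a stale entry for the old server port. Second, note what the trick does not cover: the servers still carry a /24 mask, so for any destination inside 203.0.113.0/24 they will ARP on the DMZ segment instead of sending to the ASA, which is exactly the same-subnet problem the reply points out. Traffic from the real network to the six servers, and from the servers to anything outside the /24 (via the ASA's default route), works; server-initiated traffic to the other hosts in the /24 does not until the DMZ gets its own subnet.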