Cisco Support Community
New Member

ASA WAN/30 LAN/28 from ISP

I have a site where an ISP installed ethernet over copper and they have provided a WAN address with a /30 mask (e.g. X.X.X.2/32) and 8 public LAN addresses (e.g. Y.Y.Y.1/28). There is an ASA5505 installed with the outside interface currently using the WAN pt-2-pt address (X.X.X.2/32).

We have run into limitations using PAT with the outside interface and now need to use the additional public LAN addresses provided by the ISP for public facing servers.

The firewall has an inside interface 10.1.10.0/24

There will be a DMZ 172.16.0.0/24 (static translations will be from 172.16.0.0 to the public LAN addresses (Y.Y.Y.1/28)).

There is an outside interface (currently using the WAN address X.X.X.2/32)

Is there a way the ASA5505 can accomplish this without a front-end router (e.g. using subinterfaces on the outside e0/0 interface for both the X.X.X.2/32 and the Y.Y.Y.1/28 network) or do I need to get a router to put in front of the firewall to handle the routing between the two public networks?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Blue

Re: ASA WAN/30 LAN/28 from ISP

Gary

You don't need a front end router. As long as the ISP is routing the /28 network to the outside of your ASA, and they should be, then all you need to do is add static statements on your ASA device, plus allow access with ACLs obviously.

So

static (dmz,outside) y.y.y.1 172.16.0.10 netmask 255.255.255.255

will allow clients on the internet to access y.y.y.1 and this will be directed to the dmz server 172.16.0.10.

Jon

Hall of Fame Super Gold

Re: ASA WAN/30 LAN/28 from ISP

Gary

If I am understanding your explanation you are currently doing translation with overload on the outside address. And now you want to use the additional set of addresses provided by the ISP for public facing servers. The ASA can certainly do this and it does not require any additional router.

What you want to do is to configure a set of static translations to assign various addresses in the y.y.y block to various servers in the 172.16.0 DMZ. It might look something like this:

static (DMZ,outside) y.y.y.1 172.16.0.n netmask 255.255.255.255

I have configured translations like this and they work well. They use the second address block effectively even though the second address block does not appear on any interface. One thing to understand about this is that when the static translation is configured like this then the ASA will respond to ARP requests or forward packets to these addresses even when they are not assigned on an interface.

HTH

Rick

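A fuller configuration along the lines Jon and Rick describe, added here as an example; it is not taken from the thread or from Cisco documentation. It assumes an ASA running software before 8.3 (the `static` syntax used in the replies, where ACLs match the translated public address), a DMZ on Vlan3 under a license that permits a third VLAN, and uses X.X.X.x and Y.Y.Y.x as placeholders for the ISP's /30 and /28 blocks; the DMZ server addresses and published services are constructed for illustration.

```cisco
! Added example, not from the thread. ASA 5505, software before 8.3.
! X.X.X.x = ISP /30 WAN block, Y.Y.Y.x = ISP /28 public block (placeholders).
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.2 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Default route toward the ISP side of the /30.
route outside 0.0.0.0 0.0.0.0 X.X.X.1
!
! Existing overload (PAT) for inside and DMZ hosts stays on the outside
! interface address; it is not affected by the new statics.
global (outside) 1 interface
nat (inside) 1 10.1.10.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
!
! One-to-one static translations from the /28 block to DMZ servers.
! The /28 is never assigned to an interface: the ISP routes it to X.X.X.2
! and the static entries make the ASA answer ARP (proxy ARP) for these
! addresses and forward the traffic to the DMZ. Constructed server
! addresses (.10 web, .11 mail).
static (dmz,outside) Y.Y.Y.2 172.16.0.10 netmask 255.255.255.255
static (dmz,outside) Y.Y.Y.3 172.16.0.11 netmask 255.255.255.255
!
! Inbound policy: only the published services, by public address
! (pre-8.3 ACLs reference the mapped address). Everything else is
! denied and logged so unexpected hits on the /28 show up in syslog.
access-list outside_in extended permit tcp any host Y.Y.Y.2 eq www
access-list outside_in extended permit tcp any host Y.Y.Y.2 eq https
access-list outside_in extended permit tcp any host Y.Y.Y.3 eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! DMZ hosts should not be able to open sessions into the inside network.
access-list dmz_in extended deny ip 172.16.0.0 255.255.255.0 10.1.10.0 255.255.255.0 log
access-list dmz_in extended permit ip 172.16.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After applying this, `show xlate` lists the two static translations, and `packet-tracer input outside tcp 203.0.113.5 40000 Y.Y.Y.2 80` walks a test packet through the route lookup, the static NAT and the `outside_in` ACL so you can confirm that only the permitted services reach the DMZ before the ISP starts sending real traffic. On ASA 8.3 and later the same design is written as object NAT (`object network` with `nat (dmz,outside) static Y.Y.Y.2`) and the inbound ACL then matches the real 172.16.0.x address rather than the public one.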
3 REPLIES
New Member

Re: ASA WAN/30 LAN/28 from ISP

Jon and Rick,

Thank you very much - it's nice to see there is an easy-to-implement solution.

Thank you very much!

-Gary

344 Views, 0 Helpful, 3 Replies