
ASA with an extra public subnet

Hi,

Need some help/guidelines…

I got an extra public subnet from my ISP. They route it to my firewall's public IP so I can use it in the existing firewall.

I want to:
-Use public IP addresses on the servers on the new interface (have a few servers that cannot use NAT)
-Source address from the servers should be the server's public IP, not the firewall PAT.
-Allow all interfaces (with private addresses) with higher security level to access the new interface

When I place a server on the new interface it works for accessing the Internet. My first problem was that the source address when going to the Internet was my firewall's PAT address.
Fixed that with the command:

nat (DMZ2, Outside) 1 source static any any

First question is if that is the correct way to do it?

Next problem is that I can't access the server from my other internal interfaces (with higher security level). The interfaces use private addresses, so I have tried to set up a NAT rule, with no success, for example:

nat (Inside, DMZ2) 2 source dynamic any interface

I have an ASA 5512-X and use the latest software.

Thanks for any advice.

1 ACCEPTED SOLUTION

Re: ASA with an extra public subnet

Hi,

So I assume that you want to use the extra public subnet on the actual devices behind a new ASA interface?

In this case you naturally configure one address from that subnet on the ASA interface directly and the rest can be used for the actual servers.

The NAT should not really be a problem either. If you have specified the NAT rules correctly by referencing the actual source/destination interfaces in the NAT configuration and also the correct source networks, then you would NOT really need ANY NAT configuration for this new interface and its public subnet.

On the other hand, if you have used the "any" parameter both for the interface and when specifying the source networks, then you are naturally in a different situation.

I wouldn't suggest using the format you use above. If your public subnet was 1.1.1.0/28, for example, I would configure:

object network PUBLIC-SUBNET
 subnet 1.1.1.0 255.255.255.240

nat (DMZ2,Outside) source static PUBLIC-SUBNET PUBLIC-SUBNET

There should be no problem contacting this network through the other interfaces either, and this traffic between the interfaces should not require any extra NAT configuration either. I wouldn't configure dynamic PAT between local interfaces. It just creates needless complexity in the NAT configuration.

You talk about "security-level" in your post. For a "security-level" to have any meaning in controlling traffic would mean that you don't have any interface ACLs configured. If you don't have ACLs configured on your interfaces, then naturally the security level of interface DMZ2 must be lower than that of the interfaces which connect to the DMZ2 networks.

If you DO have ACLs configured on your interfaces, then you should allow the traffic to the new DMZ network in those interface ACLs.

If you need to test what the ASA would do to the traffic/packets going from existing networks to the new DMZ network, then you could use the "packet-tracer" command to simulate that traffic and find possible problems with the configuration.

- Jouni
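Putting the accepted answer together, here is the complete configuration for the scenario in this thread as an added example. It is not taken from either post; it reuses the interface names from the question (Inside, DMZ2, Outside) and the 1.1.1.0/28 subnet from the answer, and assumes GigabitEthernet0/2 for the new interface, security levels 100/50/0, an inside network of 10.0.0.0/24, a web server at 1.1.1.10, ACL names INSIDE-IN and OUTSIDE-IN, and ASA 8.3-or-later NAT syntax. All of those values are illustrative.

```cisco
! Added example configuration, not from the original post. Assumed values:
! GigabitEthernet0/2 for DMZ2, security levels Inside=100 DMZ2=50 Outside=0,
! inside LAN 10.0.0.0/24, web server 1.1.1.10, ACL names INSIDE-IN/OUTSIDE-IN.

! The ISP routes 1.1.1.0/28 to the Outside address, so the ASA only needs the
! subnet to be directly connected: first usable address on the DMZ2 interface.
interface GigabitEthernet0/2
 nameif DMZ2
 security-level 50
 ip address 1.1.1.1 255.255.255.240
 no shutdown

object network PUBLIC-SUBNET
 subnet 1.1.1.0 255.255.255.240

! Form used in the question (kept as a comment only, do not configure):
!   nat (DMZ2,Outside) 1 source static any any
! "any any" works but overlaps every other rule for this interface pair.

! Identity NAT scoped to the real subnet so DMZ2 hosts keep their own public
! address. Position 1 puts it ahead of any broad dynamic PAT such as
! "nat (any,Outside) source dynamic any interface" that may already exist;
! if no such broad rule exists, this line is not needed at all.
nat (DMZ2,Outside) 1 source static PUBLIC-SUBNET PUBLIC-SUBNET

! Deliberately NO "nat (Inside,DMZ2) source dynamic any interface": Inside
! (100) to DMZ2 (50) is permitted by security level, and the private inside
! addresses are directly routable by the ASA towards DMZ2.

! Only needed if Inside already has an inbound ACL applied; otherwise skip.
access-list INSIDE-IN extended permit ip 10.0.0.0 255.255.255.0 object PUBLIC-SUBNET
access-group INSIDE-IN in interface Inside

! Inbound from the Internet to one DMZ2 server, public address, no NAT.
object network DMZ2-WEB
 host 1.1.1.10
access-list OUTSIDE-IN extended permit tcp any object DMZ2-WEB eq 443
access-group OUTSIDE-IN in interface Outside

! Verification from privileged EXEC (not configuration mode):
! Inside client to the new DMZ2 server; expect Action: allow and no
! NAT phase rewriting the source.
!   packet-tracer input Inside tcp 10.0.0.50 1025 1.1.1.10 443
! DMZ2 server to the Internet; expect the NAT phase to hit the
! PUBLIC-SUBNET identity rule, not the interface PAT.
!   packet-tracer input DMZ2 tcp 1.1.1.10 1025 203.0.113.53 53
! Internet client to the DMZ2 web server; expect Action: allow via OUTSIDE-IN.
!   packet-tracer input Outside tcp 203.0.113.7 40000 1.1.1.10 443
!   show nat detail
!   show xlate
```

The two things to check after applying this are that `show nat detail` lists the identity rule before any dynamic PAT for DMZ2 to Outside (twice-NAT rules in section 1 are matched in order, so a broad PAT listed first would still win), and that the DMZ2 to Internet trace does not show the Outside interface address as the translated source. If the existing dynamic PAT was written as auto-NAT on an object (`object network ... nat (Inside,Outside) dynamic interface`) rather than with `any`, it cannot match DMZ2 sources and the identity rule is redundant, which is the point the answer makes.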

Re: ASA with an extra public subnet

Thank you Jouni,

That solved my problem.
