We have a client who has just got the BT business fibre that provides 5 usable static IP addresses, often referred to as "NO NAT 5". We are familiar with setting up the BT business connections with a PPPoE config on the outside interface connected directly to the BT Modem but where only one static IP address is used. However, this No NAT 5 product is a little more tricky. They assign a 255.255.255.248 mask giving the standard 8 addresses; of the 6 host addresses, one is used on the ASA inside interface with NO NAT. The outside interface of the ASA gets a dynamic IP address from BT using DHCP which changes periodically, so in effect BT host the public addresses then send all traffic to the DHCP address assigned to the connection. My question is simply: does anyone have a sample config showing how to configure the inside interfaces to route the various public IP addresses? For example, our client has a web server which needs a NO NAT set up with the public IP address on the inside. They also have a LAN scope of 172.16.0.0/24 which is running NAT but uses one of the public IP addresses to access things like RDP to their server with port redirection. Any suggestions and help with the config greatly appreciated.
Instead of using one of the addresses on the ASA inside interface, I would just use all the addresses to configure NAT for your server. That means you don't have to physically configure the server with the public IP, and you are not wasting an extra public IP on the ASA inside interface.
Sorry for the delay getting back on this one. The only reason we were looking at using one of the public addresses on the inside is because BT provide one address for the router or firewall, which then leaves 5 public IP addresses. The outside interface always gets a dynamic address via the DHCP setup; there is no other way according to BT. This client wants a number of devices and networks on the inside, which is why they got the No NAT 5 product. We have suggested a single address and then redirect ports, but they insist on doing it this way. We wanted to avoid NAT on the web server, but other inside networks can run NAT. Any thoughts on how the config might look?
Yes, that's correct: BT assign a dynamic address to the outside interface obtained via DHCP and then route all traffic from the public IP address range to the dynamic address they have assigned. They call this dynamic peering. We have been looking at static routes for each public IP address and possible VLANs to handle each subnet behind the public address. It would seem that the IP address from the public range is in fact only needed on the BT router, so we think that 6 addresses are available. If this is correct then we can just set up standard config to route the public address back to the inside. Unfortunately we have 4 connections in our Lab of different specifications, but not one of these products, and we want to make sure this all works before going on site.
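A sketch of the layout discussed in this thread, added here as an illustration and not posted by anyone in the thread or taken from BT or Cisco documentation: DHCP on the outside, the routed /29 on its own un-NATed segment for the web server, and the 172.16.0.0/24 LAN behind PAT with an RDP port redirection. It assumes ASA 8.3 or later NAT syntax; 203.0.113.8/29 is a documentation-range placeholder for the BT block, and the interface names, host addresses and the admin source address are all hypothetical.

```cisco
! Constructed example. 203.0.113.8/29 stands in for the BT-routed block;
! interface names and host addresses are assumptions, not from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif public
 security-level 50
 ip address 203.0.113.9 255.255.255.248
!
! The web server sits on the "public" segment with 203.0.113.10 on its own
! NIC. No NAT rule matches it, so the ASA routes it untranslated.
object network WEB-SERVER
 host 203.0.113.10
!
! The LAN is hidden behind one address from the block (dynamic PAT).
object network LAN
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.11
!
! RDP port redirection to one LAN server on that same public address.
object network RDP-SERVER
 host 172.16.0.10
 nat (inside,outside) static 203.0.113.11 service tcp 3389 3389
!
! Inbound policy: web ports to the web server only, and RDP only from a
! known admin source (placeholder address) rather than from any.
object network ADMIN-SOURCE
 host 198.51.100.25
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq https
access-list OUTSIDE-IN extended permit tcp object ADMIN-SOURCE object RDP-SERVER eq 3389
access-group OUTSIDE-IN in interface outside
```

Because the access list is evaluated against real (post-untranslate) addresses in 8.3 and later, the RDP entry names 172.16.0.10 rather than the public address.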