Can I use public IPs on an ASA DMZ or does it have to be NATted

My ISP supplies a single x.x.x.x public IP address for my WAN interface and also routes a small public IP subnet to it so I can have a range of IPs to use.

On an ASA 5505 Can I have both a private LAN (10.x.x.x) and my public range set up on a DMZ? Or do the DMZ addresses have to be private also and NATted to the public WAN interface?

Accepted Solutions
Hall of Fame Super Blue

Re: Can I use public IPs on an ASA DMZ or does it have to be NAT

Thomas

It is your choice. As long as the ISP routes the public IP subnet to your outside interface of the ASA and as long as the address on the outside interface of the ASA is not out of the same subnet then yes you can use that public addressing for servers on your DMZ.

Personally, I would recommend against it and use private addressing for your DMZ servers and NAT them to public IP addresses. Reason being if you ever change ISP or need more public IP addressing it is easier to make changes on the firewall rather than potentially having to readdress the physical servers.

But you may have good reasons for using the public addressing on the servers and although NAT works with most applications it doesn't work with all of them.

Jon
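
The two layouts described in the answer above, as an added configuration sketch that is not part of the original thread. It assumes ASA software 8.3 or later (object NAT syntax); the VLAN numbers, interface names, ACL and object names are hypothetical, and all addresses are constructed from documentation ranges (198.51.100.0/30 standing in for the WAN link, 203.0.113.0/29 for the ISP-routed subnet).

```text
! Common to both options (constructed addresses)
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! Private inside LAN is PATed to the outside interface address
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ---- Option A: routed public subnet lives on the DMZ, no NAT ----
! Works because 203.0.113.0/29 is a different subnet from the outside
! interface and the ISP routes it to 198.51.100.2.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.248
! Servers carry public addresses; permit only the services you publish
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.2 eq 443
access-group OUTSIDE-IN in interface outside

! ---- Option B (alternative to A): private DMZ with static NAT ----
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
object network DMZ-WEB
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.2
! From 8.3 on, the ACL references the real (private) server address
access-list OUTSIDE-IN extended permit tcp any host 192.168.50.10 eq 443
access-group OUTSIDE-IN in interface outside
```

With option B, a change of ISP or public range only touches the `nat ... static` line on the firewall; with option A the servers themselves have to be readdressed.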

New Member

Re: Can I use public IPs on an ASA DMZ or does it have to be NAT

Thanks for your reply.

I asked the question mainly because I'm going to be replacing an old aging 26xx-series router with an ASA and wanted to make sure our existing public IP-ed DMZ would continue to work.
