Appreciate any help you can give here. I have a Cisco ASA that I am trying to configure in a unique way; I want it to perform a variety of tasks:
Firewall Inside to Outside and vice versa
But the difficult task is creating a DMZ with devices that are assigned fully routed IP addresses from our ISP directly; these are H.323 and SIP devices that cannot use NAT and must have a fully routed IP address assigned to them.
Obviously the problem I have with the firewall in its default routed mode is that it won't allow me to overlap IP addresses on the outside interface with the DMZ interface.
Could the Firewall be configured for Transparent mode between Outside and DMZ, but Routed mode between Outside and Inside?
Eth0/0: 10.0.0.0/24 (inside)
Eth0/1: 184.108.40.206/24 (dmz)
Eth0/2: 220.127.116.11/24 (outside)
Or can anyone else think of a way around this? I understand this is possible with 2 firewalls:
ISP Router ---> [Firewall 1 in Transparent Mode] ---> Effective DMZ ---> [Firewall 2 in Routed Mode] ---> LAN
But could the new Cisco ASA with the latest firmware and model be able to do this with 1 physical firewall?
AFAIK no, you cannot have VPN, transparent mode and routing in the same unit.
I would not want the DMZ and the outside interface to have overlapping ip address ranges.
Logging and trying to keep track of it all would be way too confusing for me.
So what I would do is split the external network into two /25 networks and move all the units that can be moved to a DMZ with RFC 1918 addresses.
The units that cannot be moved from the external network would have to stay put "for now" in another DMZ with the 190.x.x.x/25 addresses.
This would need the ISP to change their routing table in the edge equipment: the lower (or upper) half of 190.X.X.X/25 would be the DMZ and needs to be routed to the firewall IP address.
Then as time passes the DMZ will be depopulated as equipment is moved out and replaced, and in the end you will have the ISP merge the two 190.x.x.x/25 ranges back into one /24, and you will be back to today's setup but with all the servers in an RFC 1918 network.
Do not use NAT, use PAT instead when it comes to the IP addresses translated from the internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).
With NAT you are translating the whole IP address, but with PAT you translate the port, so you can have IP X port 25 go to IP Y port 25, and then you can have IP X port 80 go to IP Z port 80, or maybe 8080, or whatever port you want.
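The static PAT arrangement described in the reply above (one public IP, port 25 to one RFC 1918 DMZ host, port 80 to another on 8080), written out as an added example in ASA 8.3+ object NAT syntax; it is not from the original thread. The public address 203.0.113.10, the DMZ host addresses and the object and ACL names are constructed placeholders; the interface names `dmz` and `outside` follow the question.

```cisco
! Added example, not from the thread. 203.0.113.10 (RFC 5737) and the
! 192.168.100.x hosts (RFC 1918) are constructed placeholders.
!
! DMZ hosts sitting on private addresses behind the firewall
object network dmz-mail
 host 192.168.100.25
 description SMTP relay in the RFC 1918 DMZ
object network dmz-web
 host 192.168.100.80
 description Web server in the RFC 1918 DMZ, listening on 8080
!
! Static PAT: the same public IP fronts both hosts, split by port.
! Form: nat (real_ifc,mapped_ifc) static mapped_ip service tcp real_port mapped_port
object network dmz-mail
 nat (dmz,outside) static 203.0.113.10 service tcp 25 25
object network dmz-web
 nat (dmz,outside) static 203.0.113.10 service tcp 8080 80
!
! Inbound policy: only the two published services are reachable; everything
! else from outside hits the implicit deny at the end of the list.
! From ASA 8.3 on, the ACL names the real (untranslated) host and real port.
access-list outside_in extended permit tcp any object dmz-mail eq 25
access-list outside_in extended permit tcp any object dmz-web eq 8080
access-group outside_in in interface outside
```

Only the two ports are exposed on 203.0.113.10; a connection to port 443 on that address matches no translation and no permit entry, so it is dropped and logged by the ACL deny.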
Option 1 would work but I would not go with option 2.
Well, first of all, single point of failure: you are adding more units in a chain, and if any unit in the chain breaks you will have an outage. The fewer units in the chain you have, the better it is from an operational standpoint.
Also you will have a harder time managing both firewalls to get traffic through to the correct places and stop the rest.
Two firewalls in a row was a thing one used several years ago, but it was abandoned (mostly) due to the heavy workload of maintaining the configurations and day-to-day operations.
Many times one can see a third option (like in this case), i.e. parallel firewalls.
You can have one firewall, in this case the transparent one, deal with traffic for the units on the outside, i.e. what you call the DMZ, and then set up a firewall to handle the DMZ with RFC 1918 addresses and other parts such as VPN and LAN.
All you need to do is set up a switch in front of the firewalls and run them in parallel.