Cisco ASA 5510: Allow Internet access to a public address assigned to a server on a private DMZ without using NAT

Todd Smith
Level 1

I have a Cisco ASA 5510 running 9.0(2).  There is a DMZ network segment off of the firewall that uses the IP range of 10.1.1.x/24.  The IP address of this DMZ firewall interface is 10.1.1.1.

Let's say the ISP gave me an Internet public address of 199.98.97.96/24. I want to allow external users to use this address to get to an IIS server on  my DMZ.  Typically, I would just create a NAT rule mapping 199.98.97.96 to a private address for that server (say 10.1.1.5).  However, apparently this application that I'm trying to use will not permit NAT translations.  So I need to use a public address and pass it through the firewall. 

I would like to take the 199.98.97.96 address and assign it to this IIS server on the DMZ.  Keep in mind, I don't want to change the address range of my DMZ which is 10.1.1.x/24.

On the DMZ, I have a Windows 2012 server where I set the IP Address of the NIC to the following:

IP Address: 199.98.97.96

Mask: 255.255.255.0

Gateway: 10.1.1.1

On the firewall, I configured a NAT rule that allows traffic on interface 'Any' to interface 'DMZ'.  The source IP address is 'Any' while the destination IP address is '199.98.97.96'.   I do a (NO NAT) and leave the 'service' and 'all addresses' as 'original'.  This rule is at the top of the address translations.  The goal is to make sure the 199.98.97.96 address does not change in or out of the firewall.

I add an access rule to allow port 80 from anywhere to 199.98.97.96.  This did not work.  I cannot browse to my server!

Does anyone know how to use a public IP address, assign it to a server BEHIND the firewall on a private addressed network segment and get it to allow external users to get access to the server.

Thanks.

8 Replies

Jouni Forss
VIP Alumni

Hi,

Well, generally when you absolutely have to be able to host a service without doing NAT, you usually request a small public subnet from the ISP and use it behind your firewall directly (or somewhere else on the LAN/DMZ network). I haven't really run into these kinds of situations, or it has been very rare, as I can't remember any specific situation where this would have been the case.

You can't really have a single public IP address configured inside your network without it having a gateway from its own network.

- Jouni

Jouni,

Thanks for the quick reply.  The reason I'm doing this is for Lync 2013.  I'm using a hardware load balancer.  The Lync 2013 documentation states:

Following are the hardware load balancer requirements for Edge Servers running the A/V Edge service:

  • Turn off TCP nagling for both internal and external ports 443. Nagling is the process of combining several small packets into a single, larger packet for more efficient transmission.
  • Turn off TCP nagling for external port range 50,000 – 59,999.
  • Do not use NAT on the internal or external firewall.
  • The edge internal interface must be on a different network than the Edge Server external interface and routing between them must be disabled.
  • The external interface of the Edge Server running the A/V Edge Service must use publicly routable IP addresses and no NAT or port translation on any of the edge external IP addresses.

I'm fairly confident that I did this in the past but using Checkpoint firewalls on Sun Unix systems. 

The Edge server actually has 4 separate NICs.  3 of them connect to the DMZ while the other connects to another network segment that goes into another firewall and into the internal LAN.

I am able to put a route statement on the Windows Server like this:

route add 0.0.0.0 mask 0.0.0.0 10.1.1.1 IF 2

This sends default packets to 10.1.1.1, which is located on Interface 2, one of the interfaces connected to the Cisco ASA.  Before I added this line, I had a general transit failure.  After adding it, the packets were sent to the firewall.

I think something is missing on my firewall.

Or maybe I'm just misunderstanding the Microsoft requirement.

Hi,

In a typical network setup an interface with an IP address with mask /32 doesn't make much sense. I guess the most typical situation is when it's used on Cisco routers for ID purposes in routing, as a source address for certain connections outbound from the router, or just for testing or monitoring purposes.

So the only way I can imagine at the moment this could be done is to have the 10.1.1.0/24 network between the server and the ASA, and the server has such a virtual/logical interface with the single public IP address that it would be able to utilize.

But if I understand you correctly, the public IP address that we are talking about is the only public IP address you have. Therefore we would run into a situation where I am fairly certain that the ASA couldn't handle it. I mean the ASA has to have a public IP address on its WAN interface also (which would be the IP address you have), so I am not sure how it would/could forward traffic towards the public IP address anywhere else than itself, since it has it on its own interface.

Also, considering using the ASA in Transparent mode, to my understanding that would mean that you would have to have a single public IP address on the ASA BVI interface from the network segment between which the ASA is placed, so that the ASA would be able to forward traffic through.

So I am not sure how this could be achieved with the ASA.

- Jouni

I have been provided several public blocks of IP addresses in different ranges for my Internet connection.  My outside firewall interface has an IP address in one of these blocks.  But the other blocks that I use with this same firewall on the same interface do not have any addresses on the outside firewall interface; however, they work.  I'm thinking I need to do something with proxy ARP.

In the big picture, I need to do this setup for 9 interfaces for Lync 2013.  Three (3) on an HLB, three (3) on one front-end server, and three (3) on another front-end server.  I think it's because of video restrictions and my HLB.  Each front-end server and the HLB have an additional interface that connects to another internal subnet which goes to another firewall (technically back into the first firewall).  Unfortunately, this is the way Microsoft recommends doing it.  And the only reason I'm trying to do this is because Microsoft says I can't NAT the public addresses to private addresses for these servers when using an HLB.  So either I put the units directly on the Internet, which is a security risk, or I pass the public addresses through the firewall.

Physically, the HLB and two front-end servers sit on the DMZ behind the firewall, which again is in the 10.1.1.0/24 network.  If Microsoft didn't have this restriction, I would just add a 10.1.1.x address to each interface, and NAT a public address to the private address.

So I think the problem is that the public IP addresses I assigned to all of the interfaces on the HLB and two web front-ends are not in the 10.1.1.0/24 range, like you stated, and the DMZ interface needs to use layer 2 and not layer 3 to handle these public addresses when they are internal.

So I tried to fake the whole thing out but again....without success.

I took one of the addresses in the same range (199.198.197.199) and tried to create a proxy ARP entry on the firewall, on the DMZ interface, with that IP address, assigned it the MAC address of the DMZ interface and checked the 'Proxy Arp' check box.

I also changed my default route from the DMZ servers to route the packet to this fake address so 0.0.0.0 0.0.0.0 now points to 199.198.197.199. 

I created a NAT rule for a specific address (199.98.97.96) on one of the web front-end servers and tried multiple combinations of turning on and off Proxy ARP Egress, creating a unidirectional rule in, a unidirectional rule out, as well as a rule both in and out.

Still no luck.

Even if I went to my ISP and asked them for 9 usable public addresses and assigned them to a new sub interface inside my firewall, I would think that I would still run into the same or similar issue.

I'm going to keep plugging away to see if I can get it to work...and if I can, I'll let you know.  But I do appreciate your input.  If I finally exhaust my options, I'll have to submit a request to my ISP for these 9 addresses and make the changes as you had suggested in the first post.  I was just trying to avoid that.

Thanks again.

Todd.

Ajay Saini
Cisco Employee

IP Address: 199.98.97.96

Mask: 255.255.255.0

Gateway: 10.1.1.1

Above are the settings on the server behind the DMZ which needs to be accessed from the Internet without any NAT statement. Ideally, it's a bad design, but I once achieved it. You just need to add a static route on the ASA as follows:

route dmz 199.98.97.96 255.255.255.255 199.98.97.96

Then make sure you are able to ping to and from the ASA. Assuming that the access rules allow it, the outside users should be able to access the DMZ server on its public IP address without the use of NAT.

Let me know if it helps

-

AJ

Antony Craig
Level 1

Hi Tsmith, did the below workaround solve this issue?


We are having the same problem. Thanks.

No....it didn't.  I'm not sure if this is the best way to do it but:


- I requested a separate block of Public IP addresses from my ISP just for Lync.

- I created a separate virtual subnet off of my firewall using the new Lync public address range.

- I used the first public address as the IP address of the vnic on the firewall.

- I created a NAT rule for the public addresses where the destination addresses stayed "original" for the rest of the IP addresses provided.

- I created a Security Rule to allow incoming traffic.


This worked for me.


Thanks,

Todd
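The design Todd lists in the post above (a dedicated public block on its own sub-interface, an identity NAT rule so the addresses stay "original", and an inbound access rule), written out as an added ASA 9.x configuration fragment for illustration; this is not configuration from the thread. The interface names, VLAN tag, security level, and the 203.0.113.0/28 block and host addresses are assumed placeholders (documentation range), and 'outside' is assumed to be the ISP-facing interface to which the ISP routes that block.

```cisco
! Assumed: the ISP routes 203.0.113.0/28 to the ASA outside interface,
! so the block can be used behind the firewall without any translation.
!
! Sub-interface ("vnic") carrying the Lync public block; the ASA takes the
! first usable address and is the default gateway for the HLB and Edge servers.
interface GigabitEthernet0/2.20
 vlan 20
 nameif lync-dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.240
!
! Object covering the whole public block assigned to the HLB and front-ends.
object network LYNC-PUBLIC
 subnet 203.0.113.0 255.255.255.240
!
! Identity NAT (no-NAT): real and mapped addresses are the same object, so
! source and destination stay "original" in both directions. Twice NAT rules
! are evaluated before object NAT, so this wins over any later dynamic PAT.
! no-proxy-arp: the ISP routes the block to us, so the ASA must not answer
! ARP for it on outside; route-lookup: pick the egress interface from the
! routing table rather than from the interface pair in this command.
nat (lync-dmz,outside) source static LYNC-PUBLIC LYNC-PUBLIC no-proxy-arp route-lookup
!
! Security rule: permit only the services the Edge/HLB actually needs inbound.
! Placeholder host address for the HLB VIP; 443 per the Lync A/V Edge
! requirements quoted earlier in the thread.
object network LYNC-HLB-VIP
 host 203.0.113.5
access-list OUTSIDE-IN extended permit tcp any object LYNC-HLB-VIP eq 443
access-group OUTSIDE-IN in interface outside
```

Verify with "show nat detail" that the identity rule shows translate hits in both directions and with "packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.5 443" that the flow is allowed and untranslated.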

I appreciate your response. That seems like the only way it could be done. Thanks.
