New Member

DMZ ASA5510

Hello,

I've just received my Cisco ASA5510 in order to replace my SonicWall Pro 100, but I have one problem. Let me explain:

Currently, the network has a LAN, a WAN and a DMZ. We've got a block of 6 public IPs (xx.xx.xx.xx /29).
I have two servers in the DMZ using 2 public IPs. The DMZ and the WAN share the same subnet (the DMZ has no NAT enabled).

With the Cisco, we can't assign IPs from the same subnet on 2 interfaces (network overlapping).
I've read that one solution is to split my subnet in half, so I would use a subnet xx.xx.xx.xx /30.
As a result, my available public IPs are reduced to 4.
2 are used by the WAN interface and the DMZ interface, 1 is used by the router. In this case, one server in the DMZ has no IP available any more.

Are there any other solutions?
Thanks

10 REPLIES
Cisco Employee

Re: DMZ ASA5510

Hey,

I am not sure if this will work for you, but one way I can think of implementing this would be to use multiple contexts.

1) In one context, assign the inside and outside interfaces and use the ASA in routed mode.

2) In the other context, use the DMZ and outside interfaces with the ASA in "transparent" mode.

Again, this would require a complete redesign of your network in a way and may involve quite some deliberation on how it can be implemented, if it will work for you at all, but we can always give this a thought and see if we can get this working.

Thanks and Regards,

Prapanch

New Member

Re: DMZ ASA5510

Thank you for your reply.

I've read that we can't run the firewall with 2 contexts in which the first one is in routed mode and the other in transparent mode.

True ?

Thanks.

Cisco Employee

Re: DMZ ASA5510

Hi,

To the best of my knowledge you can run it that way. Where did you read that it cannot be? Please share the link.

Thanks and Regards,

Prapanch

New Member

Re: DMZ ASA5510

Maybe I'm wrong,

I read it in the CLI guide, page 54:

Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode.
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.

Cisco Employee

Re: DMZ ASA5510

Hi,

Yes, that indeed is the case. Sorry about that. I got confused between the FWSM and ASAs. The FWSM does allow you to configure the mode of every context, which is not possible on the ASA.

Now, for your original requirement, we can still achieve what you need using "static" commands.

Assuming your server public IP addresses are 1.1.1.10 and 1.1.1.11. On the DMZ, we will have to create a new address space for the servers because we cannot have two interfaces on the ASA on the same subnet. So, let's assume you assign the DMZ interface an IP of 10.1.1.1 and the servers the IP addresses 10.1.1.10 and 10.1.1.11.

So for outside users trying to access these servers, we can create "static" entries of the form below:

static (DMZ,outside) 1.1.1.10 10.1.1.10
static (DMZ,outside) 1.1.1.11 10.1.1.11

Similarly, when your inside users try to access the servers using the public IP addresses, we can use the following statics to allow that:

static (DMZ,inside) 1.1.1.10 10.1.1.10
static (DMZ,inside) 1.1.1.11 10.1.1.11

This should ensure transparency for users, without them having to change any settings for the servers. Let me know if this is clear!!

Thanks and Regards,

Prapanch
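As an added example (not from the thread, and not Prapanch's configuration), here is what the design in the reply above looks like as a complete pre-8.3 ASA configuration, in the same "static (real_if,mapped_if)" syntax the reply uses. The addressing is assumed: a public /29 of 1.1.1.8/29 with the ISP router at 1.1.1.9, the ASA outside interface at 1.1.1.12, the two server public addresses 1.1.1.10 and 1.1.1.11 from the reply, the DMZ on 10.1.1.0/24 and the LAN on 192.168.1.0/24 (the values the original poster reports later in the thread). Interface names, the published ports and the ACL names are likewise assumptions for illustration.

```cisco
! Added example, not the thread's own configuration. All addresses are placeholders:
! public block 1.1.1.8/29 (router 1.1.1.9, ASA outside 1.1.1.12),
! servers published as 1.1.1.10 and 1.1.1.11, DMZ 10.1.1.0/24, LAN 192.168.1.0/24.
! Pre-8.3 ASA NAT syntax (nat/global/static), matching the "static" form in the reply.
hostname asa
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.12 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Default route toward the ISP router. The ASA has no route to the Internet
! without it, even though the router is on the directly connected /29.
route outside 0.0.0.0 0.0.0.0 1.1.1.9 1
!
! LAN hosts reach the Internet with dynamic PAT behind the outside address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Identity translation so LAN-to-DMZ traffic passes untranslated regardless
! of the nat-control setting (explicit, rather than relying on the default).
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! DMZ servers: public address on outside <-> private address on DMZ.
! A static is bidirectional, so it also translates the servers' own outbound
! connections; no separate (outside,DMZ) entry is required.
static (DMZ,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
static (DMZ,outside) 1.1.1.11 10.1.1.11 netmask 255.255.255.255
!
! LAN hosts use the same public addresses for the servers (no split DNS needed).
static (DMZ,inside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
static (DMZ,inside) 1.1.1.11 10.1.1.11 netmask 255.255.255.255
!
! Only the published services are reachable from the Internet. In pre-8.3 code
! an inbound ACL on the outside interface matches the public (mapped) address.
! The services (web on .10, mail on .11) are assumed for the example.
access-list outside_in extended permit tcp any host 1.1.1.10 eq www
access-list outside_in extended permit tcp any host 1.1.1.10 eq https
access-list outside_in extended permit tcp any host 1.1.1.11 eq smtp
access-group outside_in in interface outside
!
! DMZ servers may reach the Internet but must not initiate connections to the LAN,
! so a compromised server cannot be used as a pivot into the inside network.
access-list dmz_out extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out extended permit ip any any
access-group dmz_out in interface DMZ
```

Two points worth checking after applying a configuration like this: the `route outside 0.0.0.0 0.0.0.0 1.1.1.9` line is what the reply's static commands silently depend on (the statics only translate addresses, they do not give the ASA a path to the router), and the DMZ-facing ACL is what turns the DMZ into a real containment zone rather than just a second subnet. Public addresses that are not assigned to an interface (here 1.1.1.10 and 1.1.1.11) are answered by the ASA on behalf of the servers through proxy ARP on the outside interface, which is why the servers can keep their published addresses without being on the outside subnet.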

New Member

Re: DMZ ASA5510

Hi,


I am OK with the static commands, but I don't understand the IP address configuration.
I must create a new address space on the firewall, but what subnet should I use on the DMZ interface and the public servers? Do I use private IPs or public? And what about the reverse command for (outside,DMZ)?

Thanks.

Cisco Employee

Re: DMZ ASA5510

Hi,

So you will need to use a private address space for the DMZ subnet. The public IP addresses you have in mind for the servers (the ones the outside and inside users will use to access the servers) will be specified in the "static" commands.

In the commands I have suggested, 10.1.1.x is the private address space for the DMZ subnet and 1.1.1.x are the public IP addresses the servers will be accessed by.

You do not need any static for (outside,DMZ).

Hope this clears things up!!

Thanks and Regards,

Prapanch

New Member

Re: DMZ ASA5510

OK, understood.

Thank you. I will try this solution.

Cisco Employee

Re: DMZ ASA5510

Sure. Do let me know how it goes!!

Cheers,

Prapanch

New Member

Re: DMZ ASA5510

Hi,

I tried the solution in a production environment and there is something wrong.

No communication with the outside from the LAN or from the DMZ. I couldn't reach my router. Maybe is there a static route to add?

To summarize:

LAN interface: 192.168.1.254/24 (with dynamic NAT to use the WAN interface to go on the Internet)

DMZ interface: 10.1.1.1 (with static NAT as you said)

WAN interface : 194.x.x.x / 29

Router : 194.x.x.y /29

The two are directly linked.

Access lists from the LAN and DMZ allow reaching the outside.

Thanks.
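The thread ends here without an answer. The symptom in the post above (neither the LAN nor the DMZ can get past the ASA, and the router is unreachable) is consistent with the ASA lacking a default route toward the router, although the post does not show the routing table and other causes are possible. As an added example, not part of the thread, the following ASA CLI session shows how to confirm or rule that out and to trace a packet through NAT, ACL and routing in one step. It assumes the placeholder addressing used earlier (outside 1.1.1.12/29, router 1.1.1.9, server 10.1.1.10 published as 1.1.1.10, LAN host 192.168.1.10); 198.51.100.1 and 203.0.113.5 are documentation addresses standing in for an Internet host and an Internet client.

```cisco
! Added example, not from the thread. Placeholder addresses as in the lead-in.
!
! 1. Does the ASA know a path to the Internet at all? The routing table must
!    contain a default route via the router on the outside interface, e.g.
!    "S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.9, outside". If that line is absent,
!    connections from every interface fail with no route, whatever NAT says.
show route
!
!    Add it if it is missing (metric 1, next hop is the ISP router):
route outside 0.0.0.0 0.0.0.0 1.1.1.9 1
!
! 2. Can the ASA itself reach the router across the directly connected /29?
!    A failure here points at cabling, VLAN, duplex or the router's own address,
!    not at NAT or access lists.
ping outside 1.1.1.9
!
! 3. Trace a synthetic packet through the full pipeline (route lookup, ACL,
!    NAT, then egress). The output names the first phase that drops the packet.
!    LAN host browsing the Internet:
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.1 80
!    DMZ server making an outbound connection (should leave as 1.1.1.10):
packet-tracer input DMZ tcp 10.1.1.10 1025 198.51.100.1 80
!    Internet client reaching the published web server (should be untranslated to 10.1.1.10):
packet-tracer input outside tcp 203.0.113.5 1025 1.1.1.10 80
!
! 4. Confirm the static translations are installed; each "static" line should
!    appear as a Global/Local pair such as "Global 1.1.1.10 Local 10.1.1.10".
show xlate
!
! 5. Watch for NAT errors while a test connection is attempted; a message such as
!    %ASA-3-305005 "No translation group found" means the traffic matched no
!    nat/global/static entry for the egress interface.
logging enable
logging buffered warnings
show logging | include 305005
```

The order matters: routing is checked first because a missing default route produces exactly the "nothing reaches the router" picture described in the post, and packet-tracer then shows whether NAT and the access lists behave as the earlier replies intend before any live traffic is sent through the firewall.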
