I've just received my Cisco ASA5510 in order to replace my SonicWall Pro 100, but I have one problem, which I'll explain:
Actually, the network has a LAN, a WAN and a DMZ. We've got a 6 public IP block (xx.xx.xx.xx/29).
I have two servers in the DMZ using 2 public IPs. The DMZ and the WAN share the same subnet. (DMZ has no NAT enabled.)
With the Cisco, we can't assign IPs from the same subnet on 2 interfaces (network overlapping).
I've read that one solution is to split my subnet in half. So I use a subnet xx.xx.xx.xx/30.
As a result, my available public IPs are reduced to 4.
2 are used by the WAN interface and the DMZ interface. 1 is used by the router. In this case, one server in the DMZ has no more IP available.
Are there any other solutions?
I am not sure if this will work for you, but one way I can think of implementing this would be to use multiple contexts.
1) In one context, assign the inside and outside interfaces and use the ASA in routed mode.
2) In the other context, you can use the DMZ and outside interfaces with the ASA in "transparent" mode.
Again, this will require a complete redesign of your network in a way, and may involve quite some deliberation on how it can be implemented if it will work for you, but we can always give this a thought and see if we can get this working.
Thanks and Regards,
Thank you for your reply.
I've read that we can't run the firewall with 2 contexts in which the first one is in routed mode and the other in transparent mode.
Maybe I'm wrong,
I read it in the CLI Guide, page 54:
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode
in the system execution space.
Yes, that indeed is the case. Sorry about that. Got confused between FWSM and ASAs. FWSM does allow you to configure the mode of every context, which is not possible on the ASA.
Now, for your original requirement, we can still achieve what you need using "static" commands.
Assuming your server public IP addresses are 18.104.22.168 and 22.214.171.124. On the DMZ, we will have to create a new address space for the servers because we cannot have two interfaces on the ASA on the same subnet. So, let's assume you assign the DMZ interface an IP of 10.1.1.1 and the servers IP addresses of 10.1.1.10 and 10.1.1.11.
So for outside users trying to access these servers, we can create "static" entries of the form below:
static (DMZ,outside) 126.96.36.199 10.1.1.10
static (DMZ,outside) 188.8.131.52 10.1.1.11
Similarly, when your inside users try to access the servers using the public IP addresses, we can use the following statics to allow that:
static (DMZ,inside) 184.108.40.206 10.1.1.10
static (DMZ,inside) 220.127.116.11 10.1.1.11
This should ensure transparency to users without them having to change any settings for the servers. Let me know if this is clear!!
Thanks and Regards,
I am OK with the static commands, but I don't understand the IP address configuration.
I must create a new address space on the firewall, but what subnet should I use on the DMZ interface and the public servers? Do I use private IPs or public? And what about the reverse command for (outside,DMZ)?
So you will need to use a Private address space for the DMZ subnet. The public IP addresses you have in mind for the servers (the ones the outside and inside users will access the servers using) will be specified in the "static" commands.
In the commands I have suggested, 10.1.1.x is the private address space for the DMZ subnet and 1.1.1.x is the public IP addresses for the servers, which they will be accessed using.
You do not need any static for (outside,DMZ).
Hope this clears things up!!
Thanks and Regards,
I tried the solution in a production environment and there is something wrong.
No communication with the outside from the LAN and from the DMZ. I couldn't reach my router. Maybe there is a static route to add?
LAN interface: 192.168.1.254/24 (with dynamic NAT to use the WAN interface to go on the internet)
DMZ interface: 10.1.1.1 (with static NAT as you said)
WAN interface: 194.x.x.x/29
Router: 194.x.x.y/29
The two are directly linked.
Access lists from the LAN and DMZ allow reaching the outside.
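The following is an added example, not configuration posted by anyone in this thread: a minimal ASA configuration in the pre-8.3 syntax the "static" answer uses, covering the pieces the last two posts describe (interfaces, dynamic NAT for the LAN, one-to-one statics for the DMZ servers toward both outside and inside, interface access lists) plus the default route toward the router that the last post asks about. All addresses are constructed from RFC 5737 documentation space and stand in for the thread's xx.xx.xx.xx/29, 194.x.x.x and 1.1.1.x placeholders; the interface names Ethernet0/0 to 0/2 and the published service ports are assumptions. From ASA 8.3 onward the nat/global/static commands were replaced by object NAT, so this applies to 8.2 and earlier only.

```cisco
! Added example (not from the thread). Constructed addressing on the shared /29:
!   203.0.113.1   router (default gateway)
!   203.0.113.2   ASA outside interface
!   203.0.113.3   public address of server A, translated to 10.1.1.10
!   203.0.113.4   public address of server B, translated to 10.1.1.11
! Interface names are assumed; confirm with "show interface ip brief".

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Default route toward the router on the /29. Without it the ASA has no path
! to the Internet, whatever the NAT and access-list configuration says.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Dynamic PAT for the LAN: everything from 192.168.1.0/24 leaves as the
! outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! One-to-one static NAT for the DMZ servers as seen from the outside. The
! mapped addresses lie inside the outside interface's /29, so the ASA answers
! ARP for them (proxy ARP) and the router can deliver the traffic.
static (DMZ,outside) 203.0.113.3 10.1.1.10 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.4 10.1.1.11 netmask 255.255.255.255
!
! The same servers as seen from the inside, so LAN users keep using the public
! addresses; the translation happens on the inside interface instead of the
! packet being routed out toward the router and dropped there.
static (DMZ,inside) 203.0.113.3 10.1.1.10 netmask 255.255.255.255
static (DMZ,inside) 203.0.113.4 10.1.1.11 netmask 255.255.255.255
!
! Other DMZ hosts reaching the Internet get PAT like the LAN; the statics above
! take precedence for 10.1.1.10 and 10.1.1.11.
nat (DMZ) 1 10.1.1.0 255.255.255.0
!
! Inbound: only the published services are reachable, everything else is
! dropped by the implicit deny at the end of the list. Pre-8.3 access lists
! reference the mapped (public) address, not the real one.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq smtp
access-group OUTSIDE_IN in interface outside
!
! Keep a compromised DMZ host from initiating connections into the LAN;
! let the DMZ reach the Internet only.
access-list DMZ_OUT extended deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-group DMZ_OUT in interface DMZ
```

To check the result without touching production traffic, "show route" should list the 0.0.0.0 default via the router, "show xlate" should show the two static translations on each interface, and "packet-tracer input outside tcp 198.51.100.10 1234 203.0.113.3 80" walks an inbound packet through route lookup, access list and NAT and reports which phase drops it.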