I just purchased a new ASA5510 to replace our old firewall. With help from experts in the forum, the device is configured to have an inside, outside and dmz interfaces. Now here's my question, how should/do i subnet my IP block?
My ISP has given me a block of IPs x.x.x.32/27. In my current setup the ISP gateway is x.x.x.33/27, my old firewall gateway is on x.x.x.34/27, two VPN gateways on x.x.x.37 and x.x.x.40/27. My three gateways are running parallel. I have 2 machines setup with one to one nat to provide web services on x.x.x.35/27 and x.x.x.36/27. I have a DMZ setup with x.x.x.55/27 to x.x.x.62/27.
I was thinking having the first x.x.x.32/29 block for the devices running parallel to the new firewall. The second x.x.x.40/29 block for my outside interface (and one to one NATs) and the last block of x.x.x.48/28 for my DMZ interface. Does this sound ok?
If I proceed with the config, what IPs would I assign to the devices running in parallel? For example, if i choose to give the x.x.x.35 ip to my VPN gateway, would I assign it x.x.x.35/27 or x.x.x.35/29 IP?
1) Your addressing scheme is fine. Bear in mind that you could just use a private IP address range for your DMZ and just setup static translations using some of your public IP addresses.
There is nothing wrong with breaking up your /27 subnet into 3 x /29 but you keep losing addresses this way as the network and broadcast addresses are not useable. But if you have enough public addresses then fine.
2) You will need to use the /29 subnet mask otherwise the route lookups could go wrong.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...