Just got a request to have about 20 public ips be directly assigned to internal devices (virtual firewalls in ESX). I proposed putting the devices WAN interface in the DMZ, adding acl entries to allow all over that ip range and then do a 1 to 1 nat and a global so that the traffic goes back out correctly. This solution, though agreed it might work for what they need, doesn't meet all of their requirements as they don't want to have to contact someone each time they spin up a new firewall and use a dmz address, but they want to be able to tell when a new firewall is spun up (self-provisioning facing end users so they won't necessarily be the ones spinning them up). Handoff from the ISP goes into ASR and from ASR directly into ASA so can't just put a leg of the ESX server in the same external vlan as ASA since none exists at the moment. Is there a practical solution to this that meets their needs?
I am not sure if I understood the setup completely.
I assume that you want to have some public subnet behind the ASA itself directly on the hosts. In that case it would depend on your current setup.
Do you have a free public subnet that could be first routed from the ASR towards the ASA and then configured directly on some ASA DMZ interface just for this public subnet?
Or could you possibly split up an existing public subnet so you could route part of it towards ASA and in the same way as above configure the subnet directly on some ASA DMZ interface (or perhaps route further in the local network?
If you had the public subnet behind the ASA you could configure NAT0 (or perhaps Identity NAT) for it so it can pass through the ASA without being translated. Naturally if you are creating a new ASA interface for this subnet you might be fine just leaving the interface without any NAT configurations. The setup naturally depends on the ASA software you are running as that affects the NAT behaviour.
Sorry, didn't specify all the details. ASA is running 8.2(5). Currently have a /24 configured on my outside interface of the ASA and using that to nat my inside hosts. Currently using about 50 addresses behind a few sub-interfaces that are nat'ed which is working. The server teams wants to use a subset of that original /24 for this deployment.
If I need to make it more clear please let me know. I can try to post up a sanitized config it if helps.
I would imagine that there is atleast a couple of options.
You might be able to either split the existing /24 subnet so you can have a smaller subnet behind the ASA on the actual devices.
You might also be able to simply configure the upstream router with a static route for the subnet of the subnet /24. I guess you would have to route a free /27 subnet of the /24 subnet towards the ASA external interface so that the upstream router would route traffic towards these hosts to the ASA rather than try to ARP for the MAC address. (As currently the router sees the network as directly connected)
Not sure I entirely understand what you mean in option 2 above. My ASR is 126.96.36.199 which is directly connected to my ASA on the outside interface with a 188.8.131.52 address. Are you saying to add a static route on the ASR to say 184.108.40.206 /27 pointing to the ASA.
I was thinking of doing something like this for my initial solution (nat to dmz, assign global as well if needed):
ip address 220.127.116.11 255.255.255.0
int Gi 0/3.100
ip address 10.10.10.1 255.255.255.0
access-list outside_access_in extended permit ip any host 18.104.22.168
access-list outside_access_in extended permit ip any host 22.214.171.124
access-list outside_access_in extended permit ip any host 126.96.36.199
static (dmz,outside) 188.8.131.52 10.10.10.10 netmask 255.255.255.255
static (dmz,outside) 184.108.40.206 10.10.10.11 netmask 255.255.255.255
static (dmz,outside) 220.127.116.11 10.10.10.12 netmask 255.255.255.255
nat (dmz) 2 10.10.10.10
nat (dmz) 3 10.10.10.11
nat (dmz) 4 10.10.10.12
global (outside) 1 interface
global (dmz) 2 18.104.22.168
global (dmz) 3 22.214.171.124
global (dmz) 4 126.96.36.199
Actually, I might have mistaken.
You might have to split the current /24 network between the ASA and the ASR to something smaller and routing the rest of the subnets (split from the /24) towards the ASA external interface.
You would essentially have to split the /24 subnet connected to the ASA because for you to be able to use some part of that subnet directly on another ASA interface, it cant overlap with an existing interfaces subnet.
I got the picture from your original post that you would specifically want to configure these public IP addresses directly on the hosts behind the ASA? In that case I dont see the above NAT configurations needed.
If you were to do the split of the /24 you could for example do this
ip address 188.8.131.52 255.255.255.128
ip route 184.108.40.206 255.255.255.128 220.127.116.11
ip address 18.104.22.168 255.255.255.128
ip address 22.214.171.124 255.255.255.224
The above change to the setup would do the following things
Naturally the above would mean a change to your external interface and ASR configurations so its likely something that would need to be done during some maintanance break.
Thanks. I actually did want to configure the public ips directly on hosts behind the ASA.
I just gave the config as an example of what I intended to do w/ nat if I can get the server team to agree to using the DMZ interface ranges as the public ips on the devices.
I'm trying to avoid splitting the subnet if possible as I'd like to minimize the impact and avoid the required outage it would incur.
Typically about 80-90% of the time our users are fine with doing a 1:1 Static NAT for any devices/servers/hosts on their LAN network. Every now and then the requirement is that the internal device has to have a public IP address directly. (Not that I am sure if this is really the case)
In those cases typically the user is assigned a small public subnet which is routed from our core network towards the customer firewall and from there further to the actual internal customer router where its used directly on the customer devices. In some cases the subnet might be routed towards our datacenter if the devices are placed there.
Though if the requirement is to have the public IP addresses directly on the hosts/servers then I would personally prefer either getting a new small public subnet for the purpose or split the current one used which would mean short downtime.
In your NAT configurations I am not sure what the purpose of the Dynamic PAT towards the DMZ itself is?