Cisco Support Community

New Member

Pass Public IPs through ASA 5520

Just got a request to have about 20 public IPs be directly assigned to internal devices (virtual firewalls in ESX). I proposed putting the devices' WAN interface in the DMZ, adding ACL entries to allow all over that IP range and then doing a 1-to-1 NAT and a global so that the traffic goes back out correctly. This solution, though agreed it might work for what they need, doesn't meet all of their requirements as they don't want to have to contact someone each time they spin up a new firewall and use a DMZ address, but they want to be able to tell when a new firewall is spun up (self-provisioning facing end users, so they won't necessarily be the ones spinning them up). Handoff from the ISP goes into the ASR and from the ASR directly into the ASA, so I can't just put a leg of the ESX server in the same external VLAN as the ASA since none exists at the moment. Is there a practical solution to this that meets their needs?

7 REPLIES
Super Bronze

Re: Pass Public IPs through ASA 5520

Hi,

I am not sure if I understood the setup completely.

I assume that you want to have some public subnet behind the ASA itself directly on the hosts. In that case it would depend on your current setup.

Do you have a free public subnet that could be first routed from the ASR towards the ASA and then configured directly on some ASA DMZ interface just for this public subnet?

Or could you possibly split up an existing public subnet so you could route part of it towards the ASA and, in the same way as above, configure the subnet directly on some ASA DMZ interface (or perhaps route it further into the local network)?

If you had the public subnet behind the ASA you could configure NAT0 (or perhaps Identity NAT) for it so it can pass through the ASA without being translated. Naturally if you are creating a new ASA interface for this subnet you might be fine just leaving the interface without any NAT configurations. The setup naturally depends on the ASA software you are running as that affects the NAT behaviour.

- Jouni

New Member

Re: Pass Public IPs through ASA 5520

Sorry, didn't specify all the details. The ASA is running 8.2(5). I currently have a /24 configured on the outside interface of the ASA and am using that to NAT my inside hosts. Currently using about 50 addresses behind a few sub-interfaces that are NAT'ed, which is working. The server team wants to use a subset of that original /24 for this deployment.

If I need to make it clearer please let me know. I can try to post a sanitized config if it helps.

Super Bronze

Pass Public IPs through ASA 5520

Hi,

I would imagine that there are at least a couple of options.

You might be able to split the existing /24 subnet so you can have a smaller subnet behind the ASA on the actual devices.

You might also be able to simply configure the upstream router with a static route for a subnet of the /24. I guess you would have to route a free /27 subnet of the /24 towards the ASA external interface so that the upstream router would route traffic for these hosts to the ASA rather than try to ARP for the MAC address (as currently the router sees the network as directly connected).

- Jouni

New Member

Pass Public IPs through ASA 5520

Not sure I entirely understand what you mean in option 2 above. My ASR is 1.1.1.1, which is directly connected to my ASA on the outside interface with a 1.1.1.2 address. Are you saying to add a static route on the ASR for 1.1.1.224/27 pointing to the ASA?

I was thinking of doing something like this for my initial solution (NAT to DMZ, assign a global as well if needed):

! Interfaces (ASA 8.2 syntax)
interface GigabitEthernet0/0
 description Outside
 nameif outside
 ip address 1.1.1.2 255.255.255.0
! sub-interface also needs its "vlan <tag>" line (omitted in the post)
interface GigabitEthernet0/3.100
 description DMZ
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
! Inbound ACL; in 8.2 the outside ACL matches the mapped (public) address
access-list outside_access_in extended permit ip any host 1.1.1.10
access-list outside_access_in extended permit ip any host 1.1.1.11
access-list outside_access_in extended permit ip any host 1.1.1.12
! 1:1 static NAT, DMZ host <-> public address (both directions)
static (dmz,outside) 1.1.1.10 10.10.10.10 netmask 255.255.255.255
static (dmz,outside) 1.1.1.11 10.10.10.11 netmask 255.255.255.255
static (dmz,outside) 1.1.1.12 10.10.10.12 netmask 255.255.255.255
! Dynamic NAT id / global pool pairs, added "if needed"
nat (dmz) 2 10.10.10.10
nat (dmz) 3 10.10.10.11
nat (dmz) 4 10.10.10.12
global (outside) 1 interface
global (dmz) 2 1.1.1.10
global (dmz) 3 1.1.1.11
global (dmz) 4 1.1.1.12

Super Bronze

Pass Public IPs through ASA 5520

Hi,

Actually, I might have been mistaken.

You might have to split the current /24 network between the ASA and the ASR into something smaller and route the rest of the subnets (split from the /24) towards the ASA external interface.

You would essentially have to split the /24 subnet connected to the ASA, because for you to be able to use some part of that subnet directly on another ASA interface, it can't overlap with an existing interface's subnet.

I got the picture from your original post that you would specifically want to configure these public IP addresses directly on the hosts behind the ASA? In that case I don't see the above NAT configurations as needed.

If you were to do the split of the /24 you could for example do this:

ASR
interface GigabitEthernet0/0/0
 description ASA
 ip address 1.1.1.1 255.255.255.128
! Forward the second /25 to the ASA instead of treating it as directly connected
ip route 1.1.1.128 255.255.255.128 1.1.1.2

ASA
interface GigabitEthernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.128
! A /27 carved from the routed /25, used directly on the ESX-facing sub-interface
! (sub-interface also needs its "vlan <tag>" line, omitted in the post)
interface GigabitEthernet0/3.300
 description ESX
 nameif esx
 security-level 10
 ip address 1.1.1.129 255.255.255.224

The above change to the setup would do the following things:

  • Split the /24 to /25 subnets
    • One connected between the ASR and ASA
    • One routed towards the ASA to be used as you want
  • The directly connected /25 subnet on the ASA interface could be used for the typical Dynamic PAT and Static NAT configurations for the users with a private IP address.
  • The /25 subnet routed towards the ASA could be used as you wished. You could split it into smaller parts and configure it directly on some ASA interface, or route it further into your internal network where the hosts that need the public IP addresses directly are located.
  • You would also be able to use the routed /25 block as NAT/PAT IP address on the firewall just like the directly connected /25.

Naturally the above would mean a change to your external interface and ASR configurations, so it's likely something that would need to be done during some maintenance break.

- Jouni
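An added check for the split described above (example code written for this page, not from the thread or from Cisco): with the thread's documentation addresses (1.1.1.0/24, ASA outside 1.1.1.2) it derives the two /25s, the ASR static route and the /27 pieces of the routed half, and flags overlapping interface subnets, which is why a /27 of the /24 cannot simply be placed on a DMZ interface while the outside interface still holds the whole /24. The function names are this example's own.

```python
"""Sanity-check an ASA public-subnet split (added example, not from the thread)."""
import ipaddress
from itertools import combinations


def overlapping_interfaces(interfaces):
    """Return pairs of ASA interface names whose subnets overlap.
    interfaces: {nameif: "a.b.c.d/len"}. The ASA rejects a subnet on one
    interface that overlaps another interface's subnet."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def split_plan(public_block, asa_outside_ip, carve_prefix=27):
    """Split public_block into two halves: the first stays the ASR-ASA link
    subnet, the second is routed to asa_outside_ip and carved into
    carve_prefix blocks that can sit directly on ASA interfaces."""
    block = ipaddress.ip_network(public_block)
    link, routed = block.subnets(prefixlen_diff=1)
    if ipaddress.ip_address(asa_outside_ip) not in link:
        raise ValueError("ASA outside address must stay inside the link subnet")
    return {
        "link": link,
        "routed": routed,
        # IOS static route so the ASR forwards the second half to the ASA
        # instead of ARPing for it as a directly connected network
        "asr_route": f"ip route {routed.network_address} {routed.netmask} {asa_outside_ip}",
        "carved": list(routed.subnets(new_prefix=carve_prefix)),
    }


if __name__ == "__main__":
    # Constructed sample: the original idea, a /27 of the /24 on a DMZ interface
    before = {"outside": "1.1.1.0/24", "dmz_public": "1.1.1.224/27"}
    print("before split, overlapping:", overlapping_interfaces(before))
    plan = split_plan("1.1.1.0/24", "1.1.1.2")
    print(plan["asr_route"])
    first = plan["carved"][0]
    after = {"outside": str(plan["link"]), "esx": str(first)}
    print("after split, overlapping:", overlapping_interfaces(after))
    print(f"esx interface: ip address {first[1]} {first.netmask}")
```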

New Member

Pass Public IPs through ASA 5520

Thanks. I actually did want to configure the public IPs directly on hosts behind the ASA.

I just gave the config as an example of what I intended to do with NAT if I can get the server team to agree to using the DMZ interface ranges as the public IPs on the devices.

I'm trying to avoid splitting the subnet if possible as I'd like to minimize the impact and avoid the required outage it would incur. 

Super Bronze

Pass Public IPs through ASA 5520

Hi,

Typically about 80-90% of the time our users are fine with doing a 1:1 Static NAT for any devices/servers/hosts on their LAN network. Every now and then the requirement is that the internal device has to have a public IP address directly. (Not that I am sure if this is really the case)

In those cases typically the user is assigned a small public subnet which is routed from our core network towards the customer firewall and from there further to the actual internal customer router where it's used directly on the customer devices. In some cases the subnet might be routed towards our datacenter if the devices are placed there.

Though if the requirement is to have the public IP addresses directly on the hosts/servers, then I would personally prefer either getting a new small public subnet for the purpose or splitting the current one used, which would mean short downtime.

In your NAT configurations I am not sure what the purpose of the Dynamic PAT towards the DMZ itself is?

- Jouni
