Currently I have a single Cat5 feed from my ISP and that includes a single IP range, call it 126.96.36.199/24.
Currently I have a crappy WatchGuard sitting on 188.8.131.52 in transparent/drop-in mode and all servers are using the 1.1.1.x range.
Now I want to replace the aging WatchGuard with a new ASA 5510 that I have; however, I have stumbled into a few problems.
I don't want to use the Cisco transparent mode. Firstly, this only allows you to protect a single IP range, and secondly, VPN functionality is lacking. In the future I will need to take advantage of multiple IP ranges and several interfaces.
So what is the solution? What is the recommended setup for those that want their servers to sit on a public IP range?
It has been suggested to me that I get my ISP to route my 184.108.40.206/24 through a smaller subnet like 220.127.116.11/30 which my firewall outside interface will sit on.
It has also been suggested to me that I put 18.104.22.168/24 on my outside interface and something like 192.168.0.1/24 on the inside and then put in NAT exemption rules for all the hosts that you don't want to use NAT for.
I also want to move to an HA setup in the future, so I want a solution that is going to enable me to grow and expand this setup without re-engineering the network every time.
If the servers are accessible on their public IP addresses then the easiest thing to do is
1) Create a DMZ for the servers. You don't have to; you can put the servers on the inside, but if they are accessible from outside it is recommended to use a DMZ.
2) Allocate private addressing to the servers and then set up static NAT translations, e.g.
static (DMZ,outside) 22.214.171.124 192.168.5.5
static (DMZ,outside) 126.96.36.199 192.168.5.6
This would obviously mean readdressing your servers and although the vast majority of applications will work with NAT some won't.
If you don't want to NAT but still want to protect the servers with your ASA firewall then you will need a separate subnet for the connection between your outside interface and the ISP router.
You would then create a DMZ using the public IP addressing you already have.
Which is more flexible? Well, assuming your public addressing is your ISP's, using private addressing on your servers means if you change your ISP in future you do not have to readdress your servers; you just change the NAT statements on your firewall and update public DNS.
1) When you say create a DMZ, what do you mean? I always considered a DMZ to simply be another network segment which is separated from your trusted network for enhanced security. According to all Cisco DMZ examples I have seen, all servers still sit on a private IP range and their public IPs are NATed. Right now my management network is on a separate network switch, so essentially I only have one network behind my ASA and so a DMZ is irrelevant, right?
2) Readdressing is going to be extremely difficult to do, so I want to stay away from that if I can.
I suspect the easiest way to achieve what I want to do is to get a separate subnet for my firewall from my ISP, like 188.8.131.52/30. The only question I have though is: can my 184.108.40.206 still route outwards WITHOUT translating to 220.127.116.11? I simply want to use the small 18.104.22.168/30 subnet as a kind of gateway subnet to my main IP range.
1) Yes, a DMZ is another network segment that is connected to a different interface on your firewall than the inside interface. If you don't have any other servers on the inside other than the ones that you are giving outside access to, then yes, you could argue a DMZ is not relevant, but if there are other servers that do not require outside access you should keep them separate.
2) Yes you can still route outwards. You need to
i) Make sure the ISP has a route on their router pointing to your 1.1.1.x network via the outside interface of your PIX, 2.2.2.x
ii) You can either do no NAT or just set up static NAT translations, e.g.
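The routed, no-NAT design described in this thread (a /30 link to the ISP on the outside interface, the existing public /24 kept on a DMZ interface, identity NAT so the servers keep their addresses) as an added example configuration; this is not the poster's or answerer's config. It uses pre-8.3 ASA/PIX syntax to match the `static` commands quoted above, and the 1.1.1.x / 2.2.2.x addresses, interface names, server hosts and ports are assumed placeholders.

```cisco
! Outside: the small /30 the ISP routes 1.1.1.0/24 towards (assumed 2.2.2.0/30)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
! DMZ: the existing public /24 stays on the servers, no readdressing
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 1.1.1.1 255.255.255.0
! Inside: private management/user network (assumed)
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0

! Default route to the ISP end of the /30; the ISP must in turn route
! 1.1.1.0/24 to 2.2.2.2 or return traffic never reaches the DMZ
route outside 0.0.0.0 0.0.0.0 2.2.2.1

! Identity NAT (nat 0): DMZ hosts leave with their own public address
access-list DMZ-NONAT extended permit ip 1.1.1.0 255.255.255.0 any
nat (DMZ) 0 access-list DMZ-NONAT

! Inside hosts still PAT behind the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

! Outside is security-level 0, so nothing reaches the DMZ until permitted;
! publish only the services that must be reachable (assumed hosts/ports)
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.10 eq 443
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.11 eq 25
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

If a server is later readdressed privately, only its line changes: replace its identity-NAT coverage with `static (DMZ,outside) 1.1.1.10 192.168.5.5 netmask 255.255.255.255` and keep the same OUTSIDE-IN entry, since pre-8.3 ACLs on the outside interface match the public (mapped) address.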