Cisco Support Community
New Member

Advice on Hosted ASA Design

Hi All,

First post on the Cisco forums.... so hi to everyone here, looks like a great community!

I would be interested to hear people's thoughts on a design I am currently working on. Essentially we are starting to move a lot of our customers into the datacenter; we are starting small and hope to grow on what we envisage to be a success.

Initially we will deploy an ASA5510 w/ Security Plus, and a Catalyst 2960. I intend to have each customer in their own VLAN in RFC1918 address space, with the ASA providing the gateways for each VLAN, by configuring sub interfaces on the ASA and setting the port on the 2960 as a trunk port.

I will also have a separate management VLAN to connect all the remote server management cards to, most likely a /28 or /27.

Now my question is the best way to handle the public IP address allocations for our customers. Where I have done similar installations in the past the WAN link of the router would usually be a /30 and we would have a bigger allocation routed to us, and we would then break this down into /30 ourselves and customers would install their own firewall. In this setup we are essentially providing a managed/shared firewall for all as opposed to just routing addresses to customers own firewalls. Would the most appropriate way to handle this be to have our entire public allocation range on the WAN side of the ASA (so say a /26) and just alias and NAT these addresses on the WAN side using the subinterfaces for the customer VLANs? Or is there a better way to approach this? What would be the 'best practice' recommendation?

Really interested to hear people's views on this scenario, and thanks for any replies in advance.

- Jamie

Hall of Fame Super Silver

Re: Advice on Hosted ASA Design

It makes sense to me to have all the public IPs as part of the subnet of the outside interface and to translate outgoing traffic from the customer or incoming traffic on the public IP to the appropriate customer addresses.
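One way to lay out the design discussed above, as an added example that is not taken from either post: the whole public /26 sits on the ASA outside interface, each customer VLAN is a sub-interface, and object NAT maps public addresses to customer hosts. It assumes ASA 8.3 or later NAT syntax; the VLAN numbers, the RFC1918 ranges and the public range (203.0.113.0/26 from the RFC 5737 documentation block) are placeholders.

```cisco
! --- ASA: public /26 lives on the outside interface ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.192
!
! Physical trunk toward the 2960; all customer traffic arrives tagged
interface Ethernet0/1
 no nameif
 no shutdown
!
interface Ethernet0/1.101
 vlan 101
 nameif customerA
 security-level 50
 ip address 10.101.0.1 255.255.255.0
!
interface Ethernet0/1.102
 vlan 102
 nameif customerB
 security-level 50
 ip address 10.102.0.1 255.255.255.0
!
! Management VLAN for the server management cards (/28 here)
interface Ethernet0/1.900
 vlan 900
 nameif mgmt
 security-level 100
 ip address 10.255.0.1 255.255.255.240
!
! Customer A: one public address per published host (static), one for PAT
object network custA-web
 host 10.101.0.10
 nat (customerA,outside) static 203.0.113.10
object network custA-lan
 subnet 10.101.0.0 255.255.255.0
 nat (customerA,outside) dynamic 203.0.113.11
!
! Customer B: its own PAT address out of the same /26
object network custB-lan
 subnet 10.102.0.0 255.255.255.0
 nat (customerB,outside) dynamic 203.0.113.20
!
! Inbound: only the published service; from 8.3 the ACL uses the real (inside) address
access-list outside_in extended permit tcp any host 10.101.0.10 eq 443
access-group outside_in in interface outside
!
! Same security level with inter-interface traffic left disabled keeps customer VLANs apart
no same-security-traffic permit inter-interface
```

The matching 2960 uplink is simply `switchport mode trunk` with `switchport trunk allowed vlan 101,102,900`, so only the VLANs the ASA terminates can reach it.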