Cisco Support Community

ASA NAT to multiple IPs - Good or bad

Hello Community,

    One of my clients has 254 public addresses (x.x.1.0/24) which are used for both servers and services but also infrastructure components. These 254 addresses are part of a bigger class B network (x.x.0.0/16) of again, publicly routable IPs. Our 254 IPs are currently NAT'd with a pair of ASA5520s to 2 zones, 1 DMZ, 2 inside. The DMZ contains any server/service which we allow access to from source "any" while inside is used for anything else, servers/infrastructure which is available only within the bigger, Class B network (x.x.0.0/16). The bigger class B network recently deployed a class A private network (10.0.0.0/8) which is routable with the class B network (x.x.0.0/16). As such we have been considering moving all infrastructure components to a private network, but protect it with our current ASA5520s, within a different zone. The one thing which is currently preventing us from executing is some of our devices have a "Call-home" feature we do not want to lose, and we would if we went on the 10.0.0.0/8 network.

The discussion is to answer whether an ASA5520 can conceptually do the following pair of NATs:

Firewall: ASA5520 Sec
Version: 8.2(5)

Inf-IP 172.1.1.1 (behind ASA firewall)
Outside-IP: 10.1.1.1
Public-IP: x.x.1.1

NAT INF-IP to Outside-IP (When destination is x.x.0.0/16 OR 10.0.0.0/8)
NAT INF-IP to Public-IP (When destination is NOT x.x.0.0/16 OR 10.0.0.0/8)

I would also be interested in knowing your opinion on this "solution". Good idea? Bad idea?

Please note, HTTP proxy will not work in this scenario. Please also note, our current version is unsupported - we are currently making plans to have the firewalls replaced.

Mike
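One way to express the two translations described in the post in ASA 8.2 syntax, as an added example rather than configuration from the poster or from Cisco: a policy static NAT (a `static` command tied to an access list) maps 172.1.1.1 to 10.1.1.1 only when the destination is x.x.0.0/16 or 10.0.0.0/8, and a regular static NAT below it maps the same host to the public address for everything else. The interface names `infra` (the new zone holding 172.1.1.1) and `outside` are assumptions, and `X.X` is the client's class B prefix exactly as the post elides it; the placement relies on the 8.2 behaviour that static entries (regular and policy) are matched in configuration order, so the policy static must come first.

```cisco
! Added example (not the poster's or Cisco's configuration).
! Assumptions: real side is interface "infra" (holds 172.1.1.1),
! mapped side is interface "outside"; X.X = the client's class B prefix.

! Destinations that should see 172.1.1.1 as 10.1.1.1: the class B block
! and the 10.0.0.0/8 private network that is now routable with it.
access-list INF_TO_INTERNAL extended permit ip host 172.1.1.1 X.X.0.0 255.255.0.0
access-list INF_TO_INTERNAL extended permit ip host 172.1.1.1 10.0.0.0 255.0.0.0

! Policy static NAT: applies only when the destination matches the ACL.
! Must appear before the regular static below (first match wins in 8.2).
static (infra,outside) 10.1.1.1 access-list INF_TO_INTERNAL

! Regular static NAT: every other destination, including the Internet
! call-home endpoint, sees the public address.
static (infra,outside) X.X.1.1 172.1.1.1 netmask 255.255.255.255

! Both mapped addresses are bidirectional: a connection from the class B
! network to 10.1.1.1, or from the Internet to X.X.1.1, is untranslated
! to 172.1.1.1. The outside interface ACL, not the NAT, decides whether such
! inbound traffic is permitted; with no inbound permit, only replies to
! sessions started by 172.1.1.1 get through.
```

Before relying on it, confirm the order of evaluation on the actual unit with `packet-tracer input infra tcp 172.1.1.1 12345 10.5.5.5 443` (should show the 10.1.1.1 translation) and `packet-tracer input infra tcp 172.1.1.1 12345 203.0.113.10 443` (a documentation-range stand-in for an Internet host; should show X.X.1.1), then watch `show xlate` while a call-home session is open. If the firewall refuses the overlapping statics on this release, the same effect can be had with two policy statics whose ACLs are mutually exclusive, at the cost of enumerating the "everything else" destinations.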
