12-13-2011 05:42 PM - edited 03-04-2019 02:37 PM
Deploying a network with ASA having 2 Public Ranges and 1 Private Range.
The Public range is xx.xx.xx.ab/29
& xx.xx.xx.cd/28
On ASA interface 0/0 I have assigned IP /29
& on the inside interface I have assigned 192.168.209.4/24
Now would I be able to use xx.xx.xx.cd/28 on the ASA to NAT the specific inside 192.168.209.4 addresses? I want to set up 1-to-1 NAT for my servers inside.
Would I be able to do that?
12-13-2011 05:55 PM
You can deploy one-to-one mapping.
Have a look at this link for example:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#difference
HTH
12-13-2011 06:15 PM
Thanks for the quick reply Reza, but here is the scenario:
On ASA interface 0/0 I have assigned IP /29
& on the inside interface I have assigned 192.168.209.4/24. Now can I use xx.xx.xx.cd/28 on the ASA to NAT the specific inside 192.168.209.4 addresses? The xx.xx.xx.cd/28 isn't assigned on any interface of the ASA; would I still be able to use it?
12-13-2011 06:45 PM
Hello Imranraheel,
Yes, the setup will work (in fact, you can use the network IP address for the range you bought if you need it). As soon as you add the public IP address to the NAT statement (even though it's on a separate subnet from the ASA outside interface), the ASA will start proxy-ARPing that particular public IP address, so any user on the outside that hits that specific IP address will go to your servers on the inside based on its NAT rules.
Regards,
Please rate helpful posts.
Julio
12-13-2011 07:41 PM
If both your public IP ranges, /29 and /28, belong to the same ISP and the same link, where the ISP has done routing on their PE router to reach the /28 via the /29 (normally you don't need to worry about this, as it will be done by the ISP), then it is possible. I have deployed the same kind of scenario as yours on more than 50 sites (using ASA, Cisco routers or other vendors' devices).
12-22-2011 09:47 AM
So I can use an internal private IP on the internal interface of the ASA & can use public IPs on any server placed inside?
12-22-2011 10:13 AM
Hello,
So I can use an internal private IP on the internal interface of the ASA & can use public IPs on any server placed inside?
You can use public IP addresses on the inside interface as long as that interface is also on the same public subnet, or there is another hop connecting to that network on the inside (the ASA will need a route).
Do rate helpful posts,
Regards,
Julio
12-22-2011 06:36 PM
Hi imranraheel,
Yes, exactly. Just use static NAT on the ASA, and use the /28 public IPs to map to your server LAN IPs. It will work indeed.
* Note: you don't need to assign the /28 public range directly to the ASA inside interface to get this to work. If you do assign it, all the hosts (LAN PCs and servers) connected to the ASA inside interface must have a public IP configured on their NIC, which I think is not recommended (not enough public IPs), because you may have hundreds of hosts on your LAN. So the best way is to assign all LAN hosts private IPs and do static NAT for the servers on the ASA.
Another solution is to use a DMZ. If you're using an ASA 5510, it comes with 4 Ethernet ports, which you can specify as below.
eth0 : WAN port (outside)
eth1 : LAN port (inside)
eth2 : DMZ (connected to servers)
eth3 : You may use for other purposes
Put all your servers in the DMZ zone. Assign one of the /28 public IPs to your DMZ interface. All your servers connected to the DMZ interface can now have a /28 public IP assigned directly to their NIC. One drawback here is that previously your LAN PCs accessed the servers via private IP; now they must use the public IP to access the servers, which needs modification on the user end.
It's your game to choose which solution you prefer.