ASA routing

imranraheel (Level 1)

Deploying a network with an ASA having 2 public ranges and 1 private range.

The public ranges are xx.xx.xx.ab/29

& xx.xx.xx.cd/28

On ASA interface 0/0 I have assigned an IP from the /29

& on the inside interface I have assigned 192.168.209.4/24

Now would I be able to use xx.xx.xx.cd/28 on the ASA to NAT specific inside 192.168.209.4 addresses? I want to set up 1-to-1 NAT for my servers inside.

Would I be able to do that?

7 Replies

Reza Sharifi (Hall of Fame)

You can deploy one-to-one mapping.

Have a look at this link for example:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#difference

HTH

Thanks for the quick reply Reza, but here is the scenario:

On ASA interface 0/0 I have assigned an IP from the /29,

& on the inside interface I have assigned 192.168.209.4/24. Now can I use xx.xx.xx.cd/28 on the ASA to NAT specific inside 192.168.209.4 addresses? The xx.xx.xx.cd/28 isn't assigned on any interface of the ASA; would I still be able to use it?

Hello Imranraheel,

Yes, the setup will work (in fact you can use the network IP address for the range you bought if you need it). As soon as you add the public IP address to the NAT statement (even though it's on a separate subnet from the ASA outside interface), the ASA will start proxy-ARPing that particular public IP address, so any user on the outside that hits that specific IP address will go to your servers on the inside based on its NAT rules.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If both your public IP ranges, the /29 and the /28, belong to the same ISP and the same link, where the ISP has done routing on their PE router to reach the /28 via the /29 (normally you don't need to worry about this, as it will be done by the ISP), then it is possible. I have deployed the same kind of scenario as yours on more than 50 sites (using an ASA, a Cisco router, or another vendor's device).

Regards, Nagis
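As an added illustration (not from any of the replies above), here is how the static one-to-one NAT that Julio and Nagis describe would look on an ASA running 8.3 or later, with constructed documentation addresses standing in for the /29 and /28 the poster redacted. The object names, the Ethernet0/x interface numbering, the upstream gateway and the service ports are assumptions; the /28 is deliberately not configured on any ASA interface.

```cisco
! Added example, not from the thread. ASA 8.3+ object NAT syntax assumed.
! Constructed addresses: outside link 203.0.113.0/29 (the thread's /29),
! routed block 203.0.113.64/28 (the thread's /28), inside 192.168.209.0/24.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.209.4 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! One-to-one (static) NAT: the mapped address comes from the /28, which is
! not on any ASA interface. The ASA answers ARP for it on the outside segment
! (proxy ARP is on by default for static NAT); if the ISP instead routes the
! /28 to 203.0.113.2, the upstream router simply forwards it and no ARP is
! involved. Either way the translation below is what maps it to the server.
object network SRV-WEB
 host 192.168.209.10
 nat (inside,outside) static 203.0.113.66
!
object network SRV-MAIL
 host 192.168.209.11
 nat (inside,outside) static 203.0.113.67
!
! Static NAT by itself does not admit inbound connections on 8.3+: an ACL on
! the outside interface must permit them, and on 8.3+ it references the REAL
! (inside) address, not the mapped one. Permit only the published ports.
access-list OUTSIDE_IN extended permit tcp any host 192.168.209.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.209.11 eq 25
access-group OUTSIDE_IN in interface outside
!
! Everything else on the LAN shares the outside interface address (PAT).
object network LAN
 subnet 192.168.209.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

To confirm the mapping is active, `show nat` lists the translations and `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.66 443` (constructed source address) walks an inbound packet through the NAT and ACL phases and shows whether it is untranslated and dropped or reaches the inside server.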

So I can use an internal private IP on the internal interface of the ASA & can use a public IP on any server placed inside?

Hello,

So I can use an internal private IP on the internal interface of the ASA & can use a public IP on any server placed inside?

You can use public IP addresses on the inside interface as long as that interface is also on the same public subnet, or there is another hop connecting to that network on the inside (the ASA will need a route).

Do rate helpful posts,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi imranraheel,

Yes, exactly. Just use static NAT in the ASA, and use a /28 public IP to map to your server's LAN IP. It will work indeed.

* Note: you don't need to assign the /28 public range directly to the ASA inside interface to get this to work. If you do assign it, all the hosts (LAN PCs and servers) connected to the ASA inside interface must have a public IP configured on their NIC card, which I think is not recommended (not enough public IPs), because you may have hundreds of hosts on your LAN. So the best way is to assign all LAN hosts private IPs and do static NAT for the servers in the ASA.

Another solution is to use a DMZ. If you're using an ASA 5510, it comes with 4 Ethernet ports; you can assign them as below.

eth0 : WAN port (outside)

eth1 : LAN port (inside)

eth2 : DMZ (connected to servers)

eth3 : you may use for other purposes

Put all your servers in the DMZ zone. Assign one of the /28 public IPs to your DMZ interface. All your servers connected to the DMZ interface can now have a /28 public IP assigned directly to their NIC. One drawback here is that previously your LAN PCs accessed the servers via private IP; now they must use the public IP to access the servers, which needs modification on the user end.

It's your game to choose which solution you prefer.

Regards, Nagis
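The DMZ alternative Nagis outlines, as an added example rather than anything posted in the thread: the /28 is placed directly on the ASA 5510's third port and the servers carry public addresses on their own NICs, so no translation is needed for them. Addresses are constructed documentation ranges (outside 203.0.113.0/29, DMZ 203.0.113.64/28, LAN 192.168.209.0/24), and the ACL names, security level and published port are assumptions; ASA 8.3+ behaviour (traffic matching no NAT rule passes untranslated) is assumed.

```cisco
! Added example, not from the thread. ASA 5510 port naming, 8.3+ assumed.
! Outside and inside interfaces as in the static-NAT design; only the DMZ
! side and the rules that interact with it are shown here.
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.65 255.255.255.240
!
! Servers in the DMZ are configured with 203.0.113.66, .67, ... on their
! NICs and 203.0.113.65 as default gateway. The ISP must route the /28 to
! the ASA's outside address for Internet traffic to reach this segment.
! With no NAT rule matching dmz<->outside, the ASA forwards those packets
! untranslated, so no "nat" statement is required for the servers.
!
! Inbound from the Internet: permit only the published services, addressed
! to the server's real (here also public) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.66 eq 443
access-group OUTSIDE_IN in interface outside
!
! LAN users now reach the servers by public address; inside (100) -> dmz (50)
! is allowed by default. Keep the lower-trust DMZ from initiating sessions
! back into the LAN while still letting it reach the Internet.
access-list DMZ_IN extended deny ip any 192.168.209.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! The LAN itself still shares the outside interface address (PAT). This rule
! is bound to (inside,outside), so inside -> dmz traffic is not translated.
object network LAN
 subnet 192.168.209.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

The explicit DMZ_IN list is the security point of this layout: by default the ASA only blocks the DMZ from higher-security interfaces, but any rule later added to the DMZ interface replaces that implicit behaviour, so writing the deny toward the LAN down from the start keeps a compromised public-facing server from reaching internal hosts. The user-side change Nagis mentions (LAN clients switching to the public address) follows directly from the servers no longer having private addresses.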