
New Member

ASA routing

Deploying a network with ASA having 2 Public Ranges and 1 Private Range.

The Public range is xx.xx.xx.ab/29

& xx.xx.xx.cd/28

On ASA interface 0/0 I have assigned IP /29

& on the inside interface I have assigned 192.168.209.4/24

Now would I be able to use xx.xx.xx.cd/28 on the ASA to NAT the specific inside 192.168.209.4 addresses? I want to set up 1 to 1 NAT for my servers inside.

Would I be able to do that?

7 REPLIES
VIP Super Bronze

ASA routing

You can deploy one-to-one mapping.

Have a look at this link for example:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#difference

HTH

New Member

ASA routing

Thanks for the quick reply Reza, but here is the scenario:

On ASA interface 0/0 I have assigned IP /29

& on the inside interface I have assigned 192.168.209.4/24. Now can I use xx.xx.xx.cd/28 on the ASA to NAT the specific inside 192.168.209.4 addresses? The xx.xx.xx.cd/28 isn't assigned on any interface of the ASA; would I still be able to use it?

ASA routing

Hello Imranraheel,

Yes, the setup will work (in fact you can use the network IP address for the range you bought if you need it). As soon as you add the public IP address to the NAT statement (even though it's on a separate subnet than the ASA outside interface), the ASA will start proxy-ARPing that particular public IP address, so any user on the outside that hits that specific IP address will go to your servers on the inside based on its NAT rules.

Regards,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA routing

If both your public IP ranges, /29 and /28, belong to the same ISP and the same link, where the ISP has done routing on their PE router to reach the /28 via the /29 (normally you don't need to worry about this, as it will be done by the ISP), then it is possible. I have deployed the same kind of scenario as yours on more than 50 sites (using ASA, Cisco routers, or other vendors' devices).

Regards, Nagis
New Member

ASA routing

So I can use internal private IP on the internal interface of the ASA & can use public on any server placed inside?

ASA routing

Hello,

"So I can use internal private IP on the internal interface of the ASA & can use public on any server placed inside?"

You can use public IP addresses on the inside interface as long as that interface is also on the same public subnet or there is another hop connecting to that network on the inside (ASA will need a route).

Do rate helpful posts,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA routing

Hi imranraheel,

Yes, exactly. Just use static NAT in the ASA, and use a /28 public IP to map to your server LAN IP. It will work indeed.

* Note: you don't need to assign the /28 public range directly to the ASA inside interface to get this to work. If you do assign it, all the hosts (LAN PCs and servers) connected to the ASA inside interface must have a public IP configured on their NIC, which I think is not recommended (not enough public IPs), because you may have hundreds of hosts on your LAN. So the best way is to assign all LAN hosts private IPs and do static NAT for the servers in the ASA.

Another solution is to use a DMZ. If you're using an ASA 5510, it comes with 4 Ethernet ports; you can specify them as below.

eth0 : WAN port (outside)

eth1 : LAN port (inside)

eth2 : DMZ (connected to servers)

eth3 : You may use for other purposes

Put all your servers in the DMZ zone. Assign one of the /28 public IPs to your DMZ interface. All your servers connected to the DMZ interface can now have a /28 public IP assigned directly to their NIC. One drawback here is that previously your LAN PCs accessed the servers via private IP; now they must use the public IP to access the servers, which needs modification on the user end.

It's your game to choose which solution you prefer.

Regards, Nagis
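
Added example, not part of any post above: a sketch of the static 1:1 NAT setup the replies describe, written in ASA 8.3+ object NAT syntax (the thread does not state the software version, so that is an assumption). All public addresses, the server addresses .10/.11, and the object and ACL names are constructed; only 192.168.209.4/24 on the inside interface comes from the thread.

```cisco
! Constructed addressing (RFC 5737 documentation ranges), not values from the thread:
!   outside /29 : 203.0.113.0/29    ISP gateway .1, ASA outside .2
!   second  /28 : 203.0.113.16/28   not configured on any ASA interface
!   inside      : 192.168.209.0/24  ASA inside 192.168.209.4 (from the thread)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.209.4 255.255.255.0
 no shutdown
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! One object per server; the nat line inside the object is the 1:1 mapping
! from the private host address to an address taken from the /28.
object network SRV-WEB
 host 192.168.209.10
 nat (inside,outside) static 203.0.113.18
object network SRV-MAIL
 host 192.168.209.11
 nat (inside,outside) static 203.0.113.19
!
! The translation alone admits nothing from outside. Permit only the published
! service per server; from 8.3 on, the ACL matches the real (inside) address.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq https
access-list OUTSIDE-IN extended permit tcp any object SRV-MAIL eq smtp
access-group OUTSIDE-IN in interface outside
!
! Reachability of the /28 depends on the ISP side: either the ISP routes
! 203.0.113.16/28 to 203.0.113.2, or it ARPs for each mapped address on the
! shared segment. In the ARP case, ASA releases that ignore ARP requests for
! non-connected subnets need:  arp permit-nonconnected
!
! Checks from the ASA exec prompt (198.51.100.7 is a constructed client):
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.18 443
```

Hosts on the inside keep their private addresses and never need a public IP on the NIC; only the servers that must be reachable get an object, a mapping, and an ACL entry.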