PC with Public IP and not NATTED

joe.marcelo9
Level 1

Hi All, my Internet connection is terminated on the router, passes the firewall and then the LAN.

(ISP) --- Router --- ASA --- LAN

I have been told to connect two PCs with public IPs, and they should not be part of the LAN and not NATted.

Can this be done?


10 Replies

Joe,

Yes, if you want to test something, you can use a PC configured with the public IP address. Don't forget to configure the default gateway. However, it's a good idea to provide us more information about your requirement. What kind of Internet media did the ISP provide you?

Toshi

Jon Marshall
Hall of Fame

Joe

A bit more information is needed.

The public IPs, are they part of an existing range that is already in use on the router/firewall, or are these separate addresses?

Could you provide some more details on the IP addressing?

Also, do you have spare interfaces on your ASA? What model is it?

I'm assuming that these PCs need protecting by the firewall?

Jon

Hi Jon, I need help on two different requirements: one in this topic and another posted in the Security section.

This is for Office2.

The ISP gave us a /29 and we use one IP on the firewall and another for SMTP.

The ISP is in the same building, so they dropped an Ethernet cable to the office.

When I asked the department who requested plugging in two PCs with public IPs about security, they replied with a smile that the PCs have a software-based firewall.

I would also be eager to understand: if I have a spare interface on the firewall, can I pass traffic without NATting?

Joe

"I would also be eager to understand: if I have a spare interface on the firewall, can I pass traffic without NATting?"

Yes you can.

However, if the /29 is already partly being used then you have a problem with putting the PCs on their own DMZ. You don't have enough addressing, because the only thing down from a /29 is a /30, and this only gives you 2 addresses; you would need at least 3, one for the ASA DMZ interface and 2 for the PCs.

So the only place you can place them, if they have to have public IPs, is between the firewall and the router, and obviously then the firewall can't protect the PCs. You could use an ACL on the router to give a form of rudimentary filtering, but it is basic.

Why do they need public IPs? Are connections being initiated to the PCs? Do these 2 PCs need to communicate with devices in your LAN?

Jon

Jon,

Unfortunately it's partly used.

If I manage to get another /29 range from the ISP, how do I configure it?

The PCs don't need any connection with the LAN.

Joe

If you can get another /29 then, assuming you have a spare interface, it is relatively straightforward.

Are you comfortable configuring the ASA interfaces?

Also, for the type of NAT to use, I still need to understand whether connections will only be initiated from the PCs or whether connections can be initiated from the Internet to these PCs?

One last question: if you place the PCs into a DMZ, where physically within the building will they be? I.e. if you put them in a DMZ they need L2 adjacency with the ASA firewall; how easy will this be from a purely logistical point of view?

Jon

I have one interface free on the ASA.

Not sure if connections need to be initiated from outside; let's assume it is needed.

Configuring the interface: if you mean the IP address, then I'm OK.

The request mentioned that the IPs should not be NATted.

The PCs will be connected next to the ASA cabinet.

Maybe this info is helpful.

The PCs are running Windows 2003 Server with a hardened OS.

Once the Internet connection is provided to these PCs, they will talk to another server in the US running a Check Point firewall and a custom application.

These PCs will have a printer connected directly to get printouts.

Joe

Okay then you are pretty much good to go.

Let's assume that you get the range 195.17.17.0/29.

Assign 195.17.17.1 to the ASA interface.

Assign 195.17.17.2 to PC1.

Assign 195.17.17.3 to PC2.

To not NAT:

access-list NONAT permit ip host 195.17.17.2 host 212.10.10.1

access-list NONAT permit ip host 195.17.17.3 host 212.10.10.1

nat (DMZ1) 0 access-list NONAT

A couple of things to note about the above:

i) DMZ1 is the name of the DMZ interface created on the ASA. You can use any name you want.

ii) 212.10.10.1 is the IP address of the server in the US that the PCs are connecting to.

Make sure that the security level is less than the outside interface, and traffic will be allowed by default to go out to the Internet.

Finally, if you want to allow connections to be initiated from the US server to the PCs, all the above is still relevant, but you will also need to add entries to the ACL on your outside interface.

Jon
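As an added worked example (not part of the thread, and not Cisco's or Jon's code), the script below does the address planning and NAT-exemption config that Jon's accepted answer walks through, and also checks his earlier point that a /30 carved out of a /29 leaves only 2 usable addresses when 3 are needed. It uses Python's standard ipaddress module, the legacy pre-8.3 ASA syntax from the post (nat 0 access-list), and the interface and ACL names DMZ1 and NONAT that Jon chose; the lint function is an assumption of mine that flags a NAT-exemption ACL which names the ASA interface address instead of a PC, or which misses a PC entirely, so the exemption would silently not apply to that host.

```python
import ipaddress
import re

# Matches the host-to-host ACL form used in the thread (pre-8.3 ASA syntax).
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")


def usable_hosts(cidr):
    """Assignable host addresses in a block (network and broadcast excluded)."""
    return len(list(ipaddress.ip_network(cidr, strict=True).hosts()))


def plan_dmz(cidr, pc_names, remote_server, iface="DMZ1", acl="NONAT"):
    """Allocate one address for the ASA DMZ interface plus one per PC from cidr,
    then emit the NAT-exemption lines. iface/acl default to the names Jon used
    (assumed; any name works on the ASA)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    needed = 1 + len(pc_names)
    if len(hosts) < needed:
        raise ValueError(
            f"{cidr} gives {len(hosts)} usable addresses, need {needed} "
            "(one for the ASA interface plus one per PC)"
        )
    assignments = {"ASA " + iface: hosts[0]}          # first usable -> ASA
    assignments.update(zip(pc_names, hosts[1:needed]))  # the rest -> PCs
    config = [
        f"access-list {acl} permit ip host {assignments[pc]} host {remote_server}"
        for pc in pc_names
    ]
    config.append(f"nat ({iface}) 0 access-list {acl}")
    return assignments, config


def lint_nonat(config, asa_if, pc_addrs, remote_server):
    """Return problems found in NAT-exemption ACL lines: an entry whose source
    is the ASA interface rather than a PC, an unknown source, a destination that
    is not the remote server, or a PC with no entry at all."""
    asa_if = ipaddress.ip_address(asa_if)
    pc_set = {ipaddress.ip_address(a) for a in pc_addrs}
    remote = ipaddress.ip_address(remote_server)
    seen, problems = set(), []
    for line in config:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # the nat (...) 0 line and anything else is not an ACE
        _, src, dst = m.groups()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src == asa_if:
            problems.append(f"{line}: source is the ASA interface address, not a PC")
        elif src not in pc_set:
            problems.append(f"{line}: source {src} is not one of the PCs")
        else:
            seen.add(src)
        if dst != remote:
            problems.append(f"{line}: destination {dst} is not the remote server")
    for pc in sorted(pc_set - seen):
        problems.append(f"no NAT-exemption entry for PC {pc}")
    return problems


if __name__ == "__main__":
    # Constructed input using the addresses from the thread.
    assignments, config = plan_dmz("195.17.17.0/29", ["PC1", "PC2"], "212.10.10.1")
    for name, addr in assignments.items():
        print(f"{name}: {addr}")
    print("\n".join(config))
    print("usable in a /30:", usable_hosts("195.17.17.0/30"))
    # An ACL that exempts the ASA interface (.1) and only one PC (.2).
    posted = [
        "access-list NONAT permit ip host 195.17.17.1 host 212.10.10.1",
        "access-list NONAT permit ip host 195.17.17.2 host 212.10.10.1",
        "nat (DMZ1) 0 access-list NONAT",
    ]
    for p in lint_nonat(posted, "195.17.17.1", ["195.17.17.2", "195.17.17.3"], "212.10.10.1"):
        print("problem:", p)
```

Running it prints the three assignments, the two ACL entries for the PCs plus the nat (DMZ1) 0 line, confirms a /30 only has 2 usable addresses, and reports two problems for the mis-written ACL: the first entry names the ASA interface, and 195.17.17.3 has no exemption entry. Because inbound connections from the US server depend on the same exemption, the lint is worth running before adding the outside-interface ACL entries Jon mentions.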

This is very, very clear.

I will test once I get the IPs.

Thanks so much, Jon.

No problem, glad to have helped.

Jon
