topic Re: ASA - overlapping IP ranges on outside and dmz interfaces in Network Security

ASA - overlapping IP ranges on outside and dmz interfaces

a.gesse — Mon, 11 Mar 2019 17:04:01 GMT

Hello,

Cisco ASA question,
if I can carve small range of global IP addresses from big IP range that exists on outside and put this small range to dmz interface?.

The task is to have a few servers assigned global IP but have them behind a firewall so we can control traffic towards them.
Well, apparently it is doable,wondering if there are any drawbacks with that?

10.x.x.x it this test represent globally routable IP addresses from ISP

Three-interface ASA used for testing in the LAB:
Outside:   10.10.104.2 / 22
Dmz:        10.10.107.241 / 28   <- within "outside" ip range
Inside:      1.1.1.1 / 24

global (dmz,outside) 10.10.107.250 10.10.107.250 netmask 255.255.255.255
global (inside,outside) 10.10.107.238 1.1.1.250 netmask 255.255.255.255,

there are hosts .250 connected on inside and dmz to hangle traffic.

+ Access list "in" on outside permitting everithing to everything
+ nat-control

ASA takes configuring "overlapping" ip ranges on Outside and DMZ without warning and
I can access 10.10.107.250 and 10.10.107.238 successfully from outside

I was changing the mask on outside interface from /8 to /23, and as far as the network 10.10.107.240/28 appears to "outside world" as part of "ASA controlled" range and traffic comes to ASA - everything works fine.

Router would not allow me to configure overlapping ranges, ASA does allow and able to pass traffic, which is good.
Basically the question becomes, is it a bug or a feature?

Thank you,
Alexander

Re: ASA - overlapping IP ranges on outside and dmz interfaces

Kent Heide — Tue, 02 Feb 2010 13:11:26 GMT

Use whatever subnet you wish on the DMZ physically and then you use STATICS to map the addresses to the global pool. Like this.

# Interfaces

Outside: 10.10.104.2/22

DMZ: 192.168.1.0/24

Inside: 1.1.1.1/24

# Maps the local server address 192.168.1.10 to the outside address of 10.10.104.10

static(DMZ,Outside) 192.168.1.10 10.10.104.10 netmask 255.255.255.255

Re: ASA - overlapping IP ranges on outside and dmz interfaces

a.gesse — Tue, 02 Feb 2010 14:45:37 GMT

It is possible to use any addresses on DMZ with proper Static statement, that's right
But my task is to have DMZ with global addresses, (for Microsoft OCS).

I can buy extra range (different from what I have on outside) and put on DMZ. That would work but require extra money.
Or I can use a small range from my existing /22 range on outside interface, and aparently i don't have to change mask on outside.

ASA accepts having overlapping IP ranges on outside and DMZ interfaces, unlike a router.

What the honourable society of cisco asa users thinks about doing that?

Thanks
Alexander

Re: ASA - overlapping IP ranges on outside and dmz interfaces

Kent Heide — Tue, 02 Feb 2010 15:46:51 GMT

What is the specific reason to as why static will not be the solution for you?

Re: ASA - overlapping IP ranges on outside and dmz interfaces

a.gesse — Tue, 02 Feb 2010 16:19:39 GMT

Well, static is still in use, but it is like that, Global IP 64.1.1.101 from DMZ is mapped to itself on Outside:

static (dmz,outside) 64.1.1.101 64.1.1.101 netmask 255.255.255.255

Translations are working fine

My concern is if having overlapping IP spaces on ASA may cause any problem or reduce other functionality

Thanks
Alexander

Re: ASA - overlapping IP ranges on outside and dmz interfaces

Kent Heide — Tue, 02 Feb 2010 16:54:51 GMT

What you are doing there is called an identity NAT. It's basically an exempt if you wish. What is the problem with using a static for translating a local DMZ address to the address you wish to use on the outside interface for the OCS?