https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885476#M958790 <HTML><HEAD></HEAD><BODY><P>Technically, what you want is possible. But for efficently using ASA, you should meet the following requirements</P><P> 1)Inside and outside interfaces should be in different networks</P><P> 2)If all hosts including the seperated 6 will be pluuged into 1 switch, then you should apply VLANs. Or use a different hub or switch for these 6 hosts</P><P></P><P>Regards</P></BODY></HTML> Wed, 12 Dec 2007 20:11:20 GMT Alan Huseyin Kayahan 2007-12-12T20:11:20Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885473#M958787 <P>Hello all,</P><P></P><P>I just wanted to know a basic answer I guess... does the ASA5510 only act as a routing device or can I deploy it within a network already having a router as a gateway?</P><P>I already have a network setup with around 100 hosts (out of 254). I have to deploy the firewall on 6 hosts within it, can I just assign IP addresses to its external and internal interface from within the network and connect those hosts to its internal interface ?</P><P>Or do I have to set it up as a gateway for those hosts ?</P><P></P><P>Murtaza</P> Mon, 11 Mar 2019 11:42:52 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885473#M958787 csco11029214 2019-03-11T11:42:52Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885474#M958788 <HTML><HEAD></HEAD><BODY><P>Hi Murtaza</P><P> Sure you can. Tell us what exactly you want to achieve so that we can help in design.</P><P></P><P>Regards</P></BODY></HTML> Wed, 12 Dec 2007 15:24:08 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885474#M958788 Alan Huseyin Kayahan 2007-12-12T15:24:08Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885475#M958789 <HTML><HEAD></HEAD><BODY><P>Hello Husy,</P><P></P><P>I have 6 hosts on a network 31.8 - 31.13 , I want these hosts to be behind the ASA5510 so is it possible to connect the external interface of the ASA5510 to the switch and then the 6 hosts to its internal interface? The other hosts still remain connected to the switch. </P><P>So the ASA just acts as a bridge I guess and if I address it's external interface as 31.6 and the internal interface as 31.7 and the required hosts connected through a hub to 31.7, will the firewall server the purpose this way ?</P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Wed, 12 Dec 2007 17:14:16 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885475#M958789 csco11029214 2007-12-12T17:14:16Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885476#M958790 <HTML><HEAD></HEAD><BODY><P>Technically, what you want is possible. But for efficently using ASA, you should meet the following requirements</P><P> 1)Inside and outside interfaces should be in different networks</P><P> 2)If all hosts including the seperated 6 will be pluuged into 1 switch, then you should apply VLANs. Or use a different hub or switch for these 6 hosts</P><P></P><P>Regards</P></BODY></HTML> Wed, 12 Dec 2007 20:11:20 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885476#M958790 Alan Huseyin Kayahan 2007-12-12T20:11:20Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885477#M958791 <HTML><HEAD></HEAD><BODY><P>Ok, that means what I am thinking of doing is not possible on the same network within a single switch. What about Passive and Active firewall, can I achieve that if the firewall is mad Passive ?</P><P></P><P>Regards</P></BODY></HTML> Thu, 13 Dec 2007 12:37:11 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885477#M958791 csco11029214 2007-12-13T12:37:11Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885478#M958792 <HTML><HEAD></HEAD><BODY><P>Please explain in details what you want to do with ASA, what benefits of ASA do you need and why do you seperate these 6 hosts. And what is the model of your switch?</P></BODY></HTML> Thu, 13 Dec 2007 12:43:41 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885478#M958792 Alan Huseyin Kayahan 2007-12-13T12:43:41Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885479#M958793 <HTML><HEAD></HEAD><BODY><P>Ok, we have around 200 servers on the network 31.0 - 31.255 at the DC. One of our clients having 6 servers within needs his servers to be secured by ASA5510 with ACLs and Crypto tunnels. I have configured the firewall but I was looking for a way to deploy the firewall on those servers without actually changing the IP addresses of the servers.</P><P>Being technically aware that I should create a /29 subnet for the 6 servers and then deploy the firewall as the gateway, I was looking for a workaround as the guys at the data center will not put efforts in subnetting and I can not do it remotely.</P><P></P><P>Regards,</P></BODY></HTML> Thu, 13 Dec 2007 12:58:18 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885479#M958793 csco11029214 2007-12-13T12:58:18Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885480#M958794 <HTML><HEAD></HEAD><BODY><P></P><P>Does any one have any suggestion for my situation ?</P><P></P><P>Regards,</P><P>Murtaza</P></BODY></HTML> Fri, 14 Dec 2007 11:53:03 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885480#M958794 csco11029214 2007-12-14T11:53:03Z https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885481#M958795 <HTML><HEAD></HEAD><BODY><P>Murtaza</P><P> You really should make changes on infrastructure while adding a firewall doesnt matter if it is PIX, Microsoft ISA or etc. What you want achieve is a Demilitarized Zone (DMZ) for these 6 servers take place. But you can not assign IP adresses to two different interfaces in same network. Each interface should have different netwokrs.</P><P> Besides as you know, a host do not require a gateway to pass through if the destination host is in same network, so firewall would not function in this case.</P><P> A scruffy workaround is, adding another PIX or router, creating a network between, then creating one-to-one NATs like</P><P></P><P>x.x.31.8-- --172.16.1.8--R--x.x.31.8</P><P>x.x.31.9--A--172.16.1.9--O--x.x.31.9</P><P>x.x.31.10-S--172.16.1.10-U--x.x.31.10</P><P>x.x.31.11-A--172.16.1.11-T--x.x.31.11</P><P>x.x.31.12- --172.16.1.12-E--x.x.31.12</P><P>x.x.31.13- --172.16.1.13-R--x.x.31.13</P><P></P><P>^_______^ ^___________^ ^___________^</P><P> DMZ CO-NETWORK REAL NETWORK</P><P> </P><P>The CO-Network will be unseen for both real network and DMZ. ASA's outside interface is directly connected to router's inside interface. And router's outside interface is connected to real network.</P><P> There is no other way than that. </P><P></P><P>Regards</P></BODY></HTML> Fri, 14 Dec 2007 14:12:39 GMT https://community.cisco.com/t5/network-security/asa-routing-network-addressing/m-p/885481#M958795 Alan Huseyin Kayahan 2007-12-14T14:12:39Z