Solved: BT BUSINESS FIBRE (INFINITY) NO NAT 5

veltech · ‎07-01-2012

We have a client who has just got the BT business fibre that provides 5 usable static IP addresses, often referred to as "NO NAT 5". We are familiar with setting up the BT business connections with a PPPoE config on the outside interface connected directly to the BT Modem but where only one static IP address is used. However, this No NAT 5 product is a little more tricky. They assign a 255.255.255.248 mask giving the standard 8 addresses, of the 6 host addresses one is used on the ASA inside interface with NO NAT. The outside interface of the ASA gets a dynamic IP address from BT using DHCP which changes periodicaly, so in effect BT host the public addresses then send all traffic to the DHCP address assigned to the connection. My question is simply does anyone have a sample config showing how to configure the inside interfaces to route the various public IP addresses. For example our client has a web server which needs a NO NAT set up with the public IP address on the inside. They also have a LAN scope of 172.16.0.0/24 which is running NAT but uses one of the public IP addresses to access things like RDP to their server with port redirection. Any suggestions and help with the config greatly appreciated.

Jennifer Halim · ‎07-05-2012

All you need to do is configure NAT using those public ip addresses on the ASA firewall for those servers/hosts that you need access from the Internet.

View solution in original post

Jennifer Halim · ‎07-01-2012

Instead of using one of the address on the ASA inside interface, I would just use all the addresses to configure NAT for your server. That means you don't have to physically configure the server with the public IP, and not wasting an extra public IP on the ASA inside interface.

veltech · ‎07-04-2012

Sorry for delay getting back on this one. The only reason we were looking at using one of the public addresses on the inside is because BT provide one address for the router or firewall, which then leaves 5 public IP addresses. The outside interface always gets a dynamic address via the DHCP setup, there is no other way according to BT. This client wants a number of devices and networks on the inside which is why they got the No NAT 5 product. We have suggested a single address and then redirect ports, but they insist doing it this way. We wanted to avoid NAT on the web server, but other inside networks can run NAT. Any thoughts on how the config might look?

Jennifer Halim · ‎07-05-2012

Not quite sure i understand why you have to use one ip address on the firewall if you are not routing to that one ip address.

As i understand your ASA outside is a DHCP address and BT is routing the "No NAT 5" public ip addresses to your ASA outside DHCP address, is that correct?

Eg:

ASA outside gets public IP of 200.1.1.1, and the No NAT 5 is 100.1.1.0/29, then is BT routing 100.1.1.0/29 to 200.1.1.1?

veltech · ‎07-05-2012

Yes, that's correct BT assign a dynamic address to the outside interface obtained via DHCP and then route all traffic from the public IP address range to the dynamic address they have assigned. They call this dynamic peering. We have been looking at static routes for each public IP address and possible VLANs to handle each subnet behind the public address. It would seem that the IP address from the public range is in fact only needed on the BT router, so we think that 6 addresses are available. If this is correct then we can just set up standard config to route the public address back to the inside. Unfortunately we have 4 connections in our Lab of different specifications, but not one of these products, and we want to make sure this all works before going on site.

Thanks.

Jennifer Halim · ‎07-05-2012

All you need to do is configure NAT using those public ip addresses on the ASA firewall for those servers/hosts that you need access from the Internet.

veltech · ‎07-07-2012

Thanks for your help with this one.