Let DMZ have a public network, static route?

3moloz123
Level 1

Hi,

My internet provider provides one /30 network and one /24 network over one link. No VLAN tagging is done by them. I would like not to use PAT and internal IPs on the DMZ, but to let DMZ hosts use IPs in the /24 network. I figure the ASA must know that incoming and outgoing traffic to and from the /24 should be routed to the DMZ. As I have no ASA in front of me now, I wonder if a static route on the outside interface would be sufficient?

ASA primary WAN IP: 1.2.3.4

ASA DMZ interface IP: 5.6.7.1

ASA /24 network that goes to DMZ: 5.6.7.0/24

LAN: 10.10.10.0/24

Would something like this route be sufficient?

ciscoasa(config-if)# route outside 5.6.7.0 255.255.255.0 5.6.7.1

3 Replies

You will not need to route traffic that is directly connected. You only need the default gateway.

If you are going to use the public IP in your DMZ then you will need to do NO NAT,

i.e.:

access-list nonat extended permit ip 5.6.7.0 255.255.255.0 any

nat (dmz) 0 access-list nonat

That should work for outbound traffic.

For inbound traffic you will need an ACL on your outside interface to permit the traffic.

BTW, you cannot route traffic based on the source, only based on the destination (in the ASA).
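The pieces described in this reply, assembled into one ASA 8.2-style configuration as an added example (not posted in the thread). The interface names, the ISP gateway 1.2.3.1 on the /30, the Exchange host 5.6.7.10 and the permitted ports are assumptions; the pre-8.3 `nat 0 access-list` syntax is the one the reply uses.

```cisco
! Added example, not from the thread. ASA 8.2-style config: the DMZ uses the
! ISP-routed /24 directly, exempt from NAT, and inbound traffic is limited by ACL.
! Assumed: ISP gateway 1.2.3.1 on the /30, Exchange host 5.6.7.10 in the DMZ,
! and the ISP routing 5.6.7.0/24 toward the ASA's outside address 1.2.3.4.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 5.6.7.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Only the default route is needed: 5.6.7.0/24 is directly connected on dmz,
! so the ASA already knows it; no "route outside 5.6.7.0 ..." statement.
route outside 0.0.0.0 0.0.0.0 1.2.3.1
!
! NAT exemption: DMZ hosts keep their public addresses (no PAT on 5.6.7.0/24).
access-list nonat extended permit ip 5.6.7.0 255.255.255.0 any
nat (dmz) 0 access-list nonat
!
! Inbound from outside (security-level 0) to dmz (50) needs an explicit ACL.
! Permit only what the Exchange host must receive; everything else hits the
! implicit deny at the end of the list.
access-list outside_in extended permit tcp any host 5.6.7.10 eq smtp
access-list outside_in extended permit tcp any host 5.6.7.10 eq https
access-group outside_in in interface outside
```

With `nat 0 access-list`, the exemption also applies to DMZ-to-inside flows, so the inside hosts see the real 5.6.7.x source addresses in their logs.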

Can you draw your topology so we can understand it better?

Not very good at drawings; I added an Exchange server in the DMZ. Hope it makes it clearer.
