09-09-2010 08:38 AM - edited 03-11-2019 11:37 AM
Hi,
My internet provider provides one /30 network and one /24 network over one link. No VLAN tagging is done by them. I would like not to use PAT and internal IPs on the DMZ, but to let DMZ hosts use IPs in the /24 network. I figure the ASA must know that incoming and outgoing traffic to and from the /24 should be routed to the DMZ. As I have no ASA in front of me now, I wonder if a static route on the outside interface would be sufficient?
ASA primary WAN IP: 1.2.3.4
ASA DMZ interface IP: 5.6.7.1
ASA /24 network that goes to DMZ: 5.6.7.0/24
LAN: 10.10.10.0/24
Would something like this route be sufficient?
ciscoasa(config-if)# route outside 5.6.7.0 255.255.255.0 5.6.7.1
09-09-2010 09:05 AM
You will not need a route for directly connected traffic. You only need the default gateway.
If you are going to use the public IPs in your DMZ then you will need to do NO NAT,
i.e.
access-list nonat permit ip 5.6.7.0 255.255.255.0 any
nat (dmz) 0 access-list nonat
That should work for outbound traffic.
For inbound traffic you will need an ACL on your outside interface to permit the traffic.
BTW, in the ASA you cannot route traffic based on the source, only based on the destination.
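Putting the reply together as a complete configuration fragment for the addresses in the question (an added example, not config from either poster). It uses the pre-8.3 NAT syntax of the reply, and assumes the ISP routes 5.6.7.0/24 to the ASA's outside address, an ISP gateway of 1.2.3.1, and a single exposed web server at 5.6.7.10 (all assumptions).

```cisco
! Constructed example; 1.2.3.1 (ISP gateway) and 5.6.7.10 (DMZ web server) are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 5.6.7.1 255.255.255.0
!
! Only the default route is needed: 5.6.7.0/24 is directly connected on dmz,
! so the ASA already forwards it there without a static route.
route outside 0.0.0.0 0.0.0.0 1.2.3.1
!
! LAN keeps using PAT behind the outside address.
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! DMZ hosts keep their public addresses: NAT exemption (nat 0) for the /24.
access-list nonat extended permit ip 5.6.7.0 255.255.255.0 any
nat (dmz) 0 access-list nonat
!
! Inbound: outside (0) to dmz (50) is denied by default, so permit only the
! exposed services to the specific DMZ host rather than the whole /24.
access-list outside_in extended permit tcp any host 5.6.7.10 eq 80
access-list outside_in extended permit tcp any host 5.6.7.10 eq 443
access-group outside_in in interface outside
```

DMZ hosts use 5.6.7.1 as their default gateway; verify the exemption with `show nat` and check that `show route` lists 5.6.7.0/24 as connected on dmz.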
09-09-2010 09:07 AM
Can you draw your topology to understand better?