01-06-2014 05:10 AM - edited 03-11-2019 08:25 PM
Hi all
Please see the attached drawing; I hope you understand it.
I have a FrontEnd Firewall (ASA 5510). Outside Interface on this firewall is connected to ISP edge router with a /30 network in between.
The FrontEnd Firewall's Inside interface is in a /28 network (public IP addresses). This /28 is static routed by my ISP to the FrontEnd Firewall's Outside interface and Proxy ARP is enabled.
I now need more public IPs on the DMZ network between the FrontEnd and the Backend Firewall. My ISP has static routed another /29 network to my FrontEnd Firewall's Outside interface.
But how do I route this new network assigned by my ISP? The FrontEnd Firewall's Inside interface can only be in one subnet, not two different subnets at once. Is there some clever solution, or do I have to add the new subnet to a new physical interface on the FrontEnd Firewall?
Best Regards
Steffen.
01-06-2014 06:01 AM
Steffen
Backend Firewall is running NAT so clients can access the internet with one public IP (from the DMZ), but the servers in the DMZ zone I assigned real public IPs because they are webservers in the DMZ.
No problem. You could still use private addressing and NAT on the front end firewall for the servers, which is a common setup, but it doesn't matter.
So what I understand from you and Jouni is that I need to create a new DMZ zone on a new interface (or use trunk and VLAN on my DMZ switch)?
Yes, although Jouni also gave another option, but I have never tried that so I didn't comment. Another DMZ would be the option I would recommend, either using a new interface on the ASA or by trunking if you don't have a spare interface.
Jon
01-06-2014 05:33 AM
Hi,
Even though you have shared the picture of the setup I am not 100% sure of it. Are you saying that you have a network with hosts/servers between the 2 firewalls?
Typically Proxy ARP would be used on the Internet edge of the firewall towards the ISP. Now what you want to achieve is essentially have a "secondary" network on the "inside" interface of the Front End Firewall.
One option that was used in the older software, and I guess will work with the newer software, would be to do the following.
For example, network 2.2.2.0/29:
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.240
!
! Make the ASA answer ARP for 2.2.2.1 on the inside interface with the given
! MAC (aaaa.bbbb.cccc is a placeholder for the inside interface's MAC address)
arp inside 2.2.2.1 aaaa.bbbb.cccc alias
! Point the /29 back at the inside interface's own address so the ASA treats
! it as reachable on that interface
route inside 2.2.2.0 255.255.255.248 1.1.1.1
You could test this out.
Not a really suggestible approach to get this done.
Another option might be to configure a new DMZ on the Front End Firewall
- Jouni
01-06-2014 05:48 AM
Steffen
I'm not clear on whether you want the /29 and the /28 to be seen as the same subnet ?
Usually private IPs are used for real IPs and then you use the public IPs for NAT on the front end firewall. Then, as long as the ISP routes the public subnets to your front end firewall, you can simply use them for NAT and have all your actual devices using a private IP range.
If you do the above then running out of public IPs just means getting a new range.
But it looks like you have assigned the devices real public IPs from the /28 range. Now you want additional IPs to assign to real devices.
The best solution is, as Jouni says, to create a new DMZ for the new public IP range. If you don't have spare interfaces then you could look to use a trunk link between the switch (I'm assuming there is one) and the inside interface of the front end firewall, and then have subinterfaces for each public IP range.
This would obviously require some downtime whilst it was configured.
Note also that if there is a chance of running out of public IPs again, then it may be better to use private addressing for the new subnet and simply use the new public IPs for NAT on the front end firewall, although this would mean having different setups for your existing public IPs and new public IPs, so you may want to stay consistent with your current design and simply assign the new public IPs to the actual devices.
Jon
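A worked configuration of the trunk-and-subinterface approach Jon describes, added here as an example and not taken from either poster. It assumes the front end ASA's inside port is GigabitEthernet0/0 as in Jouni's snippet, keeps the existing /28 on a subinterface still named inside, puts the /29 (2.2.2.0/29 from Jouni's example) on a second subinterface, and assumes VLAN ids 28 and 29, an outside ACL called OUTSIDE_IN and a webserver at 2.2.2.2.

```cisco
! Front end ASA: one physical link trunked (802.1Q) to the DMZ switch,
! one subinterface per public range. VLAN ids and names are assumed.
interface GigabitEthernet0/0
 description trunk to DMZ switch
 no nameif
 no security-level
 no ip address
!
! Existing /28 moves onto a tagged subinterface; keeping the nameif
! "inside" means existing ACLs and routes that reference it keep working.
interface GigabitEthernet0/0.28
 vlan 28
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.240
!
! New /29 routed by the ISP to the outside interface.
interface GigabitEthernet0/0.29
 vlan 29
 nameif dmz2
 security-level 50
 ip address 2.2.2.1 255.255.255.248
!
! The ISP already routes 2.2.2.0/29 to the outside address and the
! servers carry the public IPs themselves, so no NAT rule is needed;
! the outside ACL alone decides what is reachable from the Internet.
! (On old code with nat-control enabled, an identity static would
! also be required for the /29 hosts.)
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.2 eq 80
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Zone-to-zone behaviour: with inside at 100 and dmz2 at 50, hosts on
! the /28 can reach the /29 by default but not the other way round.
! If both are given the same security level, traffic between them is
! dropped unless the following is enabled:
! same-security-traffic permit inter-interface
```

The switch port facing GigabitEthernet0/0 must be a trunk carrying VLANs 28 and 29, and the DMZ hosts' access ports moved into the matching VLAN, which is the downtime Jon refers to.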
01-06-2014 05:54 AM
Hi Jon
Backend Firewall is running NAT so clients can access the internet with one public IP (from the DMZ), but the servers in the DMZ zone I assigned real public IPs because they are webservers in the DMZ.
So what I understand from you and Jouni is that I need to create a new DMZ zone on a new interface (or use trunk and VLAN on my DMZ switch)?
Regards Steffen.
01-06-2014 05:59 AM
Hi
From the perspective of the ASA and rest of the network it would probably be simpler to setup a new DMZ network on the ASA itself.
Naturally you can try the configuration I provided if possible, but as I said it's not really something that would be suggestible in a production environment. I usually run into such things when there is no real other option in the short term to get things working for the user/customer.
- Jouni