01-14-2016 03:03 PM - edited 03-12-2019 12:08 AM
Hi,
We have a block of 8 IPs and a DMZ set up on an ASA 5510. We're using static NAT to forward ports onto hosts in the DMZ, but I was wondering if it was possible to assign one of these hosts one of the public IPs directly rather than use a private IP address and static NAT?
Would there be any advantage to this?
01-14-2016 05:58 PM
You would have to configure the block on an actual ASA interface before you could configure the public IP address directly on the host.
01-14-2016 11:03 PM
Hi, we already have the block of 8 IPs configured on the outside interface. Currently, we're using static NAT to reach the internal hosts in the DMZ, but we're told that you don't need to use this all of the time, e.g. we have another host and we're told that this can use an external IP (which is obviously set on the host itself) rather than a private IP and static NAT.
We've not done this before, so we are wondering how you would go about this in the ASA. Obviously the ASA would still be doing the firewalling and access rules to the host.
01-15-2016 12:36 AM
You would need to move the block of IPs to an interface, and ask the ISP to route them via your outside interface. You will lose the network and broadcast addresses, plus one for the ASA, so you would be left with 5 usable IP addresses.
01-14-2016 11:45 PM
This is how it's typically done: