09-26-2012 05:41 PM - edited 03-11-2019 04:59 PM
I am carving up an internet Class C for a customer. This Class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up the IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.
I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).
This is still a beta design, but I have done this before on a small scale when the ISP gave me 2 subnets, for example, assuming I was going to put a router in between the customer firewall and the ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the correct “routed subnet” IP - which would be the firewall outside interface primary IP.
I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
Any ideas on how to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?
09-26-2012 06:38 PM
I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet.
That is a surprise especially as using a different subnet than the one used to connect the ASA to the router for NAT is quite a common setup.
Anyway, as we are brainstorming, here are a couple of options that spring to mind. Please feel free to shoot them down.
For both solutions you still have 4 x /26: the first 3 for each firewall to use as NAT and then the last /26 for the firewall interfaces + the ISP internal interface.
Option 1
======
When you allocate the IP to the firewall outside interfaces and the ISP internal interface, they come out of the last /26 range but you use a /24 subnet mask. The router will arp out for all addresses within the /24 subnet, but the firewalls should only answer via proxy arp for any statically mapped NAT entries that they have. They will answer because the /26 they use for NAT is within the range of their outside interface IP, because that is using a /24.
Obviously, because the interfaces are in the same /24 range they will be able to talk to each other without bouncing off the router.
Option 2
=======
Pretty much the same as option 1, except the ISP router uses a /26 subnet and has routes for each /26 NAT subnet pointing to the relevant firewall. This way you don't have as many arps being sent by the ISP router. The firewalls still have to use a /24 mask to enable them to talk with each other. And the firewalls and router still need to have IPs from the last /26.
Both would need testing and I may have missed something, but I would have thought both would work.
Jon
09-26-2012 10:57 PM
Hi Jon,
The actual version 8.4.4.5 has an option to restore the old behaviour so that you again are able to reply to ARPs from a non-connected subnet. You activate that with the command "arp permit-nonconnected".
@Will: I would tend to Jon's Option 1 as it is the more "clean" solution.
Sent from Cisco Technical Support iPad App
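A sketch of Jon's Option 2 for the edge router and one of the three ASAs, with Karsten's 8.4.4.5 alternative noted at the end. This is an added example, not configuration from the thread; it assumes the customer /24 is 203.0.113.0/24 (RFC 5737 documentation space used as a placeholder), the environment /26s are .0, .64 and .128, the last /26 (.192) holds the router (.193) and the QA/Corporate/Production outside interfaces (.194/.195/.196), and the interface names and inside hosts are invented.

```cisco
! ---- Edge router (IOS), inside-facing interface in the last /26 ----
! Router keeps a /26 mask, so it only ARPs for .192-.255.
interface GigabitEthernet0/1
 ip address 203.0.113.193 255.255.255.192
!
! One static route per environment /26, next hop = that environment's
! firewall outside IP. The router never ARPs for the NAT'd addresses.
ip route 203.0.113.0   255.255.255.192 203.0.113.194
ip route 203.0.113.64  255.255.255.192 203.0.113.195
ip route 203.0.113.128 255.255.255.192 203.0.113.196
!
! ---- QA ASA (8.4.x), outside interface ----
! Address comes from the last /26, but the mask is /24 so that the QA
! NAT block (203.0.113.0/26) and the other firewalls' outside IPs all
! look directly connected: the ASA proxy-ARPs for its static NATs and
! reaches the Corporate/Production firewalls without touching the router.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.194 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
!
! Static NAT for a QA host onto an address inside QA's /26.
object network qa-web
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.10
!
! Alternative on 8.4.4.5+ (Karsten's note): keep the outside interface at
! 255.255.255.192 and add the global command below so the ASA again
! answers ARP for mapped addresses that are not in its connected subnet.
! arp permit-nonconnected
```

With the /24 mask on the ASA, Will's later caveat applies: anything smaller than the /26 carved out of the .192 range on the router side (a loopback, for instance) is treated by the ASA as directly connected and will need an explicit route.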
09-26-2012 11:23 PM
Thanks for the info. I would have been surprised if there wasn't an option to enable proxy-arp for a non-connected subnet.
So no need for either of the options I outlined.
Jon
09-27-2012 10:40 AM
Thanks Jon, Karsten. I appreciate the followup. I didn't mention that the 4th /26 would be subnetted a bit so that the edge router could run on some of the IP's in this range. It wouldn't be a full /26. I kept the model simple so as to not confuse the design more for the sake of discussion. Since that last /26 would actually be smaller subnets, the two options from Jon would probably not work with the /24 on the firewalls, as that would preclude them from routing, for example, to a /32 loopback on the edge router.
In any case, it was someone from Cisco TAC, I believe, that mentioned no proxy-arp for a non-local subnet. It was in another post here on NetPro. Looks like Cisco thought this was insecure, took the feature out, but then put it back in! Sheesh! I'm a little confused, and somewhat concerned. I might just design this with /26's and the firewall interface IP's in the local subnets. That might be the safest choice.
Thanks again,
Will