ASA Class C IP addressing, routing subnet design issue, brainstorming, comments welcome!

will
Level 3

I am carving up an internet Class C for a customer. This Class C is used by 3 distinct firewalls: QA, Corporate and Production. I want to carve up the IP space so there is a /26 for each environment. The issue I have is that the firewalls may need to communicate with each other via the public IP space. Currently I don't have any L3 switches between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.

I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IPs in the 4th (last remaining) /26. That way, I can allow the firewalls to communicate over their primary interface IPs, which will all be in the same subnet, without going through a routing "engine"/device.

For the actual environment subnets (NATs on the respective firewalls), I create a static route on the edge router pointing to each firewall's primary IP for the respective environment routes (the first three /26s).

This is still a beta design, but I have done this before on a small scale when an ISP gave me 2 subnets, for example, assuming I was going to put a router between the customer firewall and the ISP. I would use the "routed subnet" on the ASA interface, and then pull the NATs from the other subnet. The ISP would have to add a static route directing the NAT subnet to the correct IP in the "routed subnet", which would be the firewall outside interface primary IP.

I recently found out that with ASA OS 8.4.3 and up, the ASA will not proxy ARP for IPs not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won't be worthwhile with newer ASA 8.4.3 code.

Any ideas on how to communicate between different ASAs while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 Class C?



Jon Marshall
Hall of Fame

I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet.      

That is a surprise, especially as using a different subnet from the one used to connect the ASA to the router for NAT is quite a common setup.

Anyway, as we are brainstorming, here are a couple of options that spring to mind. Please feel free to shoot them down.

For both solutions you still have 4 x /26: the first 3 for each firewall to use as NAT, and then the last /26 for the firewall interfaces + the ISP internal interface.

Option 1 

======

When you allocate the IPs to the firewall outside interfaces and the ISP internal interface, they come out of the last /26 range but you use a /24 subnet mask. The router will ARP out for all addresses within the /24 subnet, but the firewalls should only answer via proxy ARP for any statically mapped NAT entries that they have. They will answer because the /26 they use for NAT is within the range of their outside interface IP, because that is using a /24.

Obviously, because the interfaces are in the same /24 range, they will be able to talk to each other without bouncing off the router.

Option 2

=======

Pretty much the same as Option 1, except the ISP router uses a /26 subnet and has routes for each /26 NAT subnet pointing to the relevant firewall. This way you don't have as many ARPs being sent by the ISP router. The firewalls still have to use a /24 mask to enable them to talk with each other. And the firewalls and router still need to have IPs from the last /26.

Both would need testing and I may have missed something, but I would have thought both would work.

Jon

Hi Jon,

the current version, 8.4.4.5, has an option to restore the old behaviour so that you are again able to reply to ARPs from a non-connected subnet. You activate that with the command "arp permit-nonconnected".

@Will: I would tend to Jon's Option 1 as it is the more "clean" solution.
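As an added example (not code from any participant in this thread), the script below models the two rules the posts above rely on and checks the OP's carve-up against Jon's two options and Karsten's `arp permit-nonconnected` fix. It assumes the RFC 5737 block 203.0.113.0/24 stands in for the customer's Class C, that the firewalls take 203.0.113.193-.195 and the edge router 203.0.113.254 out of the 4th /26, and two sample static NATs per firewall; the ASA behaviour is modelled exactly as the posts describe it (a static NAT address is proxy-ARPed only if it falls inside the outside interface's subnet unless `arp permit-nonconnected` is set), not verified against ASA code. The router rule is the ordinary one: it ARPs directly only for destinations in a connected subnet and otherwise ARPs for the static route's next hop.

```python
"""Subnet-plan checker for the three-firewall /24 design in this thread.

Added example, not from any post.  Addresses are RFC 5737 documentation
space chosen here; the ASA rule is the thread's description of 8.4.3+
behaviour, not a verified model of the ASA code.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

PUBLIC_BLOCK = IPv4Network("203.0.113.0/24")   # the "Class C" being carved
ROUTER_IP = IPv4Address("203.0.113.254")       # assumed edge-router address


def carve(block: IPv4Network, new_prefix: int = 26) -> list[IPv4Network]:
    """Split the block into equal subnets: the first three become the QA,
    Corporate and Production NAT ranges, the last holds interface IPs."""
    return list(block.subnets(new_prefix=new_prefix))


@dataclass
class Firewall:
    name: str
    outside: IPv4Interface             # outside interface IP with its mask
    nat_pool: IPv4Network              # the /26 this firewall's NATs use
    static_nats: list[IPv4Address] = field(default_factory=list)
    permit_nonconnected: bool = False  # 'arp permit-nonconnected' set?

    def will_proxy_arp(self, addr: IPv4Address) -> bool:
        """Would this ASA answer an ARP request for addr?"""
        if addr not in self.static_nats:      # only mapped addresses qualify
            return False
        if self.permit_nonconnected:          # override Karsten mentions
            return True
        return addr in self.outside.network   # 8.4.3+ default: connected only


def router_arps_for(router: IPv4Interface, dst: IPv4Address) -> bool:
    """True if the router treats dst as on-link and ARPs for it directly."""
    return dst in router.network


def static_routes(firewalls: list[Firewall]) -> list[str]:
    """IOS static routes for Jon's Option 2 (router keeps a /26 mask):
    each NAT /26 is routed to the owning firewall's outside IP."""
    return [f"ip route {fw.nat_pool.network_address} {fw.nat_pool.netmask} "
            f"{fw.outside.ip}" for fw in firewalls]


def needs_static_arp(firewalls: list[Firewall], router: IPv4Interface):
    """Static-NAT addresses the router would ARP for but no firewall answers:
    exactly the entries that would need 'arp <ip> <mac> arpa' on the router,
    the mess the original poster wants to avoid."""
    return [(fw.name, nat) for fw in firewalls for nat in fw.static_nats
            if router_arps_for(router, nat) and not fw.will_proxy_arp(nat)]


def build(fw_prefix: int, router_prefix: int, permit_nonconnected=False):
    """Lay out the plan: firewalls take the first hosts of the 4th /26
    (.193, .194, .195) and two sample static NATs each from their own /26."""
    qa, corp, prod, infra = carve(PUBLIC_BLOCK)
    hosts = list(infra.hosts())                # 203.0.113.193 .. .254
    firewalls = [
        Firewall(name, IPv4Interface(f"{hosts[i]}/{fw_prefix}"), pool,
                 [pool.network_address + 10, pool.network_address + 11],
                 permit_nonconnected)
        for i, (name, pool) in enumerate([("qa", qa), ("corp", corp),
                                          ("prod", prod)])
    ]
    router = IPv4Interface(f"{ROUTER_IP}/{router_prefix}")
    return firewalls, router


def scenario(fw_prefix: int, router_prefix: int, permit_nonconnected=False):
    """Return the NAT addresses that would need static ARP on the router."""
    return needs_static_arp(*build(fw_prefix, router_prefix, permit_nonconnected))


if __name__ == "__main__":
    cases = {
        "firewalls /26, router /26 + static routes (Option 2)": (26, 26, False),
        "firewalls /26, router /24, default ARP (the 8.4.3 problem)": (26, 24, False),
        "firewalls /24, router /24 (Option 1)": (24, 24, False),
        "firewalls /26, router /24, arp permit-nonconnected": (26, 24, True),
    }
    for label, args in cases.items():
        print(f"{label}: {len(scenario(*args))} address(es) need static ARP")
    print("\n".join(static_routes(build(26, 26)[0])))
```

The interesting result is the first case: when the router keeps a /26 mask and static-routes each NAT /26 to the owning firewall, it never ARPs for the NAT addresses at all, so the 8.4.3 proxy-ARP change does not bite regardless of the firewalls' mask. Only a router that sees the whole /24 as connected needs the firewalls to answer, which is where the /24 mask or `arp permit-nonconnected` comes in.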

Thanks for the info. I would have been surprised if there wasn't an option to enable proxy ARP for a non-connected subnet.

So no need for either of the options I outlined.

Jon

Thanks Jon, Karsten, I appreciate the follow-up. I didn't mention that the 4th /26 would be subnetted a bit so that the edge router could run on some of the IPs in this range; it wouldn't be a full /26. I kept the model simple so as not to confuse the design more for the sake of discussion. Since that last /26 would actually be smaller subnets, the two options from Jon would probably not work with the /24 on the firewalls, as that would preclude them from routing, for example, to a /32 loopback on the edge router.

In any case, it was someone from Cisco TAC, I believe, that mentioned no proxy ARP for non-local subnets. It was in another post here on NetPro. Looks like Cisco thought this was insecure, took the feature out, but then put it back in! Sheesh! I'm a little confused, and somewhat concerned. I might just design this with /26s and the firewall interface IPs in the local subnets. That might be the safest choice.

Thanks again,

Will
