dovla091
Beginner

ASA NAT between two public IPs

Hi,

 

I have one (probably, for you guys/girls, very basic) question to ask. I have never tried it myself as I don't currently possess an ASA, but in my company we have a really weird network configuration which is super difficult to fix at this point, as I have a large number of servers, network devices, etc. to modify and configure with different IPs (unless I build a parallel network, which I will eventually do). For some reason the previous IT engineers, or should I say "engineer wannabes", implemented 1 WAN address with a public IP (for easier interpretation let's say 194.190.10.25/30) and 1 internal address (again with a public IP addressing scheme -> 135.80.101.35/23; I don't know why they didn't simply use private IP addressing of class A, B or C and follow some general rules). So in short, I have used Cisco Packet Tracer 7.2 to simulate the configuration on a 5506, but I assume that the PT application is not exactly the same as a real ASA... Is there a constraint in models such as the 5516-X in regards to setting up 2 interfaces with 2 public addresses and doing PNAT or SNAT between them, with access lists, VPN connections and the other most common things that you set up in today's firewalls?

 

Will the firmware block me from creating 2 interfaces with public addresses and NAT between them, or are there no constraints...?

Also, if I remember correctly, Cisco ASA's DHCP server has a limit of 254 IPs per network. Did they fix that and allow a network larger than /24? (I know that I have the possibility of DHCP relay to a dedicated DHCP server, but I would like to know if the same constraint is still applicable.)

 

Thank you in advance and have yourself a great weekend,

Warmest regards

 


Sheraz.Salim
VIP Advocate

Is there a constraint in models such as the 5516-X in regards to setting up 2 interfaces with 2 public addresses and doing PNAT or SNAT between them, with access lists, VPN connections and the other most common things that you set up in today's firewalls?

 

You can use one interface on the ASA 5516-X as outside and assign a public IP address to it. You can do NAT, either PNAT or SNAT, for the servers you have in the DMZ/inside, or you can use the other spare public IP for this purpose. Remember that each network is different and has a different solution. Once you have gathered all the information you can tell us what you want, and we are here to help you.

 

 

Will the firmware block me from creating 2 interfaces with public addresses and NAT between them, or are there no constraints...?

 

It depends on what your requirements are. I am not going into deep detail when there is no network design.

 

 

Also, if I remember correctly, Cisco ASA's DHCP server has a limit of 254 IPs per network. Did they fix that and allow a network larger than /24? (I know that I have the possibility of DHCP relay to a dedicated DHCP server, but I would like to know if the same constraint is still applicable.)

 

DHCP relay is supported on the ASA; it also does DHCP itself, though.

 

please do not forget to rate.

Well, the thing is: I know that I can use 1 or more interfaces for WAN and do NAT and everything else with internal interfaces (usually people stick with a private IP scope from either class A, B or C). In my current company they use a Unix/Linux OS running as a router/firewall, and since it was done by non-professionals they have used a public IP for WAN (obviously, as it is connected to the ISP gateway) and again a different public IP for the internal network. So instead of using, let's say, 192.168.1.0/23 they used the public range 123.123.123.0/23 for the internal interface. On a Linux box you can set any IP you want on an interface (there are no constraints saying "that's an internal interface, you cannot use a public IP, you need to use private IPs from class A, B or C"). What I was wondering is whether the ASA complains if I use the "public" range 123.123.123.0/23 on the internal interface, or simply doesn't care...? (Talking about version 9.x.)


Example config: (please keep in mind that I don't have ASA here with me, so some commands can be wrong as I am doing it from my head/memory)

configure terminal
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ! .72 is the network address of the /30, so a host address (.73 or .74) is needed
 ip address 190.11.55.74 255.255.255.252
 no shutdown
 exit
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 123.123.123.1 255.255.254.0
 no shutdown
 exit
! Object NAT: dynamic PAT of the whole inside range to the outside interface address.
! 123.123.123.0 is not on a /23 boundary; the network that contains it is 123.123.122.0/23.
object network INSIDE-NET
 subnet 123.123.122.0 255.255.254.0
 nat (inside,outside) dynamic interface
 exit
! Default route towards the ISP side of the /30 (gateway address assumed to be .73)
route outside 0.0.0.0 0.0.0.0 190.11.55.73

also implementing access lists to allow traffic to flow...

So in short, will the ASA allow me to create interfaces and do NAT (PNAT/SNAT) and access lists between 2 interfaces which both use public IPs like in the example, or will it complain and not allow me to create them...?



(I hope you did understand what I am trying to say). :)

P.S. Sorry if my first question made you confused.
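Before typing an address plan like the one in the post into a real ASA, it is worth checking the addresses themselves. The script below is an added example, not part of the thread and not Cisco code: it takes the poster's hypothetical addresses (190.11.55.72/30 outside, 123.123.123.0/23 inside, both constructed for illustration) and flags the things the ASA will refuse or that will hurt later: an interface address that is the network or broadcast address of its mask, an object `subnet` whose address has host bits set, an inside range carved from public space (which makes the legitimate holders of that range unreachable from behind the firewall), and inside/outside ranges that overlap. The check functions, the plan dict layout and the `INSIDE-NET` style of naming are this example's own conventions.

```python
"""Sanity-check an ASA interface and NAT address plan before typing it in.

Added example, not from the thread and not Cisco code. The addresses are the
hypothetical ones used in the post.
"""
import ipaddress
from typing import Dict, List


def check_interface(addr: str, mask: str) -> List[str]:
    """Problems with an 'ip address <addr> <mask>' interface statement."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    # /31 and /32 have no separate network/broadcast address, so only check shorter masks
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return [f"{addr}/{mask}: {iface.ip} is the network or broadcast address of {net}, "
                f"not a usable host address"]
    return []


def check_object_subnet(addr: str, mask: str) -> List[str]:
    """Problems with an 'object network <name>' / 'subnet <addr> <mask>' statement."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
    except ValueError:
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        return [f"{addr}/{mask}: address is not on the mask boundary; the network is {net}"]
    return []


def check_ranges(inside: str, outside: str) -> List[str]:
    """Cross-checks between the inside and outside networks."""
    problems = []
    inside_net = ipaddress.IPv4Network(inside, strict=False)
    outside_net = ipaddress.IPv4Network(outside, strict=False)
    if inside_net.is_global:
        problems.append(f"{inside_net} is public address space: hosts behind the ASA will "
                        f"never reach the real Internet holders of {inside_net}")
    if inside_net.overlaps(outside_net):
        problems.append(f"inside {inside_net} overlaps outside {outside_net}")
    return problems


def check_plan(plan: Dict[str, str]) -> List[str]:
    """Run every check over a plan dict; returns the list of problems (empty = clean)."""
    problems: List[str] = []
    problems += check_interface(plan["outside_ip"], plan["outside_mask"])
    problems += check_interface(plan["inside_ip"], plan["inside_mask"])
    problems += check_object_subnet(plan["nat_subnet"], plan["nat_mask"])
    problems += check_ranges(f"{plan['inside_ip']}/{plan['inside_mask']}",
                             f"{plan['outside_ip']}/{plan['outside_mask']}")
    return problems


# The poster's example addresses, copied from the config in the post (constructed input).
POSTED_PLAN = {
    "outside_ip": "190.11.55.72", "outside_mask": "255.255.255.252",
    "inside_ip": "123.123.123.1", "inside_mask": "255.255.254.0",
    "nat_subnet": "123.123.123.0", "nat_mask": "255.255.254.0",
}

# Same plan with the two addressing slips fixed; the public-space warning remains,
# because that is the inherited design the poster has to live with for now.
FIXED_PLAN = {**POSTED_PLAN, "outside_ip": "190.11.55.74", "nat_subnet": "123.123.122.0"}

if __name__ == "__main__":
    for name, plan in (("posted", POSTED_PLAN), ("fixed", FIXED_PLAN)):
        print(f"{name}:")
        for problem in check_plan(plan) or ["no problems"]:
            print("  -", problem)
```

The posted plan yields three findings (outside host address, object subnet boundary, public inside range); the fixed plan yields only the public-range warning, which cannot be removed without the renumbering the poster is planning.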

This is possible; it will work. Your inside has a public IP address, the ASA will not complain about this, and the outside has a (real) public IP address, so when you do dynamic PNAT it will work. Was this public IP given to you by your ISP, or was it cowboy work?

 

As a packet from inside comes in and goes to outside, the ASA will mask the real IP, use the real public IP and forward it to the Internet. As it is a stateful firewall, the session will be kept in the ASA's cache, so return traffic will come back along the same path.

 

please do not forget to rate.

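To make the mechanism in the accepted answer concrete, here is a toy model of what `nat (inside,outside) dynamic interface` does on the way out and on the way back. It is an added example, not part of the thread and not Cisco code: the outbound packet leaves with the outside interface address and a mapped port, the reply is matched against the translation (xlate) table and handed back to the real inside host, and a packet with no matching entry is dropped. Port allocation, timeouts and how xlates are keyed are simplified assumptions, not the ASA's exact algorithm. The addresses (123.123.122.0/23 inside, 190.11.55.74 outside, 8.8.8.8 and 203.0.113.5 as peers) are constructed. The model also shows the cost of the inherited addressing: anything an inside host sends to the public range squatted on the inside is routed back inside and never reaches the Internet.

```python
"""Toy model of ASA dynamic PAT ('nat (inside,outside) dynamic interface')
with a stateful translation table.

Added example, not from the thread and not Cisco code. Port allocation,
timeouts and xlate keying are simplified assumptions.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class DynamicPat:
    """Stateful PAT of one inside network to a single outside interface address."""

    def __init__(self, inside_net: str, outside_ip: str) -> None:
        self.inside_net = ipaddress.IPv4Network(inside_net)
        self.outside_ip = outside_ip
        # forward xlate: (proto, real src, real sport, dst, dport) -> mapped port
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}
        # reverse xlate: (proto, mapped port, peer ip, peer port) -> (real src, real sport)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self._ports = itertools.count(1024)   # assumption: sequential ports, never reused

    def egress_interface(self, dst: str) -> str:
        """Routing decision: the inside range is a connected route, everything
        else follows the default route out of the outside interface."""
        return "inside" if ipaddress.IPv4Address(dst) in self.inside_net else "outside"

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None when the
        packet is not subject to this NAT rule (wrong source, or routed back inside)."""
        if ipaddress.IPv4Address(pkt.src) not in self.inside_net:
            return None
        if self.egress_interface(pkt.dst) != "outside":
            return None                         # destination lives in the squatted range
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        mapped = self.forward.get(key)
        if mapped is None:                      # first packet of the session builds the xlate
            mapped = next(self._ports)
            self.forward[key] = mapped
            self.reverse[(pkt.proto, mapped, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, mapped, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the un-translated packet for an existing
        session, or None (drop) when nothing in the xlate table matches."""
        if pkt.dst != self.outside_ip:
            return None                         # not addressed to the PAT address
        real = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if real is None:
            return None                         # unsolicited: no session, dropped
        real_ip, real_port = real
        return Packet(pkt.proto, pkt.src, pkt.sport, real_ip, real_port)


if __name__ == "__main__":
    pat = DynamicPat("123.123.122.0/23", "190.11.55.74")
    out = pat.outbound(Packet("udp", "123.123.122.10", 51000, "8.8.8.8", 53))
    print("outbound:", out)
    print("reply:", pat.inbound(Packet("udp", "8.8.8.8", 53, "190.11.55.74", out.sport)))
    print("unsolicited:", pat.inbound(Packet("tcp", "203.0.113.5", 4444, "190.11.55.74", 2222)))
    print("to squatted range goes via:", pat.egress_interface("123.123.122.50"))
```

The last line of the demo is the practical caveat: with 123.123.122.0/23 connected on the inside, a packet for 123.123.122.50 (a host that, on the real Internet, belongs to whoever holds that block) is routed to the inside interface and never translated, so those Internet hosts are simply unreachable from behind the firewall until the network is renumbered.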

Hi again. I believe it's cowboy work. I cannot imagine that an ISP would do such a thing, as it's nonsense to me...

That's good news then. I can do PNAT, SNAT, VPN, ACLs, etc... So then, I will replace my current Linux box with something professional. At first I'll use the same IP schema, and in parallel create a new network, do the routing between the two networks, and then gradually move (reconfigure) the servers to the new network.

Thank you once again and have a great weekend
