Cisco ASA question:
can I carve a small range of global IP addresses from the big IP range that exists on the outside and put this small range on the DMZ interface?
The task is to have a few servers assigned global IPs but have them behind a firewall so we can control traffic towards them.
Well, apparently it is doable; I'm wondering if there are any drawbacks with that?
10.x.x.x in this test represents globally routable IP addresses from the ISP.
Three-interface ASA used for testing in the LAB:
Outside: 10.10.104.2 / 22
Dmz: 10.10.107.241 / 28 <- within "outside" ip range
Inside: 220.127.116.11 / 24
global (dmz,outside) 10.10.107.250 10.10.107.250 netmask 255.255.255.255
global (inside,outside) 10.10.107.238 18.104.22.168 netmask 255.255.255.255
There are hosts .250 connected on inside and dmz to handle traffic.
+ Access list "in" on outside permitting everything to everything.
The ASA takes configuring "overlapping" IP ranges on Outside and DMZ without warning, and
I can access 10.10.107.250 and 10.10.107.238 successfully from outside.
I was changing the mask on the outside interface from /8 to /23, and as long as the network 10.10.107.240/28 appears to the "outside world" as part of the "ASA controlled" range and traffic comes to the ASA, everything works fine.
A router would not allow me to configure overlapping ranges; the ASA does allow it and is able to pass traffic, which is good.
Basically the question becomes, is it a bug or a feature?
Use whatever subnet you wish on the DMZ physically and then use STATICS to map the addresses to the global pool. Like this.
# Maps the local server address 192.168.1.10 to the outside address of 10.10.104.10
static(DMZ,Outside) 192.168.1.10 10.10.104.10 netmask 255.255.255.255
It is possible to use any addresses on the DMZ with a proper static statement, that's right.
But my task is to have the DMZ with global addresses (for Microsoft OCS).
I can buy an extra range (different from what I have on outside) and put it on the DMZ. That would work but requires extra money.
Or I can use a small range from my existing /22 range on the outside interface, and apparently I don't have to change the mask on outside.
The ASA accepts having overlapping IP ranges on outside and DMZ interfaces, unlike a router.
What does the honourable society of Cisco ASA users think about doing that?
Well, static is still in use, but it is like this: global IP 22.214.171.124 from the DMZ is mapped to itself on Outside:
static (dmz,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255
Translations are working fine.
My concern is whether having overlapping IP spaces on the ASA may cause any problem or reduce other functionality.
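Since the ASA gives no warning about the overlap discussed in this thread, the check has to be done by hand. The following script is an added example (not from the thread or from Cisco) that does that check over the lab addressing above: it reports which interface networks overlap, parses the 8.2-style `static` lines quoted in the thread, and tells apart an identity NAT (local and global address equal) from a translating static. The inside address and the second static line are constructed placeholders; everything else is taken from the posts.

```python
import ipaddress
import re

# Constructed lab addressing based on the thread's test setup.
# The inside address is a placeholder, not the value from the post.
INTERFACES = {
    "outside": "10.10.104.2/22",
    "dmz": "10.10.107.241/28",
    "inside": "192.168.1.1/24",
}

# Static lines in the ASA 8.2-style syntax used in the thread; the first is
# the identity NAT from the post, the second is a constructed translating
# static of the kind suggested in the reply.
STATICS = [
    "static (dmz,outside) 10.10.107.250 10.10.107.250 netmask 255.255.255.255",
    "static (DMZ,Outside) 192.168.1.10 10.10.104.10 netmask 255.255.255.255",
]

STATIC_RE = re.compile(
    r"static\s*\((?P<real>\w+),(?P<mapped>\w+)\)\s+"
    r"(?P<local>\S+)\s+(?P<global>\S+)\s+netmask\s+(?P<mask>\S+)",
    re.IGNORECASE,
)


def _networks(interfaces):
    """Map interface name -> the connected network derived from its address/mask."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in interfaces.items()}


def find_overlaps(interfaces):
    """Return (name_a, name_b, relation) for each pair of interface networks that
    share address space. A router rejects such a config outright; the ASA
    accepts it silently, which is why this check is worth running."""
    nets = _networks(interfaces)
    names = sorted(nets)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = nets[a], nets[b]
            if na.subnet_of(nb):
                found.append((a, b, "subnet_of"))
            elif nb.subnet_of(na):
                found.append((b, a, "subnet_of"))
            elif na.overlaps(nb):
                found.append((a, b, "partial"))
    return found


def parse_static(line):
    """Parse one 'static (real,mapped) local global netmask mask' line.
    'identity' is True when the address is mapped to itself, as in the thread."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    d = m.groupdict()
    d["real"] = d["real"].lower()
    d["mapped"] = d["mapped"].lower()
    d["identity"] = d["local"] == d["global"]
    return d


def audit(interfaces, statics):
    """For each static, report whether the global address lies inside the
    connected network of the mapped (outside) interface, i.e. whether the ASA
    can answer for it locally, and whether it also lies inside the real
    (DMZ) interface's network, i.e. whether the ranges overlap for that host."""
    nets = _networks(interfaces)
    report = []
    for line in statics:
        s = parse_static(line)
        g = ipaddress.ip_address(s["global"])
        report.append({
            "global": s["global"],
            "identity": s["identity"],
            "in_mapped_interface_net": g in nets[s["mapped"]],
            "also_in_real_interface_net": g in nets[s["real"]],
        })
    return report


if __name__ == "__main__":
    for item in find_overlaps(INTERFACES):
        print("overlap:", item)
    for row in audit(INTERFACES, STATICS):
        print(row)
```

Running it against the thread's /22 outside mask reports `dmz` as a subnet of `outside`; changing the outside mask to /23 (as the poster tried) makes the overlap disappear, because 10.10.107.240/28 is then outside the ASA's connected range and only reaches the ASA if the ISP routes it there. The audit rows show which of the two statics is an identity NAT, so anyone reviewing the config can see at a glance which global addresses are really living on the DMZ.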
What you are doing there is called an identity NAT. It's basically an exempt if you wish. What is the problem with using a static for translating a local DMZ address to the address you wish to use on the outside interface for the OCS?