11817 Views, 0 Helpful, 16 Replies

ASA transparent mode

sahrizal123 (Level 1)

Hi,

Currently I have a network installed with a Juniper firewall and plan to change to a Cisco 5516-X (9.6).

Current setup at the Juniper:

Server NICs are configured with public IPs.
The public IPs are in 4 different subnets (203.x.x.32/28, 210.b.c.160/29, 210.b.c.80/29, 210.b.c.192/29).
Each subnet has a dedicated gateway provided by the ISP. Servers are in different subnets depending on the IP range above.
We access the firewall from outside via 203.x.x.46.

Default route 0.0.0.0 0.0.0.0 203.x.x.33
The firewall only has 2 cables: uplink (outside) and INSIDE (LAN).

For the new ASA firewall we plan to keep the same setup as above.

1. Should we configure the ASA in transparent mode?

2. The link below only shows a transparent mode setup for 1 subnet; what about when we have 4 subnets?

Does it require 4 VLANs inside?

http://ciscoasafirewall.blogspot.my/2011/06/cisco-asa-firewall-in-transparent.html

3. Does version 9.6 require a BVI?

Thanks

16 Replies

Ajay Saini (Level 7)

Hello,

You have a LAN and 4 WAN connections, each with its own default gateway.

Is the intention to load balance traffic, like source-based routing? So, what path does the LAN take to go to the internet, I mean which ISP, and what is the criterion?

Depending on the traffic segregation, you could create multiple contexts as well. Or simply perform source-based routing (PBR on the ASA) on a single-mode firewall.

-AJ

Hi AJ,

The intention is not to load balance; it is used for servers. The previous public IPs were provided by the ISP.

Same ISP and no criteria, as long as traffic can pass outside and communicate internally.

What are multiple contexts (an example?) and PBR?

No need for transparent mode? Since we have 4 subnets, it requires 4 BVIs and 4 cables from the switch to ASA ports, right? Currently the Juniper only has one LAN cable but already serves 4 subnets.

Thanks

You will need the ASA in routed mode since you have LAN and WAN in different subnets, so transparent is not an option.

So, you mean to say that the ASA will have one LAN interface and one WAN interface with a default gateway, and the 3 other ISP links do not need to terminate on the ASA; you just need to use those subnets for mapping to internal servers?

If yes, this is possible without multiple contexts or transparent mode/BVI. Let me know if that is the case and I can explain more about it.

-AJ

Hi AJ,

thanks.

Currently we have 4 public IP subnets as below.

203.x.x.32/28
210.x.x.160/29
210.x.x.80/29
210.x.x.192/29

We have 2 ports at the current Juniper FW: 1 outside and 1 inside (attached is the screenshot from the Juniper). We will follow this setup for the new ASA. I will swap the firewall in 20 minutes. Also attached is my interface setup for the ASA.

The firewall will be accessed via IP 203.x.x.46.

We only have 1 ISP, but they gave us 4 public IP subnets; each subnet's gateway is at the ISP.

I can only think of BVI, but right now there is only 1 cable to inside.

Hope you can help me, thank you AJ.

Screenshots attached from the Juniper: static routes & interfaces.

Yeah, so the final design will be:

inside interface - lan segment

outside interface - WAN IP 203.x.x.46 and the default gateway the same as in the case of the Juniper firewall.

Now, for the additional subnets, you would need to use those subnets in NAT as you would have in the case of the Juniper. The ASA, with the help of one additional command (arp permit-nonconnected), will be able to proxy ARP for those subnets even if they are not configured on the ASA. So, that should work fine. This is using single, routed mode. No need for transparent mode or BVI.

HTH

-AJ

Hi AJ,

My interface config for the ASA inside is correct, right? No need to put any IP, and only the outside gets an IP (to access the ASA)?

Can you help me with an example of NAT for the 3 public IP subnets? I have no idea, because currently the server NICs are configured with public IPs.

I will research arp permit-nonconnected.

Thanks

FYI, at the Juniper there is no configuration for the 3 public IP subnets; they are just put on the server NICs. We only had to configure access-lists to communicate.

If NAT, what about access-lists? Will the 4 subnets be in the same zone?

The other 3 subnets only need to be defined in NAT statements and not on the ASA outside interface. The outside interface config is correct; just add a default gateway the same as on the Juniper device.

Regarding NAT, based on your requirement, you can refer to the link below:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

-AJ

Hi AJ,

Which NAT should we use? Hope you can help.

  • Section 1 - Twice NAT / Manual NAT
  • Section 2 - Network Object NAT
  • Section 3 - Twice NAT / Manual NAT

Hi AJ,

I have swapped the firewall and am able to access the firewall from outside, but I am unable to reach all the servers. Can you advise which NAT (attached)?

Hello,

If you need one-to-one NAT statements, I would suggest using

  • Section 2 - Network Object NAT

If you need internet access for your internal hosts, you can achieve that using section 2 NAT as well.

From the link:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

If you want to create NAT for an internal server (10.1.1.6), let's say on public IP 192.168.100.100, you will need something like below:

object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100

Also, the access-list needs to allow the real IP address; in this case it will be 10.1.1.6.

Example (the ACL name in access-group must match the one defined with access-list):

access-list out_in extended permit tcp any host 10.1.1.6 eq 80

access-group out_in in interface outside

HTH

-AJ
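
The following is an added example, not configuration posted by anyone in this thread. It puts together the routed-mode design AJ describes (one inside, one outside, arp permit-nonconnected, object NAT, ACL on real addresses) for all four public subnets instead of the single host in the reply above. It assumes the servers are renumbered onto a private inside segment (192.168.1.0/24, as the later reply assumes), that the ISP gateway for each /29 is reachable on the same outside segment, ASA 9.6 object NAT syntax, interface names GigabitEthernet1/1 and 1/2, object names srv-web/srv-mail/srv-app/srv-dns and inside-net, and RFC 5737 documentation ranges (203.0.113.x, 198.51.100.x) standing in for the masked 203.x.x.x and 210.x.x.x subnets. The host addresses chosen inside each range are placeholders.

```cisco
! Added example config (not from the original post). Single context, routed mode.
! Addresses are RFC 5737 documentation ranges standing in for the thread's masked subnets.
! ASSUMPTION: servers sit on a private inside segment and are reached via static NAT.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.46 255.255.255.240
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route to the ISP gateway of the connected /28, as on the Juniper.
route outside 0.0.0.0 0.0.0.0 203.0.113.33 1
!
! Let the ASA answer ARP for mapped addresses that are NOT in a subnet
! configured on the outside interface (the three extra /29s). Without this,
! the ISP router's ARP requests for those addresses go unanswered.
arp permit-nonconnected
!
! One-to-one static NAT per server. srv-dns maps into the connected /28 and
! would work without arp permit-nonconnected; the other three need it.
object network srv-dns
 host 192.168.1.13
 nat (inside,outside) static 203.0.113.40
object network srv-web
 host 192.168.1.10
 nat (inside,outside) static 198.51.100.162
object network srv-mail
 host 192.168.1.11
 nat (inside,outside) static 198.51.100.82
object network srv-app
 host 192.168.1.12
 nat (inside,outside) static 198.51.100.194
!
! Everything else on inside goes out PAT'd behind the outside interface IP.
! Static object NAT is evaluated before dynamic, so the servers above keep
! their public addresses for outbound traffic too.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! On 8.3+ code the interface ACL is matched against the REAL (inside) address,
! so permit the private server addresses (via their objects), never the public ones.
access-list outside_in extended permit udp any object srv-dns eq 53
access-list outside_in extended permit tcp any object srv-web eq 80
access-list outside_in extended permit tcp any object srv-web eq 443
access-list outside_in extended permit tcp any object srv-mail eq 25
access-list outside_in extended permit tcp any object srv-app eq 443
access-group outside_in in interface outside
```

To check the result from the CLI, `show nat detail` lists the translations and their hit counts, `show arp` on the ISP side (or `debug arp` briefly on the ASA) confirms the ASA is answering for 198.51.100.162 and the others, and `packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.162 80` walks a simulated inbound packet through the NAT and ACL phases and shows which phase drops it. Two points to verify with the ISP before relying on this: return traffic for each /29 must actually arrive on the same L2 segment as the ASA outside interface for proxy ARP to help, and packets sourced from the /29 addresses will leave via the 203.0.113.33 gateway, so the ISP must not drop them with source-address filtering; if it does, policy-based routing on the ASA (available from 9.4) can send each mapped subnet to its own gateway.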

Hi AJ,

FYI, I am using public IPs on the server NIC cards.

Should we NAT one-to-one with the public IPs, static?

So, you plan to add those public IP addresses from the 3 other ISP subnets on the servers directly?

If that is the case, where is the gateway going to be? I am assuming that those servers are on the inside segment; please clarify.

Since your inside segment is different, i.e. 192.168.1.0/24, the 3 other subnets you can use by NATing on the ASA (static NAT).

-AJ

Yup, the 3 subnets are also on the servers directly.

203.x.x.32/28 --> 1 IP used as management to access the FW, 203.x.x.46; servers inside also have 203.x.x.32/28 addresses
210.x.x.160/29
210.x.x.80/29
210.x.x.192/29

Now I have configured transparent mode and set BVI 1 to 203.x.x.46 <-- for access.

The inside interface I changed to bridge-group 1; IP set to 203.x.x.32/28.

I am able to access the 203.x.x.32/28 range only; the other 3 subnets can't be reached.

I plan now to put 3 more cables from FW ports to the switch for the 3 other subnets and create 3 more BVIs.

But in transparent mode I can't set up IPsec VPN? I have a VPN in production now.

Or should we focus on routed mode?
