05-09-2017 09:32 PM - edited 03-12-2019 02:20 AM
Hi,
Currently I have a network installed behind a Juniper firewall and plan to change to a Cisco 5516-X (9.6).
Current setup at Juniper:
Server NICs are configured with public IPs.
The public IPs are in 4 different subnets (203.x.x.32/28, 210.b.c.160/29, 210.b.c.80/29, 210.b.c.192/29).
Each subnet has a dedicated gateway provided by the ISP. Servers are on different subnets depending on the IP range above.
We access the firewall from outside by 203.x.x.46.
Default route 0.0.0.0 0.0.0.0 203.x.x.33
The firewall only has 2 cables: uplink (outside) and INSIDE (LAN).
For the new ASA firewall we plan to keep the same setup as above.
1. Should we configure the ASA in transparent mode?
2. The link below only shows a transparent mode setup for 1 subnet; what about when we have 4 subnets?
Does it require 4 VLANs inside?
http://ciscoasafirewall.blogspot.my/2011/06/cisco-asa-firewall-in-transparent.html
3. Does version 9.6 require a BVI?
Thanks
05-10-2017 06:26 AM
Hello,
Since you have a LAN and 4 WAN connections with their own default gateways:
Is the intention to load balance traffic, like source-based routing? So, what path does the LAN take to go to the internet, I mean which ISP, and what is the criteria?
Depending on the traffic segregation, you could create multiple contexts as well. Or simply perform source-based routing (PBR on ASA) in single-mode firewall.
-AJ
05-10-2017 08:25 AM
Hi AJ,
The intention is not to load balance; it is used for servers. The previous public IPs were provided by the ISP.
Same ISP and no criteria, as long as it can pass outside and communicate internally.
What are multiple contexts and PBR, with an example?
No need for transparent mode? Since we have 4 subnets, it requires 4 BVIs and 4 cables from the switch to ASA ports, right? Currently the Juniper only has one LAN cable but already serves 4 subnets.
Thanks
05-10-2017 08:29 AM
You will need the ASA in routed mode since you have LAN and WAN in different subnets, so transparent is not an option.
So, you mean to say that the ASA will have one LAN interface and one WAN interface with a default gateway, and the 3 other ISP subnets do not need to terminate on the ASA; you just need to use those for mapping to internal servers?
If yes, this is possible without multiple contexts or transparent mode/BVI. Let me know if that is the case and I can explain more about it.
-AJ
05-10-2017 08:43 AM
Hi AJ,
Thanks.
Currently we have 4 public IP subnets as below.
203.x.x.32/28
210.x.x.160/29
210.x.x.80/29
210.x.x.192/29
We have 2 ports at the current Juniper FW, 1 outside and 1 inside (attached is the screenshot at the Juniper); we will follow this setup for the new ASA. I will swap the firewall in 20 minutes. Attached also is my interface setup for the ASA.
The firewall will be accessed by IP 203.x.x.46.
We only have 1 ISP but they give us 4 public IP subnets; each subnet's gateway is at the ISP.
I can only think of BVI, but right now there is only 1 cable to inside.
Hope you can help me, thank you AJ.
Screenshots attached from the Juniper: static routes and interfaces.
05-10-2017 08:49 AM
Yeah, so the final design will be:
inside interface - LAN segment
outside interface - WAN IP 203.x.x.46 and default gateway the same as in the case of the Juniper firewall.
Now, for the additional subnets, you would need to use those subnets in NAT as you would have in the case of the Juniper. The ASA, with the help of one additional command (arp permit-nonconnected), will be able to proxy ARP for those subnets even if they are not configured on the ASA. So, that should work fine. This is using single, routed mode. No need for transparent mode or BVI.
HTH
-AJ
05-10-2017 08:53 AM
Hi AJ,
My interface for inside on the ASA is correct, right? No need to put any IP, and only outside gets an IP (to access the ASA)?
Can you help me by advising an example of NAT for the 3 public IP subnets? I have no idea because currently the server NICs are configured with public IPs.
I will research arp permit-nonconnected.
Thanks
05-10-2017 08:56 AM
FYI, at the Juniper there is no configuration for the 3 public IP subnets; they are put directly on the server NICs. We only have to configure access-lists to communicate.
If we NAT, what about the access-list? Will the 4 subnets be in the same zone?
05-10-2017 09:09 AM
The other 3 subnets only need to be defined in NAT statements and not on the ASA outside interface. The outside interface config is correct; just add a default gateway the same as on the Juniper device.
Regarding NAT, based on your requirement, you can refer to the link below:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
-AJ
05-10-2017 09:19 AM
Hi AJ,
Which NAT should we use? Hope you can help.
05-10-2017 09:26 AM
05-10-2017 10:14 AM
Hello,
If you need one-to-one nat statement, I would suggest using
If you need internet access for your internal hosts, you can achieve the same using the section 2 NAT.
From the link:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
If you want to create NAT for an internal server (10.1.1.6), let's say on public IP 192.168.100.100, you will need something like below:
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100
Also, the access-list needs to allow the real IP address; in this case it will be 10.1.1.6.
Example:
access-list out_in permit tcp any host 10.1.1.6 eq 80
access-group out_in in interface outside
HTH
-AJ
05-10-2017 10:22 AM
Hi AJ,
FYI, I'm using public IPs on the server NICs.
Should we NAT one-to-one with the public IPs, static?
05-10-2017 10:29 AM
So, you plan to add those public IP addresses from the 3 other ISP subnets on the servers directly?
If that is the case, where is the gateway going to be? I am assuming that those servers are on the inside segment; please clarify.
Since your inside segment is different, i.e. 192.168.1.0/24, the 3 other subnets you can use by NATing on the ASA (static NAT).
-AJ
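As an added example (not AJ's or the original poster's configuration), this is the routed-mode design AJ describes in this thread: two interfaces, one default route, arp permit-nonconnected, static NAT for a server on a non-connected ISP subnet, and an ACL on the real address. The inside segment 192.168.1.0/24 is from the thread; the public addresses are placeholders from the RFC 5737 documentation ranges standing in for the masked 203.x.x.32/28 and 210.x.x.160/29 subnets, and the interface names and server IP are assumed.

```cisco
! Added example: routed-mode ASA 9.x config for the design discussed in this thread.
! Public addresses are placeholders (RFC 5737 documentation ranges) standing in for
! the masked 203.x.x.32/28 and 210.x.x.160/29 subnets on the page.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.46 255.255.255.240
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Single default route to the ISP gateway of the connected /28, as on the Juniper
route outside 0.0.0.0 0.0.0.0 203.0.113.33 1
!
! Let the ASA answer ARP on outside for NAT addresses that are not in a connected subnet
arp permit-nonconnected
!
! Section 2 (object) NAT: a server on an inside private IP (assumed 192.168.1.10)
! exposed on a public IP taken from a non-connected ISP /29 (placeholder 198.51.100.162)
object network SRV-WEB
 host 192.168.1.10
 nat (inside,outside) static 198.51.100.162
!
! Outbound PAT for the rest of the inside segment behind the outside interface address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Post-8.3 ACLs reference the real (inside) address, and only the ports actually served
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
```

This only works if the ISP gateways for the extra /29s sit on the same layer-2 segment as the outside interface, so that they see the ASA's proxy-ARP replies for the NAT addresses; proxy ARP on outside must also stay enabled (it is by default).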
05-10-2017 10:45 AM
Yup, the 3 subnets are also on the servers directly.
203.x.x.32/28 --> 1 IP as management to access the FW, 203.x.x.46; servers inside also have 203.x.x.32/28
210.x.x.160/29
210.x.x.80/29
210.x.x.192/29
Now I have configured transparent mode and set BVI 1 to 203.x.x.46 <-- to access.
I changed interface inside to bridge-group 1, IP set to 203.x.x.32/28.
Able to access the 203.x.x.32/28 range only; the other 3 subnets can't.
I now plan to put 3 more cables from FW ports to the switch for the 3 more subnets and create 3 more BVIs.
But in transparent mode I can't set up IPsec VPN? I have a VPN in production now.
Or should we focus on routed mode?