01-17-2016 06:27 AM - edited 03-12-2019 12:09 AM
Hi
I have a requirement where I can assign a Public Pool IP address to my LAN server. I don't want to do one-to-one NAT.
ISP IP Address: 2.2.2.1 /30
ASA IP Address: 2.2.2.2 /30
ASA DGW: 2.2.2.1
Public IP Pool from ISP: 3.3.3.0 - 3.3.3.7 /29
I want to assign one of the Public Pool IP addresses directly to my server, e.g. 3.3.3.1
Question:
What will be the ASA configuration?
What will be the gateway of the server?
I have also attached the topology I am looking for.
Thanks and regards
01-17-2016 11:16 AM
More than likely you won't be able to make this work. You need to figure out another way of doing this.
01-17-2016 12:34 PM
That's really weird, if ASA does not support this. I am really expecting more from ASA. Let's hope for the best, if I find someone who has done something similar before.
01-17-2016 12:37 PM
This is not an ASA issue. This is a fundamental and basic networking concept to do with IP routing. You have a fundamental issue with your network design preventing this configuration.
01-18-2016 12:15 AM
Customer has already the same implementation with DrayTek Router and we are going to replace the DrayTek with ASA. If ASA does not support the same feature, probably we have to stick with DrayTek just because of this feature.
01-18-2016 12:21 AM
Without NAT the only way to make this work is with a routed subnet to the server. I suspect things are not working as you think.
01-18-2016 12:25 AM
Here is the link; that's exactly how we configured the DrayTek. The customer is looking for similar behavior from the ASA.
http://www.draytek.com/index.php?option=com_k2&view=item&id=5660&Itemid=293&lang=en
01-18-2016 12:37 AM
It looks to me like it is setting up a routed /30 subnet.
An easier config would be to create a DMZ and put 3.3.3.0/29 on it. Then put the servers you want to have public IP addresses directly into the DMZ with real IP addresses on them. Then no NAT for servers. Users can be NATed to the outside IP address of the ASA and life will be simple.
01-23-2016 09:49 AM
Hi Philip
I am giving it a shot as you mentioned.
!
interface Ethernet0/3
nameif Routed_LAN
security-level 0
ip address 3.3.3.1 255.255.255.248
Two Questions:
1st Question: What will be the Internet route for this interface? I tried to add two routes, but without success:
route Routed_LAN 0.0.0.0 0.0.0.0 2.2.2.1 (ISP Gateway)
ERROR: Cannot add route entry, conflict with existing routes
route Routed_LAN 0.0.0.0 0.0.0.0 2.2.2.2 (ASA IP Address)
%Invalid next hop address, it belongs to one of our interfaces
ASA Configuration:
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 2.2.2.2 255.255.255.252
route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1
2nd Question:
What will be the gateway of the server in the Routed_LAN subnet?
Thanks.
01-23-2016 09:52 AM
The Routed_LAN won't need a gateway on the ASA; it will use the default route of the ASA to your ISP. Your ISP will need to route 3.3.3.0/29 via 2.2.2.2.
For a server plugged into the Routed_LAN segment, its gateway will be that of the ASA, 3.3.3.1.
Your new config will work perfectly.
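Putting the pieces of Philip's answer together, the following is the complete ASA configuration this design implies. It is an added example, not the configuration either poster actually ran: the DMZ security level of 50, the server address 3.3.3.2, the inside network 192.168.1.0/24 and the published service (TCP/443) are assumptions chosen for illustration.

```cisco
! Added example: routed public /29 on a DMZ interface, no NAT for the servers.
! Assumed values: DMZ security-level 50, server 3.3.3.2, inside 192.168.1.0/24, TCP/443.
!
! ISP-facing link (the /30 from the thread)
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 2.2.2.2 255.255.255.252
!
! Routed public /29: the ASA owns 3.3.3.1 and the servers use it as their gateway.
! Security-level 50 (assumed) sits between OUTSIDE (0) and inside (100), so
! DMZ-to-Internet flows are allowed by level and Internet-to-DMZ needs an ACL.
interface Ethernet0/3
 nameif Routed_LAN
 security-level 50
 ip address 3.3.3.1 255.255.255.248
!
! Private LAN (assumed addressing), PATed behind the OUTSIDE address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! One default route is enough: 3.3.3.0/29 is directly connected, and the ISP
! must statically route 3.3.3.0/29 to 2.2.2.2 for the return traffic.
route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1
!
! NAT only for the inside LAN. Keep the source object to 192.168.1.0/24 (not
! "any") so the rule never catches Routed_LAN traffic, which must leave untranslated.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,OUTSIDE) dynamic interface
!
! Only the published service reaches the server from the Internet (assumed: HTTPS).
object network WEB-SERVER
 host 3.3.3.2
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! Management: limit SSH to the /29 and the inside LAN rather than 0.0.0.0 0.0.0.0
ssh 3.3.3.0 255.255.255.248 Routed_LAN
ssh 192.168.1.0 255.255.255.0 inside
```

Two things to check before blaming the ASA. First, `packet-tracer input OUTSIDE tcp 8.8.8.8 12345 3.3.3.2 443` should show the flow passing the ACL with no NAT phase; if a NAT rule appears, a broader source object (for example `any`) is translating the DMZ subnet and must be narrowed as above. Second, the ISP route for 3.3.3.0/29 toward 2.2.2.2 is the one piece the firewall cannot supply; without it the server can send but never receives replies, which is exactly the symptom the two rejected `route Routed_LAN` commands earlier in the thread were trying to solve on the wrong box. If the DMZ is kept at security-level 0 as the original poster configured it, both interfaces sit at the same level and `same-security-traffic permit inter-interface` is also required, since the ASA denies same-level traffic by default.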
01-23-2016 10:04 AM
I don't have any server plugged into Routed_LAN at the moment, but I will give it a try tomorrow. I am trying to configure it remotely.
I have enabled SSH for the Routed_LAN interface, but I am not able to connect remotely:
ssh 0.0.0.0 0.0.0.0 Routed_LAN
I tried the following and here is the result:
MyFW# ping tcp Routed_LAN 8.8.8.8 53
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 8.8.8.8 port 53
from 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/6 ms
MyFW#
01-23-2016 10:19 AM
Routed_LAN is not your connection to your ISP, correct? Your ISP connects via your Outside IP address 2.2.2.0 /30, correct?
If you want to connect to the ASA from the Routed_Lan then use:
ssh 0.0.0.0 0.0.0.0 Routed_LAN
If you want to connect from the outside world then use:
ssh 0.0.0.0 0.0.0.0 outside
If you want to connect from inside of the network then use:
ssh 0.0.0.0 0.0.0.0 inside
The interface says where the SSH traffic must come in from.
01-23-2016 10:25 AM
Hi Philip
Routed_LAN is not my connection to ISP. ISP connects via Outside IP Address 2.2.2.0/30.
I will give it a shot tomorrow by connecting the server to Routed_LAN. Thanks for all your sincere help.
01-23-2016 10:24 PM
Hi Philip
I connected a Server and everything worked like a charm.
Thanks a lot and really appreciate all your sincere help.
Stay blessed.
01-23-2016 10:45 PM
You're welcome. I hope you'll enjoy your change to the ASA platform. It is a much nicer config having it work this way as well.