04-10-2019 07:34 AM
Good Afternoon All,
I've got an ASA 5516 FirePower here on site running 9.10(1).
The outside interface is allocated a /29 from the ISP, let's call it 1.2.3.112/29.
The ASA outside (Gi1/1) address is 1.2.3.114/29 and the ISP router is 1.2.3.113/29.
We've got a few site-to-site IPSec tunnels bonded to this ASA and our internet bound traffic goes out through it.
Now what I'm wanting to do is pass through one of the un-allocated WAN IP addresses, say 1.2.3.116 to another interface on the firewall without using NAT for a test system. Effectively:
Internet -------- ISP Router (1.2.3.113/29) -------- (1.2.3.114/29) ASA ---------- Test Device (1.2.3.116/29)
I have Gi1/6 spare on the inside.
The reason I want to do this is for testing an IPSec site-to-site on a new firewall being built.
The current ASA is in routed mode and I need to avoid disruption to the extant traffic and IPSec connections.
I've looked around on this forum and generally on the internet and not managed to find a solution.
I tried setting up a DMZ on Gi1/6, setting up DMZ and OUTSIDE interface rules to permit, and adding a no-NAT rule, but this didn't work.
Wireshark on a test device showed that I wasn't getting an ARP response, so I set up static proxy ARP for the gateway IP with the ASA interface MAC which resolved this but still didn't get traffic passing.
Does anyone have any advice on doing this without resorting to using an RFC 1918 private address on the DMZ with 1-1 NAT?
Much appreciated.
04-10-2019 09:31 PM
04-12-2019 01:19 AM
Francesco,
We want to achieve this without NAT to give a more realistic simulation of the deployment scenario for the test firewalls, without having NAT-T and double-NAT considerations in our tests which won't be there when the units are deployed out to their destination sites.
Ideally I don't want to have to put a switch in between the ISP router and the ASA to be able to make use of the /29.
I wonder if I could move the outside interface address to a BVI and then make a few interfaces on the ASA part of a bridge group for the outside with suitable firewall rules, then use these interfaces for test devices that need WAN addressing?
There would be some disruption in doing this but it's not necessarily a problem which can't be overcome.
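The bridge-group idea floated above, written out as an added example; this is not configuration from the thread, from Francesco, or from Cisco documentation, and the member interface names (`outside_isp`, `outside_test`), the bridge-group number and the ACL names are assumptions. From ASA 9.7 onwards, routed mode supports Integrated Routing and Bridging: the outside address moves from Gi1/1 to a BVI, and Gi1/1 and Gi1/6 become members of the same bridge group, so the test device at 1.2.3.116 is Layer-2 adjacent to the ISP router with no NAT anywhere in the path.

```text
! Member interfaces carry no IP address, but each still needs its own nameif
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside_isp
 security-level 0
 no shutdown
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif outside_test
 security-level 0
 no shutdown
!
! The BVI takes the address that used to live on Gi1/1
interface BVI1
 nameif outside
 security-level 0
 ip address 1.2.3.114 255.255.255.248
!
! Both members sit at security-level 0, so traffic between them
! is only forwarded once same-security inter-interface traffic is allowed
same-security-traffic permit inter-interface
!
! The default route is bound to the BVI nameif, not to a member interface
route outside 0.0.0.0 0.0.0.0 1.2.3.113 1
!
! ACLs apply to the member interfaces. Only the test device's own
! address and its IPsec protocols are allowed in from the test port
! (assumed ACL names; merge ISP_IN with the existing outside ACL)
access-list TEST_IN extended permit udp host 1.2.3.116 any eq isakmp
access-list TEST_IN extended permit udp host 1.2.3.116 any eq 4500
access-list TEST_IN extended permit esp host 1.2.3.116 any
access-group TEST_IN in interface outside_test
!
access-list ISP_IN extended permit udp any host 1.2.3.116 eq isakmp
access-list ISP_IN extended permit udp any host 1.2.3.116 eq 4500
access-list ISP_IN extended permit esp any host 1.2.3.116
access-group ISP_IN in interface outside_isp
```

Moving the address off Gi1/1 drops the outside interface while it is reconfigured, so this is the out-of-hours change mentioned in the thread, and the existing crypto map binding (`crypto map ... interface outside`) has to be re-checked afterwards: later in this thread FTD is reported to refuse to bind a site-to-site VPN to a BVI, so confirm on a lab ASA first whether the existing tunnels will come back up on the BVI before cutting over production.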
04-13-2019 06:21 PM
04-15-2019 01:26 AM
Thanks Francesco,
Looks as though any method I try to use to achieve this is going to cause service disruption.
I had thought about using multiple contexts, but it's a lot of administration to achieve a simple task.
I will probably come in out of hours and try the BVI config otherwise I will just take the plunge and throw a switch in on the WAN side.
Thanks,
Phill
04-21-2019 09:21 PM
04-26-2019 08:47 AM
I looked at doing a bridge on a spare 5516-X I have running FTD but I found this configuration won't work, at least not on FTD as you cannot bind the local interface for an IPSec Site-to-Site VPN to a BVI. Not sure if this is true of the conventional ASA software too.
It will be easier to just use a switch.
Thank you for your help though.
04-28-2019 09:11 PM