cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2374
Views
10
Helpful
7
Replies

Cisco ASA FirePower WAN to DMZ IP Passthrough (No NAT)

TheCyberMan
Level 1
Level 1

Good Afternoon All,

 

I've got an ASA 5516 FirePower here on site running 9.10(1).

The outside interface is allocated a /29 from the ISP, let's call it 1.2.3.112/29.

 

The ASA outside (Gi1/1) address is 1.2.3.114/29 and the ISP router is 1.2.3.113/29.

We've got a few site-to-site IPSec tunnels bonded to this ASA and our internet bound traffic goes out through it.

 

Now what I'm wanting to do is pass through one of the un-allocated WAN IP addresses, say 1.2.3.116 to another interface on the firewall without using NAT for a test system. Effectively:

 

Internet -------- ISP Router (1.2.3.113/29) -------- (1.2.3.114/29) ASA ---------- Test Device (1.2.3.116/29)

 

I have Gi1/6 spare on the inside.

 

The reason I want to do this is for testing an IPSec site-to-site on a new firewall being built.

 

The current ASA is in in routed mode and I need to avoid disruption to the extant traffic and IPSec connections.

 

I've looked around on this forum and generally on the internet and not managed to find a solution.

I tried setting up a DMZ on Gi1/6, setting up DMZ and OUTSIDE interface rules to permit, and adding a no-NAT rule but this didn't work.

 

Wireshark on a test device showed that I wasn't getting an ARP response, so I set up static proxy ARP for the gateway IP with the ASA interface MAC which resolved this but still didn't get traffic passing.

 

Does anyone have any advice on doing this without resorting to using an RFC 1918 private address on the DMZ with 1-1 NAT?

 

Much appreciated.

1 Accepted Solution

Accepted Solutions

No you can't terminate a vpn connection on a bvi interface even on asa code.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 Replies 7

Francesco Molino
VIP Alumni
VIP Alumni
Hi

You can't have 2 interfaces within the same subnet, it won't work.

Why you don't want to use nat?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

 

We want to achieve this without NAT to give a more realistic simulation of the deployment scenario for the test firewalls without having NAT-T and double-NAT considerations in our tests which won't be there when the units are deployed out to their destination sites.

 

Ideally I don't want to have to put a switch in between the ISP router and the ASA to be able to make use of the /29.

 

I wonder if I could move the outside interface address to a BVI and then make a few interfaces on the ASA part of a bridge group for the outside with suitable firewall rules then use these interfaces for test devices that need WAN addressing?

 

There would be some disruption in doing this but it's not necessarily a problem which can't be overcome.

You can try using BVI but it will require to change your actual configuration (nat for example).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco,

 

Looks as though any method I try and use to achieve this is going to cause service disruption.

I had thought about using multiple contexts but its a lot of administration to achieve a simple task.

 

I will probably come in out of hours and try the BVI config otherwise I will just take the plunge and throw a switch in on the WAN side.

 

Thanks,

 

Phill

Let me know if you need any help but the result, as you said, will be an interruption with some work (little or more) depending on which solution you'll implement.
The WAN switch will be the less intrusive for me.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I looked at doing a bridge on a spare 5516-X I have running FTD but I found this configuration won't work, at least not on FTD as you cannot bind the local interface for an IPSec Site-to-Site VPN to a BVI. Not sure if this is true of the conventional ASA software too.

 

It will be easier to just use a switch.

Thank you for your help though.

No you can't terminate a vpn connection on a bvi interface even on asa code.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Review Cisco Networking for a $25 gift card