Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2031
Views
10
Helpful
7
Replies

Cisco ASA FirePower WAN to DMZ IP Passthrough (No NAT)

Go to solution
TheCyberMan
Level 1
Level 1

‎04-10-2019 07:34 AM

Good Afternoon All,

 

I've got an ASA 5516 FirePower here on site running 9.10(1).

The outside interface is allocated a /29 from the ISP, let's call it 1.2.3.112/29.

 

The ASA outside (Gi1/1) address is 1.2.3.114/29 and the ISP router is 1.2.3.113/29.

We've got a few site-to-site IPSec tunnels bonded to this ASA and our internet bound traffic goes out through it.

 

Now what I'm wanting to do is pass through one of the un-allocated WAN IP addresses, say 1.2.3.116 to another interface on the firewall without using NAT for a test system. Effectively:

 

Internet -------- ISP Router (1.2.3.113/29) -------- (1.2.3.114/29) ASA ---------- Test Device (1.2.3.116/29)

 

I have Gi1/6 spare on the inside.

 

The reason I want to do this is for testing an IPSec site-to-site on a new firewall being built.

 

The current ASA is in in routed mode and I need to avoid disruption to the extant traffic and IPSec connections.

 

I've looked around on this forum and generally on the internet and not managed to find a solution.

I tried setting up a DMZ on Gi1/6, setting up DMZ and OUTSIDE interface rules to permit, and adding a no-NAT rule but this didn't work.

 

Wireshark on a test device showed that I wasn't getting an ARP response, so I set up static proxy ARP for the gateway IP with the ASA interface MAC which resolved this but still didn't get traffic passing.

 

Does anyone have any advice on doing this without resorting to using an RFC 1918 private address on the DMZ with 1-1 NAT?

 

Much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to TheCyberMan

‎04-28-2019 09:11 PM

No you can't terminate a vpn connection on a bvi interface even on asa code.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎04-10-2019 09:31 PM

Hi

You can't have 2 interfaces within the same subnet, it won't work.

Why you don't want to use nat?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
TheCyberMan
Level 1
Level 1
In response to Francesco Molino

‎04-12-2019 01:19 AM

Francesco,

 

We want to achieve this without NAT to give a more realistic simulation of the deployment scenario for the test firewalls without having NAT-T and double-NAT considerations in our tests which won't be there when the units are deployed out to their destination sites.

 

Ideally I don't want to have to put a switch in between the ISP router and the ASA to be able to make use of the /29.

 

I wonder if I could move the outside interface address to a BVI and then make a few interfaces on the ASA part of a bridge group for the outside with suitable firewall rules then use these interfaces for test devices that need WAN addressing?

 

There would be some disruption in doing this but it's not necessarily a problem which can't be overcome.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to TheCyberMan

‎04-13-2019 06:21 PM

You can try using BVI but it will require to change your actual configuration (nat for example).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
TheCyberMan
Level 1
Level 1
In response to Francesco Molino

‎04-15-2019 01:26 AM

Thanks Francesco,

 

Looks as though any method I try and use to achieve this is going to cause service disruption.

I had thought about using multiple contexts but its a lot of administration to achieve a simple task.

 

I will probably come in out of hours and try the BVI config otherwise I will just take the plunge and throw a switch in on the WAN side.

 

Thanks,

 

Phill

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to TheCyberMan

‎04-21-2019 09:21 PM

Let me know if you need any help but the result, as you said, will be an interruption with some work (little or more) depending on which solution you'll implement.
The WAN switch will be the less intrusive for me.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
TheCyberMan
Level 1
Level 1
In response to Francesco Molino

‎04-26-2019 08:47 AM

I looked at doing a bridge on a spare 5516-X I have running FTD but I found this configuration won't work, at least not on FTD as you cannot bind the local interface for an IPSec Site-to-Site VPN to a BVI. Not sure if this is true of the conventional ASA software too.

 

It will be easier to just use a switch.

Thank you for your help though.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to TheCyberMan

‎04-28-2019 09:11 PM

No you can't terminate a vpn connection on a bvi interface even on asa code.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card