10-13-2010 07:46 AM - edited 03-11-2019 11:53 AM
Hello,
I've just received my Cisco ASA5510 in order to replace my SonicWall Pro 100, but I've got one problem. Let me explain:
Currently, the network has a LAN, a WAN and a DMZ. We've got a block of 6 public IPs (xx.xx.xx.xx/29).
I have two servers in the DMZ using 2 public IPs. The DMZ and the WAN share the same subnet (the DMZ has no NAT enabled).
With the Cisco, we can't assign IPs from the same subnet on 2 interfaces (overlapping networks).
I've read that one solution is to split my subnet in half, so I use a subnet xx.xx.xx.xx/30.
As a result, my available public IPs are reduced to 4.
2 are used by the WAN interface and the DMZ interface, 1 is used by the router. In this case, one server in the DMZ has no IP available any more.
Is there any other solution?
Thanks
10-13-2010 08:07 AM
Hey,
I am not sure if this will work for you, but one way I can think of implementing this would be to use multiple contexts.
1) In one context, assign the inside and outside interfaces and use the ASA in routed mode.
2) In the other context, you can use the DMZ and outside interfaces with the ASA in "transparent" mode.
Again, this will require a complete redesign of your network in a way, and may involve quite some deliberation on how it can be implemented and whether it will work for you, but we can always give this a thought and see if we can get this working.
Thanks and Regards,
Prapanch
10-22-2010 02:23 AM
Thank you for your reply.
I've read that we can't run the firewall with 2 contexts in which the first one is in routed mode and the other in transparent mode.
True ?
Thanks.
10-22-2010 07:47 AM
Hi,
To the best of my knowledge you can run it that way. Where did you read that it cannot be? Please share the link.
Thanks and Regards,
Prapanch
10-22-2010 08:12 AM
Maybe I'm wrong,
I read it in the CLI guide, page 54:
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode.
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
10-22-2010 08:28 AM
Hi,
Yes, that indeed is the case. Sorry about that. Got confused between FWSM and ASAs. FWSM does allow you to configure the mode of every context, which is not possible on the ASA.
Now, for your original requirement, we can still achieve what you need using "static" commands.
Assuming your server public IP addresses are 1.1.1.10 and 1.1.1.11: on the DMZ, we will have to create a new address space for the servers because we cannot have two interfaces on the ASA on the same subnet. So, let's assume you assign the DMZ interface an IP of 10.1.1.1 and the servers IP addresses of 10.1.1.10 and 10.1.1.11.
So for outside users trying to access these servers, we can create "static" entries of the form below:
static (DMZ,outside) 1.1.1.10 10.1.1.10
static (DMZ,outside) 1.1.1.11 10.1.1.11
Similarly, when your inside users try to access the servers using the public IP addresses, we can use the following statics to allow that:
static (DMZ,inside) 1.1.1.10 10.1.1.10
static (DMZ,inside) 1.1.1.11 10.1.1.11
This should ensure the transparency to users without them having to change any setting for the servers. Let me know if this is clear!!
Thanks and Regards,
Prapanch
10-25-2010 01:46 AM
Hi,
I am OK with the static commands, but I don't understand the IP address configuration.
I must create a new address space on the firewall, but what subnet should I use on the DMZ interface and the public servers? Do I use private IPs or public? And what about the reverse command for (outside,DMZ)?
Thanks.
10-25-2010 02:12 AM
Hi,
So you will need to use a private address space for the DMZ subnet. The public IP addresses you have in mind for the servers (the ones the outside and inside users will use to access the servers) will be specified in the "static" commands.
In the commands I have suggested, 10.1.1.x is the private address space for the DMZ subnet and 1.1.1.x are the public IP addresses the servers will be accessed with.
You do not need any static for (outside,DMZ).
Hope this clears things up!!
Thanks and Regards,
Prapanch
10-25-2010 09:03 AM
OK, understood.
Thank you. I will try this solution.
10-25-2010 09:19 AM
Sure. Do let me know how it goes!!
Cheers,
Prapanch
12-13-2010 11:16 AM
Hi,
I tried the solution in a production environment and there is something wrong.
No communication with the outside from the LAN and from the DMZ. I couldn't reach my router. Maybe there is a static route to add?
To summarize:
LAN interface: 192.168.1.254/24 (with dynamic NAT to use the WAN interface to go on the internet)
DMZ interface: 10.1.1.1 (with static NAT as you said)
WAN interface: 194.x.x.x/29
Router: 194.x.x.y/29
The two are directly linked.
Access lists from the LAN and DMZ allow reaching the outside.
Thanks.