How can I use two different public IP addresses on my DMZ with an ASA firewall?

denzelbell
Level 1

Hi everyone out there.

Can anyone please help me with this situation? I'm looking for a solution.

My old range of public IP addresses is finished, I mean the 41.x.x.0 range.

So now I still need to have in my DMZ another two servers that will bring some new services.

Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.

So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.

So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ on a Cisco ASA 5520 v8?

What should my configuration look like?

I was told about implementing static NAT with subinterfaces on both the router and the ASA interface.

Can someone please help me with a practical config sample? I can also be reached at ttchipa@gmail.com.

Attached is my network diagram for a better understanding.

I thank everybody in advance.

Jorge

5 Replies

Jouni Forss
VIP Alumni

Hi,

So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.

Now you have gotten a new public IP address range from the ISP and want to get it into use.

How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?

To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.

So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.

Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.

  • Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?
    • This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall
  • Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses?
    • This would require you to only start configuring static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses, of course

Of the above ways

  • The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
  • The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into a problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards LAN also)

Hopefully the above was helpful. Naturally ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.

I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.

- Jouni
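The second option in this reply (static route on the router, static NAT on the ASA, with the DNS caveat handled by DNS rewrite) written out as a constructed configuration; this is an added example, not Jouni's or Cisco's text. It assumes ASA 8.3-or-later object NAT syntax (8.2 would use the older `static (dmz,outside) ...` form), placeholder values for the ASA outside address, the private DMZ addresses, the interface names and the ports, and the `!` lines are explanatory comments rather than CLI.

```text
! Router facing the ISP (IOS assumed): send the new /29 to the ASA OUTSIDE address.
! 203.0.113.1 is a placeholder for the ASA outside IP (the real one is on the diagram, not in the thread).
ip route 197.216.1.24 255.255.255.248 203.0.113.1

! ASA 5520, 8.3+ syntax. Servers keep private DMZ addresses (placeholders below).
object network SRV3-PRIVATE
 host 192.168.10.13
object network SRV4-PRIVATE
 host 192.168.10.14

! One usable address from the ISP's /29 per server (.25-.30 are usable; .24 is the
! network and .31 the broadcast). Nothing on the OUTSIDE interface itself changes.
object network SRV3-PUBLIC
 host 197.216.1.26
object network SRV4-PUBLIC
 host 197.216.1.27

! Static one-to-one NAT between dmz and outside. The "dns" keyword makes the ASA
! rewrite A-record answers from the public DNS that cross it, so LAN hosts get the
! private address instead of the OUTSIDE NAT address they cannot reach (the DNS
! problem described above). It only helps if those DNS replies traverse the ASA.
object network SRV3-PRIVATE
 nat (dmz,outside) static SRV3-PUBLIC dns
object network SRV4-PRIVATE
 nat (dmz,outside) static SRV4-PUBLIC dns

! Inbound policy: permit only the published services. In 8.3+ the ACL names the
! real (private) address, not the mapped one. Ports are placeholders.
access-list OUTSIDE_IN extended permit tcp any object SRV3-PRIVATE eq 443
access-list OUTSIDE_IN extended permit tcp any object SRV4-PRIVATE eq 25
access-group OUTSIDE_IN in interface outside
```

Where internal users resolve the servers through an internal DNS that already returns the private addresses, the `dns` keyword is not needed and LAN-to-DMZ traffic simply follows the existing inside/dmz policy.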

Hello dear Jouni.

First of all I should thank you so much for your time and cooperation, and for being so kind and precise and willing to help sort out this issue of mine.

Below are answers to some of your queries:

Hi,

Q: So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.

A: YES correct

Q:

Now you have gotten a new public IP address range from the ISP and want to get it into use.

How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?

A: Yes indeed, I want to NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current two servers already in production on the DMZ right now, as in the image attached).

Q:

Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?

A: Yes

  • This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP addresses range AND then configure the LAN devices correspondingly to the chosen method on the firewall

A: Yes indeed sir, it's exactly here where I want to focus. I think I want to go with the first way as referred to by you; as you said, it seems to be the good one, because right now on the DMZ I already have two servers in production, the www and the SMTP or Exchange server, with 41.x.x.2 and 41.x.x.3 respectively, with their private IP addresses as well.

However I have a need for another two services that I will bring in the DMZ on two servers, with a different range of public IP addresses (because the range of 41.x.x.x is already finished), so the ISP gave something like this: 197.216.1.24/29, to be addressed to the two new servers as in the image.

So can you please tell me how this configuration should look in the real world, on the machines? How do I create the referred subinterface, and where? Where do I configure it then, and how, step by step?

I should admit that I'm still in the learning process of knowing the ASA better. If you need any further info please let me know.

Please help

Jorge

Hi,

I was originally asking how you were going to use the new public IP address.

Looking at the above answers you gave, it says that you agree with both ways. So which way is the one you want to go with?

You can use the new public IP address range in ONE of the following ways

  • You can configure the public IP addresses as NAT IP addresses on the ASA while the actual servers have private IP addresses

OR

  • You can configure the IP address range on a new interface or subinterface on the ASA and use the rest of the public IP address range on the actual servers directly (this new interface should naturally be towards the LAN/DMZ devices, not the Internet devices)
    • If done this way I would need to know if you have a free physical interface on the ASA to be used for this purpose. IF you are using a subinterface I would need to know if you have an existing trunk? Since if you don't have an existing trunk, changing an existing normal interface to a trunk is a lot more work and causes some downtime for the networks behind the interface to be changed to a trunk

- Jouni

Hello Master Jouni.

I must thank you so much for your time and cooperation, for being able to help me.

I hope this time I'm clear enough (hope) to make you understand my point.

But please do let me know, according to your wide experience, what's the best way and practice.

Below are the answers to your questions:

Q: You can use the new public IP address range in ONE of the following ways

  • You can configure the public IP addresses as NAT IP addresses on the ASA while the actual servers have private IP addresses

A: Exactly sir, I think that's what I want indeed, because right now I think that's how the ASA is configured with the 41 public IP addresses for the two servers on the DMZ, while they still have their private IP addresses.

So that's how I think I want it for the two new servers that I will need to add in the same DMZ, though these two new servers are the ones that will use the 197 range as their public IP addresses.

Hope I made it clear to you by now, but please do ask me any additional question in order to help you in helping me.

However, I think this is the best way I want. So how do I go about it sir?

The same questions: how do I do it, in the real world or on the machines, according to my picture and having in consideration that those two new servers will need to be accessed from outside users or Internet users and internal users as well.

Once again sir, thank you so much

Please help

Jorge

Hi denzelbell

I am facing the same problem as you.

I talked with my ISP and then they created a default route for my new public IP range ... the default route is configured via an empty public address of my previous IP network. Now I am again facing a problem. Now facing a problem with this new public IP range, I need the public IPs active to allow our servers to be visible from the outside world also. Both WANs are coming to our system through 1 port (1 cable).

Master Jouni, please guide me on what I need to do to my system for these new public IPs.

Please help ..

Thanks in advance...