How to Add Cisco 861's behind ASA 5505

kyle.mcauliffe
Level 1

I will be setting up a VPN with a client soon.  They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505.  They are set up to be NATed.

I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.

Our ASA has a public IP of 2.1.2.14/30 assigned to its outside interface.

The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.

1. How can I assign this separate public IP block to the ASA? Is it even possible?

2. If not possible, what would other options be?

3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)

Appreciate any help or suggestions.

4 Replies

Jouni Forss
VIP Alumni

Hi,

Are you saying that you are going to add Cisco routers behind your ASA 5505 firewall in the purpose of building VPN connections with the Cisco 861 routers?

If the only purpose of the 861's is providing a VPN connection I would forget that and configure the VPN on the ASA5505 itself and not the routers. There's no reason to make the situation harder than it is.

Why are they shipping 2x 861?

- Jouni

I agree with you 100%.  It's how we set up VPN to other companies.

However this one is very firm in the fact that we must use their hardware, 2 for redundancy I guess.

I am just thinking of NATing the public IP to a private IP for them.

Just have to brush up on my NATing...

Hi,

I personally run into these situations too, and on more than one occasion the users start to run into different kinds of problems when they have additional hardware on their LAN that we don't manage.

If you HAVE to do this as you described I would need some additional information:

  • What software version is your ASA?
  • Do you have a Base License version of the ASA5505?
    • Can confirm this with "show version" command
  • In the original post, do you mean that you have a small link network (/30) with the ISP and that the ISP has also provided you with a small subnet for NAT purposes (/29)?

The first thing mentioned above would be needed to confirm what NAT format to use.

Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.

There are 2 ways to go.

Option 1.

  • Make sure that the ISP has routed the additional /29 network towards your ASA5505 "outside" IP address
  • Now just configure the needed NAT configurations (can naturally help with the configurations when I know the software level of the ASA)
    • Notice that the additional public subnet doesn't need to be configured on any interface of the ASA. You can just configure NATs using those IP addresses as usual. The critical thing here is that the ISP has routed the network towards your ASA and HAS NOT configured this additional /29 subnet on their gateway as a secondary network.

Option 2.

  • Even if you have the ASA5505 at Base License you can still configure 3 interfaces on the ASA5505. The one thing to notice here is that you need to configure the "no forward interface Vlanx" on the third Vlan interface, which will prevent this third Vlan from connecting to networks behind the interface Vlanx. This however doesn't stop Vlanx from connecting to networks behind the third Vlan interface.
    • This might provide a possibility to use the WAN side of the VPN routers on the third interface of the ASA, since you can limit their connectivity to the "inside" Vlan and this would mean they could still connect to "outside"

Hopefully I made any sense. Please ask more if I was unclear about something above (which might be possible)

- Jouni
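Added example for Option 2 above (not part of Jouni's reply, not a Cisco-supplied snippet): a third VLAN on a Base License ASA 5505 that can reach "outside" but is blocked from reaching the "inside" VLAN. Assumptions, marked in the comments: inside is Vlan1, the new VLAN is Vlan3 on switchport Ethernet0/2, and 192.168.7.0/24 is a made-up address range for the routers' WAN side.

```cisco
! Assumed: Vlan1 is the existing "inside" interface.
! On a Base License 5505 the third VLAN must carry "no forward interface"
! and that line has to be entered BEFORE nameif, or the ASA rejects the nameif.
interface Vlan3
 no forward interface Vlan1
 nameif vpn-routers
 security-level 50
 ip address 192.168.7.1 255.255.255.0
!
! Assumed: the 861 WAN ports are cabled to switchport Ethernet0/2.
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Result: hosts in Vlan3 cannot initiate traffic to Vlan1 (the forward
! restriction is one way), but Vlan3 can still be NATed to "outside" and
! Vlan1 can still initiate connections to the routers in Vlan3.
```

Check afterwards with "show interface Vlan3" and "show nameif"; if the ASA refused the nameif because the forward line came second, remove the interface and re-enter the lines in the order shown.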

Jouni,

Thank you for the reply.  It was very informative and helpful.

As to your questions:

1. Cisco Adaptive Security Appliance Software Version 8.2(1) Device Manager Version 6.2(1)

2. Yes Base license with unlimited users. (No Security Plus)

3. We originally had a /30 subnet from the ISP.  This would now allow us to have 2 spare public IPs so we requested additional IPs.  They then gave us the /29 network to use.

I am leaning toward option 1.  I was able to do a quick test using a basic NAT rule:

static (inside,outside) 2.1.2.219 192.168.5.29 netmask 255.255.255.255

I was then able to ssh to a host with the internal IP address 192.168.5.29 from a server on the cloud using the public IP 2.1.2.219.

I think the biggest hurdle for me will be coming up with the necessary NATing rules.  Especially since the 861's will have a separate private network (10.64.0.0/13) and I will need to allow for traffic between the two networks as well as traffic from the 10.64.0.0/13 network to have access to the internet.
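Added example for Option 1 in ASA 8.2 syntax, building on the static rule tested in this post (this is an illustration added here, not configuration from the thread participants or from Cisco). It covers the three needs listed above: the two public IPs mapped to the routers, the 10.64.0.0/13 network behind the routers reaching the internet through the ASA, and the LAN talking to that network. Assumptions, also marked in the comments: 192.168.5.28 as the inside address of the second router, one router (192.168.5.29) as the next hop for 10.64.0.0/13, the inside LAN being 192.168.5.0/24 with the ASA as its default gateway, and "outside_access_in" as the name of the inbound ACL.

```cisco
! --- 1. Static NAT: one public IP (from the ISP-routed /29) per 861 ---
! 2.1.2.219 -> 192.168.5.29 is the rule already tested in the thread.
! 192.168.5.28 for the second router is an assumed address.
static (inside,outside) 2.1.2.219 192.168.5.29 netmask 255.255.255.255
static (inside,outside) 2.1.2.218 192.168.5.28 netmask 255.255.255.255
!
! Inbound ACL. In 8.2 the ACL matches the PUBLIC (mapped) address, not the
! private one. Only what a site-to-site VPN endpoint needs is opened:
! ESP, ISAKMP (UDP/500) and NAT-T (UDP/4500). The ACL name is assumed.
access-list outside_access_in extended permit esp any host 2.1.2.219
access-list outside_access_in extended permit udp any host 2.1.2.219 eq isakmp
access-list outside_access_in extended permit udp any host 2.1.2.219 eq 4500
access-list outside_access_in extended permit esp any host 2.1.2.218
access-list outside_access_in extended permit udp any host 2.1.2.218 eq isakmp
access-list outside_access_in extended permit udp any host 2.1.2.218 eq 4500
access-group outside_access_in in interface outside
!
! --- 2. Route to the client's network behind the 861 ---
! /13 = 255.248.0.0. Next hop assumed to be the first router's inside IP;
! with two routers a shared VRRP/HSRP address would go here instead.
route inside 10.64.0.0 255.248.0.0 192.168.5.29 1
!
! --- 3. Internet access for 10.64.0.0/13: PAT to the outside interface ---
! (The existing LAN line is shown for context and is assumed.)
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 10.64.0.0 255.248.0.0
!
! --- 4. LAN <-> 10.64.0.0/13 ---
! Both sit behind "inside". If the LAN hosts use the ASA as their default
! gateway, packets for 10.64.x arrive on inside and leave on inside again,
! which the ASA drops unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface
```

After applying this, "show xlate" should list the two static translations, "show route" should show the 10.64.0.0/13 entry via 192.168.5.29, and "packet-tracer input outside udp 203.0.113.5 500 2.1.2.219 500" (203.0.113.5 is a documentation address standing in for the client's peer) walks through the ACL and NAT phases to confirm the inbound path before the client's routers arrive.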
