Hi, I have a few devices that the manufacturer told us we have to set up with a public IP (no NAT). We have Internet -> ASA5510 -> Switch 3550 with 3 VLANs. Up to now we have always used NAT to configure internet access to specific devices. Now we have this requirement and we don't know what to do. Can anyone help here, please?
I heard setting up a switch with one VLAN connected to the internet and all the other internal ones is a bad idea. That was the only idea we had. I don't know much about routing, so any help will be appreciated.
I guess the first question would be: how many public IP addresses or subnets do you have allocated from your ISP, and in what kind of use are they at the moment?
I am not sure if I understood you correctly, but if I did, you were wondering if you could use the devices outside your firewall, directly configured with a public IP address? This would naturally leave them completely open and without protection from your firewall.
As I said, first we would need to determine if you have enough public IP addresses or subnets to allocate them for this use only and use the public IP addresses directly inside your LAN network, where the firewall could provide protection for them.
I have 5 available IP addresses; one is needed for the ASA to be able to do VPN and one for another device that has to be on the internet with a public IP address through an Ethernet cable. I was thinking of configuring one VLAN on the 3500 for those devices on the internet and the other two VLANs for internal hosts. I have another device that is already using NAT through the ASA5510 and is being used as a VoIP server (softswitch), and it has to stay like this to make sure it stays protected.
Also, I don't see this configuration working logically when it comes time to do the routing. I don't know who will be doing the routing, the ASA or the 3500?
It seems to me that you are bound to end up with a setup where the firewall won't be protecting the hosts/devices that require the public IP addresses directly without NAT.
The typical way we do these kinds of setups for our customers is that the customer is provided with an extra public subnet (in addition to the one between the ISP gateway and the customer L3 device) that the ISP routes towards the customer firewall.
The customer (or the ISP, if we manage the firewall) will then configure this public subnet on their firewall as a DMZ, or this public subnet is further routed from the firewall towards some LAN L3 switch, which will then host this public subnet on some VLAN interface.
The firewall is in the end configured with NO NAT for this network so it can pass through the firewall without any translation.
It would seem to me that unless you are able to get an additional subnet from the ISP, you are bound to end up with a "special setup" to achieve what you are looking for.
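To make the setup described in the reply above concrete, here is an added configuration example (not posted by anyone in the thread, and not the asker's actual config) for the first of the two options: the extra public subnet is placed directly on an ASA DMZ interface, the 3550 carries it as a plain layer-2 VLAN, and the ASA does the routing, so the switch needs no routing at all. Everything in it is an assumption: ASA software 8.3 or later (the NAT syntax changed in 8.3), interface numbers, VLAN 30 as the public VLAN, an inside network in 10.0.0.0/8 and 192.168.0.0/16, and the RFC 5737 documentation ranges 198.51.100.0/30 for the ISP link and 203.0.113.0/24 for the extra subnet the ISP routes to the ASA's outside address.

```cisco
! ===== ASA 5510 (assumed 8.3+ syntax; all addresses are assumed/documentation ranges) =====
! ISP link subnet 198.51.100.0/30: ISP gateway is .1, the ASA outside interface is .2.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! The extra public subnet 203.0.113.0/24, which the ISP routes to 198.51.100.2,
! lives directly on the DMZ interface. The vendor devices use 203.0.113.1 as gateway.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
! Default route to the ISP. The DMZ subnet is directly connected, so no extra route is needed.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! NO NAT for the public subnet: an identity NAT maps the network to itself in both
! directions, so packets cross the firewall with their real addresses.
object network DMZ_PUBLIC
 subnet 203.0.113.0 255.255.255.0
nat (dmz,outside) source static DMZ_PUBLIC DMZ_PUBLIC
!
! The firewall still filters. Only the ports the vendor actually needs are opened inbound;
! HTTPS is an assumed placeholder, add the vendor's real ports the same way.
object network VENDOR_DEVICE_1
 host 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object VENDOR_DEVICE_1 eq https
access-group OUTSIDE_IN in interface outside
!
! DMZ hosts are internet-reachable, so keep them away from the internal VLANs
! (assumed inside ranges) while still letting them reach the internet.
access-list DMZ_IN extended deny ip object DMZ_PUBLIC 10.0.0.0 255.0.0.0
access-list DMZ_IN extended deny ip object DMZ_PUBLIC 192.168.0.0 255.255.0.0
access-list DMZ_IN extended permit ip object DMZ_PUBLIC any
access-group DMZ_IN in interface dmz

! ===== Catalyst 3550: the public VLAN is layer-2 only (no SVI), the ASA routes it =====
vlan 30
 name PUBLIC_DMZ
!
! Uplink to ASA Ethernet0/2 (assumed port)
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Port for a vendor device; the vendor configures it with 203.0.113.10/24, gateway 203.0.113.1
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
```

On an ASA older than 8.3 the identity NAT line is written as `static (dmz,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0` instead of the object-based `nat` statement. The second option in the reply (routing the subnet on to an SVI on the 3550) works the same way on the ASA side, except that the DMZ interface gets a small transit subnet and a `route dmz 203.0.113.0 255.255.255.0 <switch address>` entry pointing at the switch. Either way this relies on the ISP routing a separate subnet to the firewall; the five addresses in the ISP link subnet cannot be handed to DMZ hosts like this, because in routed mode the ASA cannot have the outside subnet on two interfaces, which is the "special setup" the reply refers to.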