02-07-2013 06:47 AM - edited 03-11-2019 05:57 PM
Client is changing ISPs. They currently have a x.x.x.x/28 network and they are using 10 of the available IPs. The new provider wants to give them a /30 network, 1 IP for the Outside interface and the other will be their equipment, my gateway. And then redirect specific addresses, /32, as needed to the PIX for my remaining outside Static IP needs. The PIX is only licensed for 3 Maximum Physical Interfaces. Am I correct in thinking that the PIX will not support this configuration?
02-07-2013 06:58 AM
Hi,
It should be possible.
With the ASA firewalls and new software levels 8.3/8.4 there have been some setups that have been problematic because of changes to the software BUT to my understanding this setup should be ok in your case.
- Jouni
02-07-2013 07:20 AM
The interface is currently configured as:
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.62 255.255.255.240
This gives me x.x.x.49-62 as usable interfaces. And by subnetting rules, Ethernet0 knows the addresses within that range are on its network. I have at least 10 Statics in use.
The New config will look like:
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.226 255.255.255.252
I am not sure how I can statically map to a x.x.x.230 255.255.255.255 outside of the Ethernet0 network?!?!?!?!
02-07-2013 08:36 AM
Hi,
To give you an example.
We have several Cisco FWSMs and ASA5585-X devices that hold multiple Security Contexts (Virtual firewalls).
For example one of our customers has a /29 network allocated from RIPE.
This customer has now exhausted that small subnet for all his Static NATs for servers.
They then request additional public IP addresses. We then route additional host IP addresses when needed towards the customer firewall "outside" interface IP address and configure the Static NAT using that new public IP on the customer firewall and make the required ACL configurations and everything works just fine.
To give you a simple configuration on the FWSM (Firewall Services Module) and Core C6500 series device
Where
Core Router

interface Vlan3000
 description Customer FW Outside
 ip add 1.1.1.1 255.255.255.240
ip route 2.2.2.1 255.255.255.255 1.1.1.2
ip route 2.2.2.2 255.255.255.255 1.1.1.2
ip route 3.3.3.1 255.255.255.255 1.1.1.2
ip route 3.3.3.2 255.255.255.255 1.1.1.2

FWSM / Firewall Context

interface Vlan3000
 description Customer FW Outside
 nameif outside
 security-level 0
 ip add 1.1.1.2 255.255.255.240
route outside 0.0.0.0 0.0.0.0 1.1.1.1
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 1.1.1.3
nat (inside) 2 10.10.20.0 255.255.255.0
static (inside,outside) 1.1.1.4 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 10.10.20.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.1 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 3.3.3.1 10.10.20.11 netmask 255.255.255.255
And so on..
- Jouni
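A way to check the setup described in the answer above, as an added example that is not part of the original thread: it classifies each static NAT public address as on-link in the outside subnet, delivered by an upstream host route, or unreachable, and lists host routes that no static uses. The function name `audit` is hypothetical; the configuration lines are the ones from the answer.

```python
import ipaddress
import re

# Configuration lines copied from the answer above (pre-8.3 PIX/FWSM syntax).
CORE_ROUTER = """\
interface Vlan3000
 ip add 1.1.1.1 255.255.255.240
ip route 2.2.2.1 255.255.255.255 1.1.1.2
ip route 2.2.2.2 255.255.255.255 1.1.1.2
ip route 3.3.3.1 255.255.255.255 1.1.1.2
ip route 3.3.3.2 255.255.255.255 1.1.1.2
"""
FIREWALL = """\
interface Vlan3000
 nameif outside
 ip add 1.1.1.2 255.255.255.240
static (inside,outside) 1.1.1.4 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 10.10.20.10 netmask 255.255.255.255
static (inside,outside) 2.2.2.1 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 3.3.3.1 10.10.20.11 netmask 255.255.255.255
"""

def audit(router_cfg, fw_cfg):
    """Classify each static NAT public address and list unused host routes."""
    ip, mask = re.search(r"ip add(?:ress)? (\S+) (\S+)", fw_cfg).groups()
    outside = ipaddress.ip_interface(f"{ip}/{mask}")
    # Upstream routes whose next hop is the firewall's outside address.
    routed = [ipaddress.ip_network(f"{net}/{m}")
              for net, m, hop in re.findall(r"^ip route (\S+) (\S+) (\S+)", router_cfg, re.M)
              if ipaddress.ip_address(hop) == outside.ip]
    result = {}
    for pub in re.findall(r"^static \(inside,outside\) (\S+) ", fw_cfg, re.M):
        addr = ipaddress.ip_address(pub)
        if addr in outside.network:
            result[pub] = "on-link"       # answered on the outside subnet itself
        elif any(addr in net for net in routed):
            result[pub] = "routed"        # delivered by an upstream host route
        else:
            result[pub] = "unreachable"   # nothing upstream delivers this address
    unused = [str(n.network_address) for n in routed
              if not any(ipaddress.ip_address(p) in n for p in result)]
    return result, unused

if __name__ == "__main__":
    print(audit(CORE_ROUTER, FIREWALL))
```

Routed-but-unused addresses (here 2.2.2.2 and 3.3.3.2) reach the firewall with no translation configured, so they are worth tracking as spare capacity rather than leaving undocumented.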