I'm looking for a 'new' solution wich i can't figure out...
First of all, I use a Cisco Asa 5505 with ASDM 6.1.
And we own from our ISP a public router IP with 5 useable public sub-IPs.
(IPs are just made up...)
Asa Router : z.z.80.21
ISP Gateway: z.z.80.20
Useable IPs: z.z.81.41 - z.z.81.45
The Old config was very basic but effective.
We had setup 3 interfaces: Outside (z.z.80.21), DMZ (x.x.100.x) and Inside (x.x.1.x).
And I used 'Nat Policy rules' in the DMZ from server to Outside at an useable IP (z.z.81.41).
This way we could use from Inside the Public IPs and was the NAT working correct.
But also the Internet could rage our servers trough the NAT.
(We have more Servers then Public IPs AND we need NAT because not all servers publish
there service on the same port we want to publish on the public internet)
Now we have an new server who needs it's own dedicated public IP without a NAT!
(It's a VOIP Asterisk Server)
And I'm also advised that this server needs this dedicated public IP (z.z.81.45)
configured locally in it's network configuration!
(so not like the other servers wich have an IP in the x.x.100.x range)
I did try a lot of things. And the best way I did come up with is the following.
First I made an extra interface called DMZAsterisk with the public subnet we own (z.z.81.z).
Connected the A-Server and added a Static Nat Rule from the DMZAsterisk to Outside
with both the z.z.81.45 IP.
This way almost everything works like before, except we can't access our DMZ severs
anymore from the Inside with there public IP adresses. And DNS isn't a solution because
we also need the NAT (port redirection) to work!
Also I get why it's not working. Because Inside traffic is routed to the DMZAstrisk interface.
And the servers arn't there :-)
Thx in advanced!!!
can you post full configuration ? what i understood from what you have mentioned -
you need a new server on public IP and range was already there ,if you create any new interface and moved that Public IP range on that . Then you can not do NAT with DMZ. If you need need access for DMZ then port forwarding can solve the issue.
I can't post the config at the moment, because it isn't
till tomorrow (+1 GMT) when I'm back at the office...
BUT, I understand that I can't NAT anymore for that one
public IP address I use for Asterisk (z.z.81.45). But I still
can NAT the other four IP addresses...
With the new configuration (now in production) everything
also works fine!
Except from the Inside to the DMZ trough the NAT by there
four public IPs. (z.z.81.41; z.z.81.42; z.z.81.43; z.z.81.44)
And that's the big problem for us....
NAT works between two interfaces. If you have configured full range on new interface you can not NAT with DMZ servers. However you can still access DMZ servers using real ip address of them from inside zone.
I know... I figured that out :-)
And using the real ip addresses isn't an option in our situation...
Is there a way to trick the ASA?
So traffic from the inside-interface to the four public IPs go the same
route as the inbound internet traffic?
Or can I just isolate that one public IP (z.z.81.45) for that one server
on that DMZAsterisk-interface. At the moment this interface is configured
with the settings of our public subnet... That's way the ASA thinks requests
for the other four public IP has to be dillivered at the DMZAstrisk interface.
And when I disable that interface, everything is just fine again...
(our old configuration)
I can't have a NO....
I have to come up with a solution....
Even if I need an extra router or hardware....
Do you maybe know why I can't give my Asterisk Server a
private IP address and "not NAT" this totally 1:1 with one public IP address?
Then I can add this server just to our DMZ...