Solved: Ah right, that makes sense.

tom0000037 · ‎11-13-2015

Hello Everyone,

I am working with an ASA 5508. I am trying to pass a /27 subnet coming from a 2811 into the ASA then out of one interface to a 2960 where a vlan will distribute the network to about half a dozen servers.

A simple illitstation of what I am trying to accomplish is attached.

Any advice, suggestions or idea is much appreciated. Thank you.

Jon Marshall · ‎11-13-2015

Two options -

1) use the firewall in transparent mode

2) use private IPs on servers and use NAT on firewall

Jon

View solution in original post

Jon Marshall · ‎11-13-2015

Two options -

1) use the firewall in transparent mode

2) use private IPs on servers and use NAT on firewall

Jon

tom0000037 · ‎11-13-2015

Thanks for that Jon, do you know of any negatives of using the Firewall in transparent mode?

Jon Marshall · ‎11-13-2015

Never done it myself so can't really comment too much.

I know some people really don't like it and think it causes more trouble than it is worth but doesn't mean it won't work so don't rule it out as an option.

There are obviously limitations eg. you can't terminate VPNs on it etc but it really depends on what you need.

If you really need the servers to be using public IPs then it is a solution altthough I forgot to mention you could actually break down your /27 into 2 x /28 and then use one of them for the router to firewall connection and one for the server subnet.

You would then run the ASA in routed mode and the router would need a route for the server subnet pointing to the ASA.

Trouble is you are wasting IPs that way although you could use the spare IPs for NAT if you then had other internal devices that could use private IPs.

And you could break the /28 into a /30 and /29 which gives you another useable subnet with public IPs.

As with most things in networking there are often multiple solutions and it's as much about what you intend to do in the future as what you are doing now.

Jon

tom0000037 · ‎11-13-2015

Ah right, that makes sense. Unfortunately I will need to set up a VPN in the future off of this device so I think transparent mode is out of the question. However you make a great point breaking up the subnet. I was thinking about that at first but wanted to explore all options. I think that may be the solution after all.

I really appreciate your time an advice. I will let you know how everything pans out.

tom0000037 · ‎11-13-2015

Jon,

Will I need to do any additional routing on the ASA between the interfaces for example having the /30 point at the /28 (server subnet)

Thanks again.

Jon Marshall · ‎11-13-2015

Yes you would.

Your ASA would need a default route pointing to the router and the router would need a route for the /28 subnet pointing to the ASA.

The ASA would automatically route between it's interfaces as they are directly connected

Jon

tom0000037 · ‎11-16-2015

Makes sense. Thanks again for the response Jon.

Much appreciated.

Passing a subnet through multiple interfaces ASA 5508