
Two WAN assigned Prefix from ISP - need two FW?

Hi All

I've just got a new Internet Access line installed from my ISP. I need 6 public IP addresses, and therefore the ISP has assigned me a /30 and a /29 range.

/30 subnet is between my FW outside interface and ISP edge router.

/29 subnet is from the ISP static routed to my FW outside IP address.

But since I only have one FW right now (an ASA 5505), I cannot see how I can route the /29 subnet.

If I had two ASA 5505s, I could use the /29 subnet as a DMZ network between the two firewalls, and directly connect hosts that would need a public IP to this DMZ network. But is it possible to use it with only one firewall, and somehow make a 1:1 NAT to internal hosts that would need a public IP (not just overload PAT of the outside interface)?

Hopefully you understand my question .. :-)

Best Regards, Steffen.

3 Replies

Jouni Forss
VIP Alumni

Hi,

You should be able to use the second Public Subnet /29 just fine on the ASA since the ISP has routed it towards your ASA outside IP address.

You can configure NAT using the /29 address range on the ASA "outside" interface normally, even though the IP addresses used don't belong to the subnet connected to the "outside" interface.

- Jouni

Hi Jouni

Thanks for the reply!

Can you describe in more detail how I make the NAT setup for the /29 subnet? I would like a 1:1 NAT, not some Port Address Translation, if you can follow me?

Hi,

Can you let me know what is the software version of your ASA?

I have a document about the ASA software versions 8.3 and newer if you want to check it out.

https://supportforums.cisco.com/docs/DOC-31116

It also has some information related to what options you have when using multiple public subnets.

If you have ASA version 8.2 or older, then the above document's NAT configurations won't suit you.

- Jouni
