Hi All,
First post on the Cisco forums.... so hi to everyone here, looks like a great community!
I would be interested to hear people's thoughts on a design I am currently working on. Essentially, we are starting to move a lot of our customers into the datacenter; we are starting small and hope to grow on what we envisage to be a success.
Initially we will deploy an ASA5510 w/ Security Plus, and a Catalyst 2960. I intend to have each customer in their own VLAN in RFC1918 address space, with the ASA providing the gateways for each VLAN, by configuring subinterfaces on the ASA and setting the port on the 2960 as a trunk port.
I will also have a separate management VLAN to connect all the remote server management cards to, most likely a /28 or /27.
Now my question is the best way to handle the public IP address allocations for our customers. Where I have done similar installations in the past, the WAN link of the router would usually be a /30 and we would have a bigger allocation routed to us, and we would then break this down into /30 ourselves and customers would install their own firewall. In this setup we are essentially providing a managed/shared firewall for all as opposed to just routing addresses to customers' own firewalls. Would the most appropriate way to handle this be to have our entire public allocation range on the WAN side of the ASA (so say a /26) and just alias and NAT these addresses on the WAN side using the subinterfaces for the customer VLANs? Or is there a better way to approach this? What would be the 'best practice' recommendation?
Really interested to hear people's views on this scenario, and thanks for any replies in advance.
- Jamie