02-09-2012 08:09 AM - edited 03-04-2019 03:12 PM
Hi all,
I recently got a high-speed link for my company to replace the old Frame Relay.
The internet service provider gave me a non-routable range to set on my ASA, like this: cisco asa (192.168.70.46/30)<--------->ISP(192.168.70.45/30)
Then the ISP told me my public IP WAN range was x4.23.209.166/29.
I made this kind of configuration work when I put a Cisco router in front of the Cisco ASA, like this:
cisco asa ( x4.23.209.166/29)<---eth0-->(x4.23.209.167/29 on eth0)=cisco1841= (192.168.70.46/30 on eth 1)<--------->ISP(192.168.70.45/30)
Is it possible to make this work on a Cisco ASA 5510 without putting a router in front?
If it works, can problems happen when establishing a VPN from the outside interface having a private IP?
Regards
02-09-2012 09:16 AM
I would think that it would work well if you put 192.168.70.46 on interface outside of the ASA and put x4.23.209.166/29 on interface inside of the ASA.
HTH
Rick
02-10-2012 12:34 AM
Hello Mr BURTS,
But when will I plug in my LAN cable?
In the scenario that you described, we are using the outside for the ISP-router<---->asa and the inside to take the WAN IP.
02-10-2012 09:25 AM
There are several ways that you could use the block of public addresses given to you by the provider. You could use it on the inside interface of the ASA, as I suggested before, and let the hosts in the network use that address space. Or you could use the public addresses for use in a DMZ on the ASA. Or you could use the block of public addresses as a pool on the ASA and do Address Translation on the ASA using those addresses. So if my first suggestion does not fit well with your expectations then perhaps suggestion two or three will be better.
HTH
Rick
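The third option in the reply above (private /30 on the outside interface, public block used for Address Translation), sketched as an added configuration example that is not from the thread. It assumes ASA 8.3+ NAT syntax and that the ISP routes the /29 to 192.168.70.46; 203.0.113.0/29 stands in for the masked public block, and the LAN/DMZ subnets, interface numbers and object names are hypothetical.

```cisco
! Added example; every address except the 192.168.70.44/30 link is a placeholder.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.70.46 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Default route points at the ISP side of the private /30.
route outside 0.0.0.0 0.0.0.0 192.168.70.45
!
! LAN hosts share one public address (dynamic PAT) rather than the
! private address of the outside interface.
object network LAN-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.2
!
! One DMZ server published one-to-one on another public address.
object network DMZ-WEB
 host 10.10.20.10
 nat (dmz,outside) static 203.0.113.3
!
! Permit only the published service inbound and log everything else.
! In 8.3+ the ACL matches the real (untranslated) server address.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

`show nat` and `show xlate` confirm that traffic leaves translated to the public block and not to the 192.168.70.46 interface address.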
02-10-2012 12:11 PM
Mr BURTS,
Your answers are still the same: very useful.
So the second scenario is good. I think I will use the outside interface for the ISP private addresses, then the inside for the public IP address block, and finally the DMZ will be the interface for the LAN.
I have a question about this scenario: physically the outside port will be wired, the DMZ port too, but the inside port (on which I will put the public IP addresses) will be empty. Will it work with this configuration?
Now just a question about the last scenario: if I use this scenario, can L2L VPN work?
Regards
02-10-2012 12:52 PM
I do not understand your comment (or question) about:
but the inside port (on which I will put the public IP addresses) will be empty,
Are you saying that there will not be anything connected to this interface? You should be able to use the addresses for Address Translation. And I believe that L2L VPN should work. Note that the VPN peering would not be to the outside interface (which has a private address) but would be to one of the public addresses.
HTH
Rick
02-10-2012 03:37 PM
OK Mr BURTS,
I see clearly now. I will try it and give feedback.
Thanks a lot