Placing static routes on DMZ hosts - ASA 5510

davidbirchell
Level 1

I have a LAN (10.1.100.x), WAN (outside), and a DMZ (10.1.10.x) running off a ASA 5510.

Rather than using NAT, how can I bind static IP's directly to devices on the DMZ (exposing them on the Internet, thereby) instead of using NAT to the 10.1.10.x host IP? So that I can "tunnel" static IP routes direct to host?

3 Replies

Jon Marshall
Hall of Fame

davidbirchell wrote:

I have a LAN (10.1.100.x), WAN (outside), and a DMZ (10.1.10.x) running off a ASA 5510.

Rather than using NAT, how can I bind static IP's directly to devices on the DMZ (exposing them on the Internet, thereby) instead of using NAT to the 10.1.10.x host IP? So that I can "tunnel" static IP routes direct to host?

David

If you want to allocate public IPs to the DMZ then you will need -

1) a subnet for the DMZ. Note this cannot be the same subnet as the outside interface of your ASA is in. So has the ISP allocated you a separate subnet you can use? Alternatively, if the subnet allocated by the ISP is used on your outside interface but is big enough to be subnetted down further, you can do that, but you will lose addresses because of the subnet/broadcast addresses not being usable. That is why most people use NAT, because you don't lose addresses.

If you don't have this subnet you could apply to your ISP for one.

2) You then simply address your DMZ servers with public IPs, give the DMZ interface an IP address from the same subnet and it will all work.

Jon

Thanks Jon!

I have a bank of usable IP addresses (only about 8-10), and they are on the same subnet as the WAN interface.

Assume I want to have an internal DMZ zone with internal subnet (10.1.10.x), but at the same time have some sort of way to bind an external IP to an internal DMZ host.

The reason I am asking is because I am using a SIP proxy which needs to be assigned an external IP address and be bound and working as that static IP, rather than 1:1 NAT binding, due to translation issues for SIP.

The problem with assigning a static IP to the DMZ interface, aside from the previously mentioned losses of usable IP addresses, would be the loss of the "internal" DMZ zone (10.1.10.x).

I would just as well wire the SIP proxy directly to the WAN, but the problem is the WAN line goes into the firewall's WAN port, and I was advised against putting that WAN line onto the switch into its own VLAN, and splitting off to both the firewall and SIP proxy from the switch. Thoughts on that?

Thanks in advance...

davidbirchell wrote:

Thanks Jon!

I have a bank of usable IP addresses (only about 8-10), and they are on the same subnet as the WAN interface.

Assume I want to have an internal DMZ zone with internal subnet (10.1.10.x), but at the same time have some sort of way to bind an external IP to an internal DMZ host.

The reason I am asking is because I am using a SIP proxy which needs to be assigned an external IP address and be bound and working as that static IP, rather than 1:1 NAT binding, due to translation issues for SIP.

The problem with assigning a static IP to the DMZ interface, aside from the previously mentioned losses of usable IP addresses, would be the loss of the "internal" DMZ zone (10.1.10.x).

I would just as well wire the SIP proxy directly to the WAN, but the problem is the WAN line goes into the firewall's WAN port, and I was advised against putting that WAN line onto the switch into its own VLAN, and splitting off to both the firewall and SIP proxy from the switch. Thoughts on that?

Thanks in advance...

David

Unfortunately the "binding" that you are talking about is actually NAT.

You could either -

1) use a spare interface on your ASA or subinterface on the DMZ physical interface and use part of your public IP subnet. But as already said you would lose some addresses.

2) as you say, connect the firewall into a switch and the WAN interface. You wouldn't need to split off as such, because the WAN link and the firewall link would be in the same VLAN, and so would the SIP proxy, i.e. it would have to be because of the single public IP subnet you have. But you are now not protecting your SIP proxy with the firewall any more. Whether this is important or not only you can say, but I suspect it is.

Where does the internet come in to the firewall? Is it via the WAN connection, which seems a bit strange?

Finally, have you tried enabling SIP inspection with NAT? You would definitely need to use a one-to-one static NAT, e.g.

static (dmz,outside) <public_ip> <10.1.10.x> netmask 255.255.255.255

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#sip

Jon
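As an added illustration of Jon's suggestion (not Jon's own configuration or the linked Cisco example), the pieces an ASA 5510 running pre-8.3 syntax needs so that one DMZ host is reachable on a public IP with SIP inspection handling the embedded addresses. The public address 203.0.113.10, the DMZ host 10.1.10.10 and the ACL name outside_in are assumed placeholders; the public IP is taken from the same block as the outside interface, which is exactly the case the thread describes.

```text
! One-to-one static NAT: the DMZ host 10.1.10.10 is presented on the outside
! as 203.0.113.10. The ASA answers ARP for 203.0.113.10 on the outside
! interface, so the address can come from the same subnet as the WAN interface.
static (dmz,outside) 203.0.113.10 10.1.10.10 netmask 255.255.255.255

! Inbound policy: only SIP signalling (UDP/TCP 5060) to the proxy is permitted.
! RTP media ports are NOT opened statically; SIP inspection opens them per call
! (pinholes) after parsing the SDP, which keeps the exposed surface minimal.
access-list outside_in extended permit udp any host 203.0.113.10 eq 5060
access-list outside_in extended permit tcp any host 203.0.113.10 eq 5060
access-group outside_in in interface outside

! SIP inspection in the global service policy. This rewrites the private
! 10.1.10.10 inside SIP headers/SDP to 203.0.113.10, which is the
! "translation issue" a plain 1:1 NAT without inspection leaves unsolved.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global

! Verification after applying the config:
!   show xlate                -> confirms the 10.1.10.10 <-> 203.0.113.10 entry
!   show service-policy inspect sip -> counters increment as calls are set up
!   show conn | include 10.1.10.10  -> pinholes appear only during active calls
```

The ACL deliberately allows only SIP signalling inbound; if the proxy also needs other services exposed, add them one at a time rather than permitting "ip any host".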
