04-18-2012 11:27 AM - edited 03-04-2019 04:04 PM
My company currently is using a /30 network, 1 public IP assigned to an ISP and 1 public IP assigned to an ASA. They also use a VPN for which the peer address is the public IP assigned to the outside interface of the ASA. One of our clients is requesting to access our servers, but our servers must have an assigned public IP, not a private one. I have another /27 IP range given to me from our ISP and am wondering how I can assign a server a public IP?
04-18-2012 11:31 AM
Bobby
The more common way to solve this is to use an address from the other block and to configure static address translation so that the request coming in from outside will use the public address from the block and the ASA will translate it to the private address that the server uses inside your network.
HTH
Rick
04-18-2012 11:34 AM
So basically what you are saying is use the /27 as our interface to the ISP from the ASA, and then use the remaining IPs as static NATs to hosts?
04-18-2012 11:37 AM
Bobby
You do not necessarily need to change the interface address. The ASA can use addresses for address translation that are not in the subnet of the interface address.
If you want to change the interface address you certainly can do that. But it is not required.
HTH
Rick
04-18-2012 11:48 AM
Ah okay, so the reason I am doing this is because when we VPN to our clients they want to make sure our private address isn't clashing with their private address, so they want to use a public address for each server. So when I do this NAT it will ensure that there is no clash?
04-18-2012 12:13 PM
The ISP's router, which is your ASA's default gateway, will need a static route pointing the /27 out the interface that faces the ASA's outside interface. Your ASA needs to have static NAT entries using the newly assigned /27. When the ISP's router receives a packet directed to one of the IP addresses that you used on your static NATs, the router will send an ARP request out the customer-facing interface. The ASA in turn, since it has static NATs, will reply to those ARP requests with the MAC address of its outside interface. The Internet router will build the frame using that MAC address as the destination MAC; the frame will be delivered to the ASA's outside interface, and then the ASA will continue its process internally.
04-18-2012 12:41 PM
Excellent, thank you so much.
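The setup described in the replies above, sketched as configuration. This is an added example, not part of the original thread: it assumes ASA 8.3 or later object NAT syntax and an IOS router on the ISP side, and every address, object name, ACL name and interface name is a constructed placeholder (RFC 5737 documentation ranges stand in for the real /30 and /27).

```cisco
! ---- ISP router (IOS), customer-facing side ----
! Constructed addressing: /30 link 198.51.100.0/30 (ISP .1, ASA outside .2),
! additional routed block 203.0.113.32/27.
!
! Route out the interface, as described in the thread: the router then ARPs
! for each /27 address and relies on the ASA answering for its static NATs.
ip route 203.0.113.32 255.255.255.224 GigabitEthernet0/1
!
! Alternative: route to the ASA's outside IP as next hop. The router resolves
! only 198.51.100.2, so nothing depends on the ASA answering ARP for
! addresses outside its interface subnet (later ASA releases may need
! "arp permit-nonconnected" for the interface-route form to work).
! ip route 203.0.113.32 255.255.255.224 198.51.100.2

! ---- ASA ----
! The outside interface keeps its /30 address; the VPN peer IP is unchanged.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! One static NAT per server: private (real) address -> address from the /27.
object network SRV-APP1
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.35
!
! A static NAT alone does not permit inbound traffic. Allow only the client's
! source address (constructed: 192.0.2.10) and only the required port.
! From 8.3 onward the ACL matches the real address, so the object is used.
access-list OUTSIDE-IN extended permit tcp host 192.0.2.10 object SRV-APP1 eq https
access-group OUTSIDE-IN in interface outside
```

On the ASA, `show xlate` lists the static translation and `show nat detail` shows hit counts once the client connects.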