Flevoict
asked on
ASA 5515 with public IPs inside DMZ
Dear Cisco experts,
I've been searching for almost two days now and I can't find an example config for what I want. Maybe one of you can point me in the right direction.
We have a brand new ASA 5515 (software version 8.6) that we want to set up with NAT networks and a DMZ where the servers in the DMZ zone use public IPs and not static NAT.
Our ISP supplied us with a /29 public IP range. They won't give us anything smaller. The first address of the range will be used on the outside interface; the rest of the public IPs will be assigned to servers in the DMZ zone or to static NATs. To clarify, I have attached a layout drawing.
We already figured out the NAT networks and static NAT. We only need help with the DMZ part.
Any help would be appreciated. Even an answer that our setup won't work, with an explanation of what we must do to make it work. The most important thing for us is that we can assign public IPs without NAT to our servers in the DMZ.
Layout.jpg
ASKER
Hi Pete,
When configuring, I already tried it, and I believe you because I got the error.
But maybe you can point me in the direction of a solution.
The solution is to set up a subnet on the DMZ, i.e. 10.1.2.0/24.
Set the DMZ IP to 10.1.2.254/24.
I don't know how many machines are in the DMZ, but I'll assume just one for now; we will call it webserver1.
Give webserver1 an IP address of 10.1.2.1/24 and make its default gateway 10.1.2.254.
Set up static NAT for 10.1.2.1 to 5.174.78.2.
Create an access list to allow traffic to the DMZ.
I've written a walkthrough here, but it's for ASA operating system 8.3 and earlier.
Pete
ASKER
Hi Pete,
The static NAT I already tried and the reason why it isn't working for me is the following:
If I add an extra webserver (ws2) with IP 10.1.2.2/24 and a static NAT to 5.174.78.3, it's all OK from the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.
Bas
A nasty workaround would be to add a static route, say something like the following...
route outside 5.174.78.2 255.255.255.255 5.174.78.1 1
route outside 5.174.78.3 255.255.255.255 5.174.78.1 1
Directly connected routes have an administrative distance of "0", and now you have routes to the other external addresses with an AD of 1. What will happen is that traffic between ws1 and ws2 will be routed out to the external gateway device of your ISP, then routed back to your firewall, where the traffic can be NAT'd properly and communications can flow. You just need to make sure that your ACLs are configured properly.
ASKER
Dear Jordan,
I tried your route commands with different variations. But it doesn't do what I want.
I've added a new drawing to this post; maybe you can help me in the right direction with that.
Thanks in advance.
Layout-NEW.jpg
>>with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2 it fails
Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address, and vice versa?
>>The static NAT I already tried and the reason why it isn't working for me is the following:
>>If I add an extra webserver (ws2) with IP 10.1.2.2/24 and a static NAT to 5.174.78.3, it's all OK from the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.
You can configure NAT on your ASA from dmz to dmz, which will translate 5.174.78.2 to an internal IP address. You should also change your source address to a pool or the interface, because otherwise the return traffic will not go through the ASA.
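Pete's static NAT steps and Henk's dmz-to-dmz NAT written out together, as an added example in ASA 8.3+ syntax (which 8.6 uses); this is not configuration from the thread or from either poster. It assumes the DMZ sits on GigabitEthernet0/2 at security level 50, reuses the thread's addresses (10.1.2.0/24, 5.174.78.2 and .3) with object names of my own (WS1, WS2, WS1_PUB, WS2_PUB, DMZ_NET), and permits only TCP/80 inbound as a placeholder for whatever the servers really serve.

```cisco
! Added example, not from the thread. ASA 8.3+ NAT syntax; interface and object names are assumed.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.254 255.255.255.0
!
! Pete's steps: static (object) NAT for each DMZ host to its public address
object network WS1
 host 10.1.2.1
 nat (dmz,outside) static 5.174.78.2
object network WS2
 host 10.1.2.2
 nat (dmz,outside) static 5.174.78.3
!
! Inbound ACL: since 8.3 the ACL references the real (untranslated) address,
! so the object holding the private host is used here. TCP/80 is a placeholder.
access-list OUTSIDE_IN extended permit tcp any object WS1 eq 80
access-list OUTSIDE_IN extended permit tcp any object WS2 eq 80
access-group OUTSIDE_IN in interface outside
!
! Henk's dmz-to-dmz NAT (hairpin): lets ws2 reach ws1 on 5.174.78.2.
! Traffic must be allowed to enter and leave the same interface first.
same-security-traffic permit intra-interface
!
object network WS1_PUB
 host 5.174.78.2
object network WS2_PUB
 host 5.174.78.3
object network DMZ_NET
 subnet 10.1.2.0 255.255.255.0
!
! Twice NAT (evaluated before object NAT): destination 5.174.78.2 becomes
! 10.1.2.1, and the source is rewritten to the dmz interface address so that
! ws1's reply goes back through the ASA instead of straight to ws2 on the LAN,
! where the ASA would never see it and the translation state would break.
nat (dmz,dmz) source dynamic DMZ_NET interface destination static WS1_PUB WS1
nat (dmz,dmz) source dynamic DMZ_NET interface destination static WS2_PUB WS2
```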
ASKER
>>Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address, and vice versa?
Dear Pete,
I know this is an option, but only as a last resort. And some machines are dedicated applications and we don't have access to the hosts file.
ASKER
>>You can configure NAT on your ASA from dmz to dmz, which will translate 5.174.78.2 to an internal IP address. You should also change your source address to a pool or the interface, because otherwise the return traffic will not go through the ASA.
Dear Henk,
Can you give me a more detailed explanation?
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for Flevoict's comment #a40111183
for the following reason:
Not a real solution but it works.
The solution offered in my posts is a working solution. That you chose a different solution does not automatically mean our answers are not correct and therefore should not be rewarded, right?
I suggest accepting ID: http:#a39820076 as the answer.
This won't work.
Because if your outside IP is 5.174.78.1, as soon as you try to allocate another IP in this range to the DMZ interface it will throw an error: the ASA cannot have two interfaces in overlapping networks. That's why you can't find any examples; try it if you don't believe me.
Pete