Cisco ASA 5505 Initial Configuration for Private Network with External Connectivity

Connect to your ASDM see my website here http://www.petenetlive.com/Tech/Firewalls/Cisco/connect2.htm
and run through the setup wizard - if you get stuck just sing out :)

>> have seen, have shown the ip addresses for the inside network to be on a completely different ip address range.
Correct thats done with a global and a nat command
 
ie
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.XX.XXX.128 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.XX.XXX.129 1
 

I dont want the internal ip addresses to be different though.  I want it set up so that the computers inside the network can keep and pass through their external static ip addresses.  

Here is the deal of the set up for my network.

I have a windows server that is set up as follows:
ip address:  67.XX.XXX.130
subnet: 255.255.255.248
gateway:  67.XXX.XXX.129

I have another server set up as follows:  
ip address:  67.XX.XXX.131
subnet: 255.255.255.248
gateway:  67.XXX.XXX.129  

My cisco 2821 router is set up as follows:
ip address:  67.XX.XXX.129
subnet: 255.255.255.248

Now when putting in the firewall between the router and the two servers, how do I set it up so I dont have to change the external static ip addresses that the servers are using.  

Why 2821 is 67.XX.XXX.129  ? This address should belong to ISP modem/router, which will be used as "gateway/next hop" in your router 2821 config.
And interface of your 2821 facing ISP should have one of 67.XX.XXX.130-135.
Any servers with public WAN from this range , should be connected to ISP modem/router as well (if there is not enouf port - you cn get $30 4 port switch).
Posting some drawing should be helpfull for further discussion.

P.S.
Your basic config should be looks like this
Username:
Password:


Using 7427 out of 245752 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
enable secret 5
enable password 7

!
!
a
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
ip cef
!
!
ip domain name
ip name-server
ip name-server
!

!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
 no dspfarm
!
!

!
!
ip tcp synwait-time 10
!
!
!

!
interface FastEthernet0/0
 description Wan side
 ip address 68.x.x.130 255.255.255.248
  duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN side
 ip address 10.10.0.100 255.255.0.0
 
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent

!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 perm
 match ip address 101
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
scheduler allocate 20000 1000
ntp update-calendar
ntp server r
!

and use SDM to simplify config.

This should give some details, and having your connection topology will be really helpfull.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml

Basically, I want a set up that is laid out like the jpg attached in terms of ip addresses.  I have the two servers connected to a dumb switch which is then connected to the router.  The two servers are set up to have external ip static ip addresses.  There is no NAT used.  
setup.JPG

Ok, here is a rough idea of how our network is setup including putting this lovely little firewall in there.  Any  help would be greatly appreciated on how I work with the ip address issue.  

setup.JPG

If external Ip same as internal, then it is defeat purpose of having router, and you can connect ASA directly to ISP.
And on 255.255.255.248 you will have IP range 67.x.x.129-67.x.x.134 , and 67.x.x.135- is broadcast IP cannot be used to assigned to anything- please confirm that with ISP.
In cisco link above - prett straight forward config, use ASDM simplyfy config.
Also you can replace "dumb switch " with 8 port module for ASA, unless you need more then 300feet from ASA to PC.

We have the router due to the number of T1 lines coming into our office.  We also have more than 300 ft of cord involved which is why we have the switch.  

So what is the difficult follow:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml
 or any other....
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
Should be easy enouf.

Agree, just follow the link example, and once you "preconfigure" check basic ping/conuctivity to "outside" word, use "tracert x.x.x.x", "ping www.yahoo.com"  or from ASA "trace ip x.x.x.x".

Thanks for the transparent firewall mode comment.  I did not know about that mode.  Is there any security issue with this mode or downsides versus doing Nat 0 and just passing through the ip addresses that I need to?

ThanQ

Old Links Above
http://www.petenetlive.com/KB/Article/0000075.htm
also see
http://www.petenetlive.com/KB/Article/0000173.htm