I'm using an ASA 5510, and for my specific purpose I need to publish a server to our corporate WAN without using NAT. I've looked for some configuration examples online, but I've been unable to locate anything adequate. Here's some information:
ASA Version 8.3(2) - NAT was changed slightly in this version, just FYI
Because you can't have overlapping networks on interfaces, I divided our external subnet like this:
126.96.36.199/24 - Eth0/0 - Internet External Interface
188.8.131.52/25 - Eth0/3 - Corporate WAN External Interface
184.108.40.206/25 - Eth0/1.10, Internal Sub-Interface
192.168.0.0/24 - Eth0/1 - Internal Interface
I assigned the IP 220.127.116.11 to the Internal Interface, and assigned IP address 18.104.22.168 to the server. I have an existing PAT masquerade rule which should work (and does, technically, the ASA shows no packet blocking and packet traces work fine), but it doesn't.
The PAT rule masquerades any traffic sent to the Eth0/3 interface to 22.214.171.124. Other systems with traditional NAT from Eth0/1 work fine. I also created a NAT rule that made the server keep its assigned address (126.96.36.199), but still no connectivity. The firewall logs look fine:
6 Oct 19 2010 09:45:52 188.8.131.52 57990 184.108.40.206 53 Built outbound UDP connection 143741 for WAN_Corp:220.127.116.11/53 (18.104.22.168/53) to DMZ_Corp:22.214.171.124/57990 (126.96.36.199/57990)
Routing this system over a PAT rule to the Internet on Eth0/0 works fine.
I'm confused as to whether this is the "best practice" way to do this or not. I can't have overlapping IP ranges, but the internal addresses are not advertised on the outside interface, so I don't understand how the firewall will even receive the traffic on a response, let alone a request.
Any ideas on best practice for no NAT for a specific system?
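An ASA 8.3-style identity NAT ("no NAT") configuration for a single host, added here as an illustration and not taken from the post above or from any answer to it. It assumes the server sits behind an interface named inside, that the corporate WAN interface is named WAN_Corp (the name that appears in the syslog line in the question), and that 203.0.113.10 and 198.51.100.25 are placeholders standing in for the server's real address and a corporate WAN host; the object names are likewise made up for the example.

```cisco
! Added example, not the poster's configuration. Assumed names/addresses:
!   inside       - interface the server lives behind
!   WAN_Corp     - corporate WAN interface (name taken from the syslog line)
!   203.0.113.10 - placeholder for the server's real, un-NATed address
!   198.51.100.25 - placeholder for a host on the corporate WAN

! 1. Object NAT: static identity translation for the one host.
!    Real and mapped address are the same, so the packet leaves with its
!    own source address. In 8.3 the mapped interface named in the NAT rule
!    also selects the egress interface for traffic matching the rule.
object network SRV_NONAT
 host 203.0.113.10
 nat (inside,WAN_Corp) static 203.0.113.10

! 2. The general PAT rule for everything else on the inside network.
!    Within object NAT, static rules are evaluated before dynamic ones, so
!    the identity rule above wins for 203.0.113.10 and PAT covers the rest.
object network INSIDE_NET
 subnet 192.168.0.0 255.255.255.0
 nat (inside,WAN_Corp) dynamic interface

! 3. Allow the corporate WAN to reach the published service (UDP/53 here,
!    to match the DNS connection in the question's log). From 8.3 onward an
!    ACL matches the real address; with identity NAT real and mapped are
!    the same anyway.
access-list WAN_Corp_in extended permit udp any object SRV_NONAT eq 53
access-group WAN_Corp_in in interface WAN_Corp

! 4. Checks. The inbound trace is the one that matters for the question:
!    phase 1 is the route lookup for the server address on the ASA, and
!    the trace ends in DROP if no NAT rule or ACL matches.
show nat detail
packet-tracer input WAN_Corp udp 198.51.100.25 40000 203.0.113.10 53
packet-tracer input inside udp 203.0.113.10 53 198.51.100.25 40000
show xlate
```

What the trace cannot show is whether packets for 203.0.113.10 ever reach the WAN_Corp interface in the first place, which is the worry raised in the question. If the server's address falls inside the subnet configured on WAN_Corp, the static NAT entry makes the ASA answer ARP for it on that interface and the corporate WAN routers will deliver locally; if the address is outside that subnet, the next-hop router on the corporate WAN needs a route for it (or for the block it belongs to) pointing at the ASA's WAN_Corp interface address, otherwise both requests and replies are sent elsewhere and the ASA sees nothing to log. A packet capture on WAN_Corp filtered on the server address (capture CAP interface WAN_Corp match ip any host 203.0.113.10, then show capture CAP) is the quickest way to confirm which of the two is happening.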