tl121000

Moving to a NEW ISP - Cisco ASA 5510 - 3 interfaces - NAT - block of addresses

We are moving to a new ISP, but the requirements differ in that the provider only offers a /30 bit subnet for our CISCO ASA 5510 WAN Interface connecting to the ISP upstream router.

INT: 25.25.25.25 /30

They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.  

block: 100.100.100.96 /28

Our current physical/logical address block has a /28 mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.

************

Interfaces:
interface Ethernet0/0
 speed 100
 duplex full
 nameif  WAN
 security-level 0
 ip address 25.25.25.25  255.255.255.252
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.200.200.1 255.255.255.0

*********

I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.

How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet requests, using the 100.100.100.96 /28 (.97-.110 usable)?

i.e. 10.200.200.2

To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?

I also have 2 site-to-site VPNs that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPs or one of the /28 PUBLIC IPs?


Of course, I will repoint my PUBLIC DNS records, once this is square.

Last Comment: tl121000, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION
Ernie Beek

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
tl121000

ASKER
Thanks Ernie -

However, I am not clear as to how the /28 public IPs (100.100.100.96) will serve traffic in/out to the DMZ. Do I need to add a route, since the Ethernet 0/0 WAN (25.25.25.25 /30) interface is on a different (and what appears to be a disjoint) subnet than the /28?

I understand that NATting from the private 10.200.200.1 >> 100.100.100.96 /28 will take place, but the /28 is not a directly connected interface nor is it a backplane-accessible interface.
Is this a route/rule that is most likely implied on the ISP's upstream router?



Please advise.

interface Ethernet0/0
 speed 100
 duplex full
 nameif  WAN
 security-level 0
 ip address 25.25.25.25  255.255.255.252

interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.200.200.1 255.255.255.0
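The following is an added example configuration for the situation described in both posts above (DMZ servers published out of the /28, LAN Internet access, LAN/DMZ exemption, and the question of where the /28 is routed). It is not part of the original thread and is not Ernie Beek's accepted solution, which is not visible here. It uses the ASA 8.3+ object NAT syntax; the object names, the choice of 100.100.100.98 for the published host and 100.100.100.110 for DMZ outbound PAT, the ISP router address 25.25.25.26, the remote VPN subnet 192.168.200.0/24 and the sample service port 443 are all assumptions.

```cisco
! Network objects (names are assumptions, addresses come from the question)
object network LAN_NET
 subnet 192.168.100.0 255.255.252.0
object network DMZ_NET
 subnet 10.200.200.0 255.255.255.0
object network DMZ_SERVER_1
 host 10.200.200.2
object network DMZ_SERVER_1_PUBLIC
 host 100.100.100.98
object network DMZ_PAT_ADDR
 host 100.100.100.110
object network VPN_REMOTE_NET
 subnet 192.168.200.0 255.255.255.0

! 1. Manual (twice) NAT, evaluated first: identity NAT so LAN <-> DMZ traffic
!    keeps its private addresses (the "nat exemption" already working above),
!    and so LAN <-> remote VPN site traffic is not caught by the LAN PAT below.
nat (LAN,DMZ) source static LAN_NET LAN_NET destination static DMZ_NET DMZ_NET
nat (LAN,WAN) source static LAN_NET LAN_NET destination static VPN_REMOTE_NET VPN_REMOTE_NET

! 2. One-to-one static NAT: 10.200.200.2 <-> 100.100.100.98 in both directions.
!    The mapped address is NOT on the WAN subnet (25.25.25.24/30); that is fine,
!    because the ASA matches inbound packets against the NAT table (untranslate)
!    before it consults the routing table, so no route for the /28 is needed on
!    the ASA. What IS needed is a static route on the ISP's upstream router:
!    100.100.100.96/28 via 25.25.25.25. Confirm that with the ISP.
object network DMZ_SERVER_1
 nat (DMZ,WAN) static DMZ_SERVER_1_PUBLIC

! 3. Outbound-only PAT for the rest of the DMZ, using one /28 address.
!    A host object as the mapped address means dynamic PAT, not a one-address pool.
object network DMZ_NET
 nat (DMZ,WAN) dynamic DMZ_PAT_ADDR

! 4. LAN to Internet: PAT to the WAN interface address (25.25.25.25).
!    Either choice in the question works; "interface" avoids spending a /28 address.
object network LAN_NET
 nat (LAN,WAN) dynamic interface

! 5. Inbound policy for the published server. In 8.3+ the ACL references the
!    REAL (private) address, not the mapped one. Everything else inbound is denied.
access-list WAN_IN extended permit tcp any object DMZ_SERVER_1 eq 443
access-group WAN_IN in interface WAN

! 6. Default route toward the ISP's side of the /30 (assumed to be .26).
route WAN 0.0.0.0 0.0.0.0 25.25.25.26 1
```

On the VPN question: the ASA terminates IKE on the WAN interface's own address, so the remote site-to-site peers point at 25.25.25.25 (the /30 address), not at a /28 address; the identity NAT in section 1 is what keeps that tunnel traffic from being PATted. On pre-8.3 code the equivalents of sections 2 to 4 are `static (DMZ,WAN) 100.100.100.98 10.200.200.2`, `nat (DMZ) 1 10.200.200.0 255.255.255.0` with `global (WAN) 1 100.100.100.110`, and `nat (LAN) 2 192.168.100.0 255.255.252.0` with `global (WAN) 2 interface`, with the inbound ACL written against the mapped address instead of the real one.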
tl121000

ASKER
The directions were short, sweet, clear, and concise.