tl121000 (United States) asked:
Moving to a NEW ISP - Cisco ASA 5510 - 3 interfaces - NAT - block of addresses

We are moving to a new ISP, but the requirements differ in that the provider only offers a /30 subnet for our Cisco ASA 5510 WAN interface connecting to the ISP upstream router.

INT: 25.25.25.25 /30

They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.

block: 100.100.100.96 /28

Our current physical/logical address block has a /28 mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.

************

Interfaces:
interface Ethernet0/0
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.200.200.1 255.255.255.0

*********

I did get the DMZ and LAN traffic to communicate by simply using a NAT exemption.

How do I translate and get the [10.200.200.x] servers behind the DMZ to serve Internet requests, using the 100.100.100.96 /28 (.97-.110 usable)?

i.e. 10.200.200.2

To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?

I also have 2 site-to-site VPNs that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPs or one of the /28 PUBLIC IPs?


Of course, I will repoint my PUBLIC DNS records, once this is square.
ASKER CERTIFIED SOLUTION: Ernie Beek (Netherlands)

tl121000 (ASKER) replied:
Thanks Ernie -

However, I am not clear as to how the /28 public IPs (100.100.100.96) will serve traffic in/out to the DMZ. Do I need to add a route, since the Ethernet 0/0 WAN (25.25.25.25 /30) interface is on a different (and what appears to be a disjoint) subnet than the /28?
 
I understand that NATting from the private 10.200.200.1 >> 100.100.100.96 /28 will take place, but the /28 is not a directly connected interface, nor is it a backplane-accessible interface.
 Is this a route/rule that is most likely implied on the ISP's upstream router?



Please advise.

interface Ethernet0/0
 speed 100
 duplex full
 nameif WAN
 security-level 0
 ip address 25.25.25.25 255.255.255.252

interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.200.200.1 255.255.255.0
The directions were short, sweet, clear, and concise.
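The following is an added worked example for the two posts above (the original NAT question and the follow-up about routing the /28); it is not the accepted answer and not configuration from the original poster. It uses ASA 8.3+ object and twice NAT syntax, and assumes the ISP side of the /30 is 25.25.25.26, that the published DMZ service is HTTPS on 10.200.200.2, and the object and ACL names shown. The practitioner's check behind the follow-up question: a routed block like 100.100.100.96/28 is never configured on an ASA interface. The ISP's upstream router carries a route for the /28 with 25.25.25.25 as the next hop, so the ASA only needs its default route and the NAT rules; confirm with the ISP that the /28 is routed to the /30 address before cutover, because nothing on the ASA can make a block reachable that the upstream does not route to it.

```cisco
! Added example, not the page's own config. ASA 8.3+/9.x syntax assumed.
! Gateway 25.25.25.26, object names and TCP/443 are assumptions.

! Only route the ASA needs for the routed /28: the default via the ISP /30 peer.
! Return traffic for 100.100.100.96/28 arrives because the ISP routes it to 25.25.25.25.
route WAN 0.0.0.0 0.0.0.0 25.25.25.26 1

! --- DMZ server: one-to-one static NAT to an address from the routed /28 ---
object network DMZ-WEB-INSIDE
 host 10.200.200.2
 nat (DMZ,WAN) static 100.100.100.98

! --- LAN egress: dynamic PAT. Translating to the interface IP works; using a
! dedicated /28 address instead keeps LAN egress distinguishable from the
! firewall's own traffic and from the DMZ hosts in remote logs and ACLs. ---
object network LAN-NET
 subnet 192.168.100.0 255.255.252.0
 nat (LAN,WAN) dynamic interface
! alternative, one rule per object:  nat (LAN,WAN) dynamic 100.100.100.110

! --- LAN <-> DMZ stays untranslated (8.3+ form of the old NAT exemption).
! Twice NAT is evaluated before object NAT, so this wins over the PAT above. ---
object network DMZ-NET
 subnet 10.200.200.0 255.255.255.0
nat (LAN,DMZ) source static LAN-NET LAN-NET destination static DMZ-NET DMZ-NET
! Add an equivalent identity rule (LAN,WAN) for each site-to-site VPN remote
! subnet, otherwise LAN traffic bound for the tunnels is PATted to the WAN.

! --- Inbound policy: only the published service reaches the DMZ host.
! In 8.3+ the ACL matches the real (untranslated) address, not 100.100.100.98. ---
access-list WAN_IN extended permit tcp any host 10.200.200.2 eq 443
access-list WAN_IN extended deny ip any any log
access-group WAN_IN in interface WAN

! --- Site-to-site VPNs: IKE terminates on the WAN interface address, so the
! remote peers point at 25.25.25.25 (the /30 address), not at a /28 address. ---
! crypto map OUTSIDE_MAP interface WAN

! --- Verify before repointing public DNS (203.0.113.10 is a constructed client) ---
! show nat detail
! packet-tracer input WAN tcp 203.0.113.10 40000 100.100.100.98 443
! packet-tracer input DMZ tcp 10.200.200.2 40000 203.0.113.10 80
```

The two packet-tracer runs show both directions of the DMZ translation and which ACL and NAT rule each flow hits, which is the quickest way to see whether a failure is on the ASA or upstream: if the trace is allowed but real traffic never arrives, the ISP is not routing the /28 to 25.25.25.25.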