We help IT Professionals succeed at work.
Get Started
Moving to a NEW ISP - Cisco ASA 5510 - 3 interfaces - NAT - block of addesses
We are moving to a new ISP, but the requirements differ in that the provider only offers a /30 bit subnet for our CISCO ASA 5510 WAN Interface connecting to the ISP upstream router.
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
INT: 25.25.25.25 /30
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
block: 100.100.100.96 /28
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
i.e. 10.200.200.2
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE