troubleshooting Question
Moving to a NEW ISP - Cisco ASA 5510 - 3 interfaces - NAT - block of addesses
asked on
We are moving to a new ISP, but the requirements differ in that the provider only offers a /30 bit subnet for our CISCO ASA 5510 WAN Interface connecting to the ISP upstream router.
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
INT: 25.25.25.25 /30
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
block: 100.100.100.96 /28
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
i.e. 10.200.200.2
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.