asked on Moving to a NEW ISP - Cisco ASA 5510 - 3 interfaces - NAT - block of addesses
We are moving to a new ISP, but the requirements differ in that the provider only offers a /30 bit subnet for our CISCO ASA 5510 WAN Interface connecting to the ISP upstream router.
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
INT: 25.25.25.25 /30
They did assign a block of 14 IP addresses to use (/28), but I am guessing I will need to translate this pool of addresses from behind an available DMZ interface.
block: 100.100.100.96 /28
Our current physical/logical the address block is a /28 bit mask and allows us to translate without the extra perimeter - much easier, but this is going bye-bye.
************
Interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.100.1 255.255.252.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0
*********
I did get the DMZ and LAN traffic to communicate, by simply using a nat exemption.
How do I translate and get the [10.200.200.x] servers behind the DMZ to provide Internet request, using the 100.100.100.96 /28 (.97-.110) usable?
i.e. 10.200.200.2
To allow full LAN Internet access, will I simply translate the LAN traffic (192.168.100.x) to the WAN interface IP, or do I use one of the addresses out of the block of 100.100.100.96 /28?
I also have 2 site to site VPNS - that would need to be reconfigured to connect to the proper endpoint. Would I connect them to the /30 PUBLIC IPS or one of the /28 PUBLIC IPs?
Of course, I will repoint my PUBLIC DNS records, once this is square.
Network SecurityNetworking ProtocolsHardware Firewalls
Last Comment
tl121000
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
The directions were short, sweet, clear, and concise.
However, I am not clear as to how the /28 public IPs (100.100.100.96) will serve traffic in/out to the DMZ. Do I need to add a route, since the Ethernet 0/0 WAN (25.25.25.25 /30) interface is on a different (and what appears to be a disjointed) subnet than the /28.
I understand that natting from the private 10.200.200.1 >> 100.100.100.96 /28 will take place, but /28 is not a directly connect interface nor is it a backplane accessible interface.
Is this a route/rule that is most likely implied on the ISP's upstream router?
Please advise.
interface Ethernet0/0
speed 100
duplex full
nameif WAN
security-level 0
ip address 25.25.25.25 255.255.255.252
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 10.200.200.1 255.255.255.0