ASA 5515 with public IP's inside DMZ

Dear Cisco experts,

I'm searching for almost two days now and I can't find an example config for what I want. Maybe one of you can point me in the right direction.

We have a brand new ASA 5515 (software version 8.6) that we want to set up with NAT networks and a DMZ where the servers that are in the DMZ zone use public IP's and not static NAT.

Our ISP supplied us with a /29 public IP range. They won't give us anything smaller. The first address of the range will be used on the outside interface, the rest of the Public IP's will be assigned to servers in the DMZ zone or Static NAT's. To clarify I have attached a layout drawing.

We already figured out the NAT networks and static NAT. We only need help with the DMZ part.

Any help would be appreciated. Even an answer if our setup won't work with an explanation what we must do to let it work. The most important for us is that we can assign public IP's without NAT to our servers in the DMZ.
Layout.jpg
Asked by: Flevoict

2 Solutions

Pete Long (Technical Consultant) commented:
On your diagram you say you want traffic from the DMZ NOT to be NATted.
This won't work.

Because if your outside IP is 5.174.78.1, as soon as you try to allocate another IP in this range to the DMZ interface it will throw you an error: the ASA cannot have two interfaces in overlapping networks. That's why you can't find any examples. Try it if you don't believe me.

Pete
Flevoict (Author) commented:
Hi Pete,

When configuring it I already tried this, and I believe you because I got the error.

But maybe you can point me in a direction to the solution.
Pete Long (Technical Consultant) commented:
The solution is to set up a subnet on the DMZ, i.e. 10.1.2.0/24.

Set the DMZ IP to 10.1.2.254/24.

I don't know how many machines are in the DMZ, but I'll assume just one for now; we will call it webserver1.

Give webserver1 an IP address of 10.1.2.1/24 and make its default gateway 10.1.2.254.
Set up static NAT for 10.1.2.1 to 5.174.78.2.
Create an access list to allow traffic to the DMZ.

I've written a walk-through here, but it's for ASA operating system 8.3 and earlier.

Pete
Flevoict (Author) commented:
Hi Pete,

The static NAT I already tried, and the reason why it isn't working for me is the following:

If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3, it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.


Bas
Jordan Medlen commented:
A nasty workaround would be to add a static route, say something like the following...

route outside 5.174.78.2 255.255.255.255 5.174.78.1 1
route outside 5.174.78.3 255.255.255.255 5.174.78.1 1

Directly connected routes have an administrative distance of "0", and now you have routes to the other external addresses with an AD of 1. What will happen is that traffic between ws1 and ws2 will be routed out to the external gateway device of your ISP, then routed back to your firewall, where the traffic can be NATted properly and communications can flow. You just need to make sure that your ACLs are configured properly.
Flevoict (Author) commented:
Dear Jordan,

I tried your route commands with different variations, but it doesn't do what I want.

I've added a new drawing to this post, maybe you can help me in the right way with that.

Thanks in advance.
Layout-NEW.jpg
Pete Long (Technical Consultant) commented:
>> with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2 it fails

Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address, and vice versa?
Henk van Achterberg (Sr. Technical Consultant) commented:
>> The static NAT I already tried and the reason why it isn't working for me is the following:
>>
>> If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2 it fails.

You can configure NAT on your ASA from dmz to dmz which will translate the 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface, because otherwise the return traffic will not go through the ASA.
Flevoict (Author) commented:
>> Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address? and vice versa

Dear Pete,

I know this is an option, but only as a last resort. And some machines are dedicated applications and we don't have access to the hosts file.
Flevoict (Author) commented:
>> You can configure NAT on your ASA from dmz to dmz which will translate the 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface because otherwise the return traffic will not go through the ASA.

Dear Henk,

Can you give me a more detailed explanation?
Henk van Achterberg (Sr. Technical Consultant) commented:
You want this:

When server-1 (10.1.2.1) wants to communicate with the external IP of server-2 (5.174.78.3) it will send its packets to the ASA.

At the ASA you need to configure a rule like this:

Original interface: dmz
Original source: dmz-network (10.1.2.0/24 I guess)
Original destination: 5.174.78.3
Original Service: any

Translated interface: dmz
Translated source: interface
Translated destination: 10.1.2.2
Translated Service: Original

The rule looks like this:

nat (dmz,dmz) source static DMZ-LAN-Network interface destination static SERVER-2-WAN SERVER-2-LAN

With this rule the ASA will translate the destination address to the internal IP of Server-2 and it will change the source to the IP address of the dmz interface. You need to change the source address because if you don't, server-2 will send its response directly to server-1. The ASA wants to see all (bidirectional) traffic, otherwise it will drop the connections. There is a way to avoid this by using the TCP State Bypass feature if you want the response from server-2 to go directly to server-1.

PeteL: It would be great if you could make an article on your website which explains how to use the natted external IP addresses available on the "inside" with this NAT statement!
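To make the point about the source translation concrete, here is an added Python model of that twice-NAT rule (example code written for this page, not from the thread or from Cisco). It assumes the objects DMZ-LAN-Network, SERVER-2-WAN and SERVER-2-LAN stand for 10.1.2.0/24, 5.174.78.3 and 10.1.2.2 as in the thread, and it shows where server-2's reply ends up with and without the "interface" source translation:

```python
import ipaddress

# Constructed addresses, taken from the thread (not the asker's real config)
DMZ_NET = ipaddress.ip_network("10.1.2.0/24")   # DMZ-LAN-Network
DMZ_IF = "10.1.2.254"                           # ASA dmz interface address
SERVER2_LAN = "10.1.2.2"                        # SERVER-2-LAN
SERVER2_WAN = "5.174.78.3"                      # SERVER-2-WAN (static NAT address)


def twice_nat_dmz_to_dmz(src, dst, translate_source=True):
    """Model of: nat (dmz,dmz) source static DMZ-LAN-Network interface
                          destination static SERVER-2-WAN SERVER-2-LAN
    Returns (new_src, new_dst, xlate) or None when the rule does not match.
    translate_source=False models the rule without the 'interface' source
    translation, to show why that part is needed."""
    if ipaddress.ip_address(src) not in DMZ_NET or dst != SERVER2_WAN:
        return None
    new_src = DMZ_IF if translate_source else src
    xlate = {"orig": (src, dst), "xlated": (new_src, SERVER2_LAN)}
    return new_src, SERVER2_LAN, xlate


def reply_path(xlate):
    """Server-2 answers the source address it saw. If that is the ASA's dmz
    interface, the reply traverses the ASA, which reverses the xlate. If it
    is still server-1's own 10.1.2.x address (same subnet), server-2 delivers
    directly and the ASA never sees the reply: an asymmetric flow it drops."""
    fwd_src, fwd_dst = xlate["xlated"]
    if fwd_src == DMZ_IF:
        orig_src, orig_dst = xlate["orig"]
        return "via-asa", orig_dst, orig_src      # untranslated reply
    return "bypasses-asa", fwd_dst, fwd_src


def simulate(translate_source=True):
    """Server-1 (10.1.2.1) opens a connection to server-2's public address."""
    result = twice_nat_dmz_to_dmz("10.1.2.1", SERVER2_WAN, translate_source)
    if result is None:
        return None
    new_src, new_dst, xlate = result
    path, rsrc, rdst = reply_path(xlate)
    return {"forward": (new_src, new_dst), "reply": (rsrc, rdst), "path": path}


if __name__ == "__main__":
    print("with source translation:   ", simulate(True))
    print("without source translation:", simulate(False))
```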
Flevoict (Author) commented:
After a long argument with our provider we now have a routed subnet and we don't have to use NAT for the DMZ.
Flevoict (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Flevoict's comment #a40111183

for the following reason:

Not a real solution but it works.
Henk van Achterberg (Sr. Technical Consultant) commented:
The solution offered in my posts is a working solution. That you chose a different solution does not automatically mean our answers are not correct and therefore not rewarded, right?
Henk van Achterberg (Sr. Technical Consultant) commented:
I suggest ID: http:#a39820076 to accept as answer.