Solved

ASA 5515 with public IPs inside DMZ

Posted on 2014-01-27
2,819 Views
Last Modified: 2014-06-07
Dear Cisco experts,

I'm searching for almost two days now and I can't find an example config for what I want. Maybe one of you can point me in the right direction.

We have a brand new ASA 5515 (software version 8.6) that we want to set up with NAT networks and a DMZ where the servers in the DMZ zone use public IPs and not static NAT.

Our ISP supplied us with a /29 public IP range. They won't give us anything smaller. The first address of the range will be used on the outside interface; the rest of the public IPs will be assigned to servers in the DMZ zone or used for static NATs. To clarify, I have attached a layout drawing.

We already figured out the NAT networks and static NAT. We only need help with the DMZ part.

Any help would be appreciated, even an answer that our setup won't work, with an explanation of what we must do to make it work. The most important thing for us is that we can assign public IPs without NAT to our servers in the DMZ.
Layout.jpg
Question by:Flevoict
17 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 39811424
On your diagram you say you want traffic from the DMZ NOT to be NATed.
This won't work.

Because if your outside IP is 5.174.78.1, as soon as you try to allocate another IP in this range to the DMZ interface it will throw you an error: the ASA cannot have two interfaces in overlapping networks. That's why you can't find any examples; try it if you don't believe me.

Pete
0
 

Author Comment

by:Flevoict
ID: 39811467
Hi Pete,

When configuring I already tried it and I believe you because I got the error.

But maybe you can point me in a direction to the solution.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 39811639
The solution is to set up a subnet on the DMZ, i.e. 10.1.2.0/24.

Set the DMZ IP to 10.1.2.254/24.

I don't know how many machines are in the DMZ, but I'll assume just one for now; we will call it webserver1.

Give webserver1 an IP address of 10.1.2.1/24 and make its default gateway 10.1.2.254.
Set up static NAT for 10.1.2.1 to 5.174.78.2.
Create an access list to allow traffic to the DMZ.

I've written a walk-through here, but it's for ASA operating system 8.3 and earlier.

Pete
0

Author Comment

by:Flevoict
ID: 39811678
Hi Pete,

The static NAT I already tried, and the reason why it isn't working for me is the following:

If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3, it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.


Bas
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39811888
A nasty workaround would be to add a static route, something like the following:

route outside 5.174.78.2 255.255.255.255 5.174.78.1 1
route outside 5.174.78.3 255.255.255.255 5.174.78.1 1

Directly connected routes have an administrative distance of "0", and now you have routes to the other external addresses with an AD of 1. What will happen is that traffic between ws1 and ws2 will be routed out to the external gateway device of your ISP, then routed back to your firewall, where the traffic can be NATed properly and communications can flow. Just need to make sure that your ACLs are configured properly.
0
 

Author Comment

by:Flevoict
ID: 39812185
Dear Jordan,

I tried your route commands with different variations, but it doesn't do what I want.

I've added a new drawing to this post, maybe you can help me in the right way with that.

Thanks in advance.
Layout-NEW.jpg
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 39812587
>>with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 want's to connect to ws1 on the static NAT IP 5.174.78.2 it fails

Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address? and vice versa
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39814230
The static NAT I already tried, and the reason why it isn't working for me is the following:

If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3, it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.

You can configure NAT on your ASA from dmz to dmz which will translate 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface because otherwise the return traffic will not go through the ASA.
0
 

Author Comment

by:Flevoict
ID: 39814475
Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address? and vice versa

Dear Pete,

I know this is an option, but only as a last resort. And some machines are dedicated appliances and we don't have access to the hosts file.
0
 

Author Comment

by:Flevoict
ID: 39814479
You can configure NAT on your ASA from dmz to dmz which will translate 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface because otherwise the return traffic will not go through the ASA.

Dear Henk,

Can you give me a more detailed explanation?
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 500 total points
ID: 39820076
You want this:

When server-1 (10.1.2.1) wants to communicate with the external IP of server-2 (5.174.78.3), it will send its packets to the ASA.

At the ASA you need to configure a rule like this:

Original interface: dmz
Original source: dmz-network (10.1.2.0/24 I guess)
Original destination: 5.174.78.3
Original Service: any

Translated interface: dmz
Translated source: interface
Translated destination: 10.1.2.2
Translated Service: Original

The rule looks like this:

nat (dmz,dmz) source static DMZ-LAN-Network interface destination static SERVER-2-WAN SERVER-2-LAN

With this rule the ASA will translate the destination address to the internal IP of server-2 and it will change the source to the IP address of the dmz interface. You need to change the source address because if you don't, server-2 will send its response directly to server-1. The ASA wants to see all (bidirectional) traffic, otherwise it will drop the connections. There is a way to avoid this by using the TCP State Bypass feature if you want to have the response from server-2 go directly to server-1.

PeteL: It would be great if you could make an article on your website which explains how to use the natted external IP addresses available on the "inside" with this NAT statement!
0
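The full configuration for Pete's static-NAT DMZ (comment ID 39811639) together with Henk's DMZ-to-DMZ hairpin rule (comment ID 39820076), as an added example that is not from either poster or from the original thread. It assumes ASA 8.3+ NAT syntax (the 8.6 image on the 5515 uses it), the addressing Pete proposed (outside 5.174.78.1/29, DMZ 10.1.2.254/24, two web servers at 10.1.2.1 and 10.1.2.2), and illustrative interface, object and ACL names. In place of the `static` keyword in Henk's line it uses `source dynamic ... interface`, PAT to the dmz interface address, which is the form Cisco documents for this U-turn case; the ISP next hop is not given in the thread, so the default route is left as a placeholder comment.

```cisco
! Added example, not the OP's configuration. ASA 8.3+ NAT syntax.
! Interface, object and ACL names are illustrative.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.174.78.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.2.254 255.255.255.0
!
! route outside 0.0.0.0 0.0.0.0 <ISP gateway>   (next hop not given in the thread)
!
! Required for the (dmz,dmz) rules below. By default the ASA refuses to
! forward a flow that enters and leaves on the same interface, and the
! hairpin NAT rule is never consulted.
same-security-traffic permit intra-interface
!
object network DMZ-LAN-Network
 subnet 10.1.2.0 255.255.255.0
object network SERVER-1-LAN
 host 10.1.2.1
object network SERVER-1-WAN
 host 5.174.78.2
object network SERVER-2-LAN
 host 10.1.2.2
object network SERVER-2-WAN
 host 5.174.78.3
!
! Pete's step: one-to-one static NAT per DMZ host (object NAT). The same
! rule untranslates inbound connections from outside to the real host.
object network SERVER-1-LAN
 nat (dmz,outside) static 5.174.78.2
object network SERVER-2-LAN
 nat (dmz,outside) static 5.174.78.3
!
! Henk's step: twice NAT for DMZ hosts that address each other by public IP.
! The destination 5.174.78.x is rewritten to the real host; the source is
! PATed to the dmz interface address (10.1.2.254) so the reply comes back
! through the ASA instead of going host-to-host on the segment.
! Manual NAT (section 1) is evaluated before object NAT, so these win.
nat (dmz,dmz) source dynamic DMZ-LAN-Network interface destination static SERVER-1-WAN SERVER-1-LAN
nat (dmz,dmz) source dynamic DMZ-LAN-Network interface destination static SERVER-2-WAN SERVER-2-LAN
!
! Pete's step: permit inbound traffic to the DMZ hosts. On 8.3+ the ACL on
! the outside interface matches the real (private) addresses, not the
! public ones.
access-list OUTSIDE-IN extended permit tcp any object SERVER-1-LAN eq 80
access-list OUTSIDE-IN extended permit tcp any object SERVER-2-LAN eq 80
access-group OUTSIDE-IN in interface outside
!
! Verification (exec mode, not config):
!   packet-tracer input dmz tcp 10.1.2.2 40000 5.174.78.2 80
!   show nat detail
!   show xlate
```

In the `packet-tracer` output the NAT phase should name the (dmz,dmz) rule and the result line should show the egress interface as dmz; if it shows outside, the hairpin rule is missing, `same-security-traffic permit intra-interface` is absent, or the rule was placed `after-auto` behind the object NAT. After a real test connection `show xlate` should list a PAT entry from the source host to 10.1.2.254 alongside the static entries.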
 

Accepted Solution

by:
Flevoict earned 0 total points
ID: 40111183
After a long argument with our provider we now have a routed subnet and we don't have to use NAT for the DMZ.
0
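What the routed-subnet outcome looks like on the ASA, as an added example that is not the OP's configuration and not from the thread. It assumes the ISP routes a second block toward the ASA's outside address 5.174.78.1 (the block itself is shown as the documentation prefix 203.0.113.0/29, a placeholder), that the original /29 stays on the outside interface, and illustrative interface, object and ACL names. The second block is not an overlap of the outside subnet, so the error Pete describes does not occur.

```cisco
! Added example, not the OP's configuration. 203.0.113.0/29 stands in for
! the routed block the ISP provides; names are illustrative.
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.248
!
! DMZ hosts use 203.0.113.2-203.0.113.6 with default gateway 203.0.113.1.
object network DMZ-PUBLIC
 subnet 203.0.113.0 255.255.255.248
!
! Only needed if an earlier rule (for example a catch-all dynamic PAT for
! the inside LAN) would otherwise match DMZ traffic: identity NAT keeps the
! public addresses unchanged on the way out.
nat (dmz,outside) source static DMZ-PUBLIC DMZ-PUBLIC
!
! Inbound policy: with no translation the ACL simply names the public hosts.
access-list OUTSIDE-IN extended permit tcp any object DMZ-PUBLIC eq 80
access-group OUTSIDE-IN in interface outside
!
! Verification (exec mode):
!   packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.2 80
!   show route
```

Because the DMZ hosts now share one routed segment, ws1 and ws2 reach each other directly by their public addresses without crossing the ASA, so no hairpin NAT rule is needed and the ASA only inspects traffic that actually enters or leaves the DMZ.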
 

Author Comment

by:Flevoict
ID: 40111354
I've requested that this question be closed as follows:

Accepted answer: 0 points for Flevoict's comment #a40111183

for the following reason:

Not a real solution but it works.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40111355
The solution offered in my posts is a working solution. That you chose a different solution does not automatically mean our answers are not correct and therefore should not be rewarded, right?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40119295
I suggest accepting ID: http:#a39820076 as the answer.
0
