Solved

ASA 5515 with public IP's inside DMZ

Posted on 2014-01-27
Last Modified: 2014-06-07
Dear Cisco experts,

I'm searching for almost two days now and I can't find an example config for what I want. Maybe one of you can point me in the right direction.

We have a brand new ASA 5515 (software version 8.6) that we want to set up with NAT networks and a DMZ where the servers that are in the DMZ zone use public IP's and not static NAT.

Our ISP supplied us with a /29 public IP range. They won't give us anything smaller. The first address of the range will be used on the outside interface, the rest of the Public IP's will be assigned to servers in the DMZ zone or Static NAT's. To clarify I have attached a layout drawing.

We already figured out the NAT networks and static NAT. We only need help with the DMZ part.

Any help would be appreciated. Even an answer if our setup won't work with an explanation what we must do to let it work. The most important for us is that we can assign public IP's without NAT to our servers in the DMZ.
[Attachment: Layout.jpg]

Question by: Flevoict
 
Expert Comment by: Pete Long (LVL 57)
On your diagram you say you want traffic from the DMZ NOT to be NATted.
This won't work.

Because if your outside IP is 5.174.78.1, as soon as you try to allocate another IP in this range to the DMZ interface it will throw you an error: the ASA cannot have two interfaces in overlapping networks. That's why you can't find any examples; try it if you don't believe me.

Pete
 

Author Comment by: Flevoict
Hi Pete,

When configuring I already tried it, and I believe you because I got the error.

But maybe you can point me in the direction of a solution.
 
Expert Comment by: Pete Long (LVL 57)
The solution is to set up a subnet on the DMZ, i.e. 10.1.2.0/24.

Set the DMZ IP to 10.1.2.254/24.

I don't know how many machines are in the DMZ, but I'll assume just one for now; we will call it webserver1.

Give webserver1 an IP address of 10.1.2.1/24 and make its default gateway 10.1.2.254.
Set up static NAT for 10.1.2.1 to 5.174.78.2.
Create an access list to allow traffic to the DMZ.

I've written a walkthrough here, but it's for ASA operating system 8.3 and earlier.

Pete
 

Author Comment by: Flevoict
Hi Pete,

I already tried the static NAT, and the reason why it isn't working for me is the following:

If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3, it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2, it fails.

Bas
 
Expert Comment by: Jordan Medlen (LVL 6)
A nasty workaround would be to add a static route, say something like the following...

route outside 5.174.78.2 255.255.255.255 5.174.78.1 1
route outside 5.174.78.3 255.255.255.255 5.174.78.1 1

Directly connected routes have an administrative distance of "0", and now you have routes to the other external addresses with an AD of 1. What will happen is that traffic between ws1 and ws2 will be routed out to the external gateway device of your ISP, then routed back to your firewall, where the traffic can be NAT'd properly and communications can flow. Just need to make sure that your ACLs are configured properly.
 

Author Comment by: Flevoict
Dear Jordan,

I tried your route commands with different variations, but it doesn't do what I want.

I've added a new drawing to this post; maybe you can help me in the right way with that.

Thanks in advance.
[Attachment: Layout-NEW.jpg]
 
Expert Comment by: Pete Long (LVL 57)
>> with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2 it fails

Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address, and vice versa?
 
Expert Comment by: Henk van Achterberg (LVL 12)
>> The static NAT I already tried and the reason why it isn't working for me is the following:
>> If I add an extra webserver (ws2) with IP 10.1.2.2/24 with a static NAT to 5.174.78.3 it's all OK for the outside. But if ws2 wants to connect to ws1 on the static NAT IP 5.174.78.2 it fails.

You can configure NAT on your ASA from dmz to dmz which will translate the 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface, because otherwise the return traffic will not go through the ASA.
 

Author Comment by: Flevoict
>> Put the ws1 address in the hosts file of ws2 with the 10.1.2.x IP address? and vice versa

Dear Pete,

I know this is an option, but only as a last resort. And some machines are dedicated applications and we don't have access to the hosts file.
 

Author Comment by: Flevoict
>> You can configure NAT on your ASA from dmz to dmz which will translate the 5.174.78.2 to an internal IP address. You should also change your source address to a pool or interface because otherwise the return traffic will not go through the ASA.

Dear Henk,

Can you give me a more detailed explanation?
 
Assisted Solution by: Henk van Achterberg (LVL 12)
Henk van Achterberg earned 500 total points
You want that:

When server-1 (10.1.2.1) wants to communicate with the external IP of server-2 (5.174.78.3), it will send its packets to the ASA.

At the ASA you need to configure a rule like this:

Original interface: dmz
Original source: dmz-network (10.1.2.0/24 I guess)
Original destination: 5.174.78.3
Original service: any

Translated interface: dmz
Translated source: interface
Translated destination: 10.1.2.2
Translated service: original

The rule looks like this:

nat (dmz,dmz) source static DMZ-LAN-Network interface destination static SERVER-2-WAN SERVER-2-LAN

With this rule the ASA will translate the destination address to the internal IP of server-2 and it will change the source to the IP address of the dmz interface. You need to change the source address because if you don't, server-2 will send its response directly to server-1. The ASA wants to see all (bidirectional) traffic, otherwise it will drop the connections. There is a way to avoid this by using the TCP State Bypass feature if you want the response from server-2 to go directly to server-1.

PeteL: It would be great if you could make an article on your website which explains how to use the NATted external IP addresses available on the "inside" with this NAT statement!
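The (dmz,dmz) rule above written out in full for the asker's 8.6 ASA, as an added example that is not Henk's, Cisco's or the asker's own configuration. It assumes Pete's addressing (dmz interface 10.1.2.254/24, server-1 at 10.1.2.1, server-2 at 10.1.2.2), reuses the object names from Henk's rule plus hypothetical SERVER-1-* objects for the reverse direction, and uses `source dynamic ... interface` (many-to-one PAT to the interface address) where Henk wrote `source static`; the `same-security-traffic` line is needed because the packet enters and leaves the same interface.

```text
! Added example, not the page's own config. Assumes dmz = 10.1.2.254/24,
! server-1 = 10.1.2.1 -> 5.174.78.2, server-2 = 10.1.2.2 -> 5.174.78.3.
! Hairpin traffic (in and out of "dmz") is dropped unless this is set:
same-security-traffic permit intra-interface

object network DMZ-LAN-Network
 subnet 10.1.2.0 255.255.255.0
object network SERVER-1-LAN
 host 10.1.2.1
object network SERVER-1-WAN
 host 5.174.78.2
object network SERVER-2-LAN
 host 10.1.2.2
object network SERVER-2-WAN
 host 5.174.78.3

! Twice NAT, dmz -> dmz: destination 5.174.78.x becomes the server's 10.1.2.x
! address, and the source is PATed to the dmz interface address so the server's
! reply is addressed to the ASA and comes back through it (no TCP State Bypass).
! "dynamic" (my assumption) is the many-to-one form for the interface address.
nat (dmz,dmz) source dynamic DMZ-LAN-Network interface destination static SERVER-2-WAN SERVER-2-LAN
nat (dmz,dmz) source dynamic DMZ-LAN-Network interface destination static SERVER-1-WAN SERVER-1-LAN

! The outside-facing static NATs the asker already has stay as they are, e.g.:
nat (dmz,outside) source static SERVER-1-LAN SERVER-1-WAN
nat (dmz,outside) source static SERVER-2-LAN SERVER-2-WAN

! Check: the trace should show a NAT phase with src 10.1.2.254 and dst 10.1.2.2
packet-tracer input dmz tcp 10.1.2.1 40000 5.174.78.3 80
```

Because twice NAT rules are matched top down, the (dmz,dmz) lines with a destination match must sit above any broader dmz rules without one.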
 

Accepted Solution by: Flevoict
Flevoict earned 0 total points
After a long argument with our provider we now have a routed subnet and we don't have to use NAT for the DMZ.
 

Author Comment by: Flevoict
I've requested that this question be closed as follows:

Accepted answer: 0 points for Flevoict's comment #a40111183

for the following reason:

Not a real solution but it works.
 
Expert Comment by: Henk van Achterberg (LVL 12)
The solution offered in my posts is a working solution. That you chose a different solution does not automatically mean our answers are not correct and therefore not rewarded, right?
 
Expert Comment by: Henk van Achterberg (LVL 12)
I suggest ID: http:#a39820076 to accept as answer.
