TechGuy_007 asked:
How to provide security from internet without NAT

I am going to be getting an entire class C public IP range from my ISP shortly. It is for use in a "lab" setting. It is desired that each computer will have its own public IP address like this, making the range necessary. But it also eliminates NAT from being used.

I'm familiar with setting up Cisco ASAs using NAT. But I am so confused as to how I would use/configure the ASA if it were not doing NAT?

I'm aware of transparent mode, but is this the only way? I don't like some of the shortcomings of this...

I don't understand how I can put a firewall after the ISP router but use that same /24 range on both the inside and outside interfaces of the router? That would just make it a switch?
David Johnson, CD replied:

That is all you need: a switch.
Put one of the /24 addresses on the outside, then create identity NAT statements for the /24 space. Depending on ASA version:
static (in,out) <public /24> <public /24> netmask
or the equivalent nat statement using the same public range for before and after NAT. Then apply whatever access list restrictions are required inbound on the outside.

There might be an objection from the ASA about translating the interface address, so it may be necessary to create the statics or NATs in smaller pieces. Assuming the ASA has .1 and the ISP has .2, then a .3/32 NAT, a .4/30, a .8/29, a .16/28 etc., or they can all be defined as /32 but that will require 252 entries.

Or, another way to have the whole /24 range available is to have the ISP use an RFC 1918 address range (10.x, 172.16-31.x or 192.168.x /30) combined with a static route for your /24, pointing to the private outside address of the ASA. The problem with this is you can't terminate VPN traffic at the ASA unless the ISP NATs another public address to the private outside interface address for you.
PS - with the first option (NAT /24 range to itself), make sure you have sysopt proxyarp inside enabled, so the ASA will respond to ARP for the inside clients, whose default gateway points to the ISP router address.
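The answer above describes splitting the public /24 into aligned pieces (.3/32, .4/30, .8/29, .16/28, ...) so the ASA's own interface address and the ISP router's address are left out of the identity NAT, and mentions both the pre-8.3 `static` form and the newer `nat` form. The script below is an added example (not code from the original answer, not a Cisco tool) that computes those pieces for the usable host range and renders one identity-NAT statement per piece in either syntax. It assumes a constructed documentation range 203.0.113.0/24 with the ASA on .1 and the ISP router on .2, interface names `inside`/`outside`, and object names of the form `LAB-...` (all of these are assumptions, not values from the page). Because it covers only the usable hosts .3 through .254 (the same 252 addresses the answer counts), the greedy split yields 13 blocks, the first four of which are exactly the ones listed in the answer.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values (RFC 5737 documentation range, not a real lab):
# the ISP hands out 203.0.113.0/24, the ASA outside interface holds .1 and
# the ISP router holds .2, mirroring the ".1 / .2" layout in the answer.
LAB_NET = "203.0.113.0/24"
ASA_OUTSIDE = "203.0.113.1"
ISP_ROUTER = "203.0.113.2"


def identity_nat_blocks(network: str, exclude: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Split the usable host range of `network` (network and broadcast
    addresses left out) into the fewest aligned CIDR blocks that skip every
    address in `exclude`.  Each block becomes one identity-NAT statement, so
    fewer blocks means fewer lines of ASA config."""
    net = ipaddress.ip_network(network, strict=True)
    skip = sorted({ipaddress.ip_address(a) for a in exclude})
    for addr in skip:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    blocks: List[ipaddress.IPv4Network] = []
    start = net.network_address + 1      # first usable host
    last = net.broadcast_address - 1     # last usable host
    for addr in skip:
        if addr > start:
            # Largest aligned blocks covering everything up to the excluded address.
            blocks.extend(ipaddress.summarize_address_range(start, addr - 1))
        if addr >= start:
            start = addr + 1
    if start <= last:
        blocks.extend(ipaddress.summarize_address_range(start, last))
    return blocks


def asa_identity_nat(blocks: Iterable[ipaddress.IPv4Network], inside: str = "inside",
                     outside: str = "outside", legacy: bool = False) -> List[str]:
    """Render one identity-NAT statement per block.  legacy=True emits the
    pre-8.3 `static` form quoted in the answer; otherwise an object plus a
    twice-NAT `source static X X` line, which maps the block to itself."""
    lines: List[str] = []
    for blk in blocks:
        first = str(blk.network_address)
        if legacy:
            lines.append(f"static ({inside},{outside}) {first} {first} netmask {blk.netmask}")
            continue
        name = f"LAB-{first.replace('.', '-')}_{blk.prefixlen}"   # assumed naming scheme
        lines.append(f"object network {name}")
        if blk.prefixlen == 32:
            lines.append(f" host {first}")
        else:
            lines.append(f" subnet {first} {blk.netmask}")
        lines.append(f"nat ({inside},{outside}) source static {name} {name}")
    return lines


def covers(blocks: Iterable[ipaddress.IPv4Network], addr: str) -> bool:
    """True if any generated block contains `addr` (used to confirm the ASA
    and ISP addresses are really left out of the translation)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in b for b in blocks)


if __name__ == "__main__":
    blocks = identity_nat_blocks(LAB_NET, [ASA_OUTSIDE, ISP_ROUTER])
    print(f"! {len(blocks)} blocks cover {sum(b.num_addresses for b in blocks)} hosts")
    for line in asa_identity_nat(blocks):
        print(line)
```

Run it as-is to get the 8.3+ object/NAT lines, or call `asa_identity_nat(blocks, legacy=True)` for the older `static` form. The generated statements only translate addresses to themselves; the inbound access list on the outside interface, and the proxy-ARP point made in the answer, still have to be configured separately.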
TechGuy_007 replied:
Thank you for the comments! I knew I would have to use proxy arp somehow based on what I've been reading...

Let me ask you this now: is it possible to use a layer 3 switch to accomplish this? I could use an ASA but it would require at least a 5512 as the connection will be gigabit from the ISP. And I think this would be an unnecessary expense since I will need a switch anyway...

Thank you for your help!
What is wrong with NAT? Are there any issues with software running in the lab?

Simple one-to-one NAT will make your life easier.
pgolding00 replied (solution text not available on this page).
Thank you for the help!