How to provide security from internet without NAT

I am going to be getting an entire class C public IP range from my ISP shortly. It is for use in a "lab" setting. It is desired that each computer will have its own public IP address like this, making the range necessary. But it also eliminates NAT from being used.

I'm familiar with setting up Cisco ASAs using NAT. But I am so confused as to how I would use/configure the ASA if it were not doing NAT?

I'm aware of transparent mode, but is this the only way? I don't like some of the shortcomings of this...

I don't understand how I can put a firewall after the ISP router but use that same /24 range on both the inside and outside interfaces of the router? That would just make it a switch?

David Johnson, CD, MVP (Owner) commented:
that is all you need is a switch
put one of the /24 addresses on the outside, then create identity nat statements for the /24 space. depending on asa version:
static (in,out) <public /24> <public /24> netmask
or the equivalent nat statement using the same public range for before and after nat. then apply whatever access list restrictions are required inbound on the outside.

there might be an objection from the asa about translating the interface address, so it may be necessary to create the statics or nats in smaller pieces. assuming asa has .1 and isp has .2, then a .3/32 nat, a .4/30, a .8/29, a .16/28 etc, or they can all be defined as /32 but that will require 252 entries.

or, another way to have the whole /24 range available is to have the isp use an rfc1918 address range (10.x, 172.16-31.x or 192.168.x /30) combined with a static route for your /24, pointing to the private outside address of the asa. problem with this is you can't terminate vpn traffic at the asa unless the isp nats another public address to the private outside interface address for you.
ps - with the first option (nat /24 range to itself), make sure you have sysopt proxyarp inside enabled, so the asa will respond to arp for the inside clients, whose default gateway points to the isp router address.
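The answer above splits the public /24 into non-overlapping pieces (.3/32, .4/30, .8/29, .16/28, ...) so that the ASA's own outside address and the ISP router address are left out of the identity NAT. The script below is an added example, not code from the thread or from Cisco: it computes that minimal set of CIDR blocks with the standard library and renders both the pre-8.3 "static" form quoted in the answer and an assumed-equivalent 8.3+ object/twice-NAT form. The range 203.0.113.0/24 (an RFC 5737 documentation block) and the .1/.2 assignments are constructed assumptions standing in for the lab's real range.

```python
"""Added example (not from the Experts Exchange thread or from Cisco):
compute the identity-NAT "pieces" of a public /24 that skip the ASA outside
address and the ISP router address, and print the matching ASA statements.

Constructed assumptions (none of these values come from the thread):
  - 203.0.113.0/24, an RFC 5737 documentation block, stands in for the lab range
  - offset .1 is the ASA outside interface and .2 the ISP router, as in the answer
"""
import ipaddress


def identity_nat_blocks(public_range, reserved_offsets=(1, 2)):
    """Return the minimal list of CIDR blocks covering the public range minus
    the network address and the reserved host offsets (ASA and ISP router).

    The covering blocks run up to and including the broadcast address: mapping
    that address to itself is harmless and saves a trailing /32 entry.
    """
    net = ipaddress.ip_network(public_range, strict=True)
    excluded = {net.network_address}
    excluded |= {net.network_address + off for off in reserved_offsets}
    blocks = []
    run_start = prev = None
    for addr in net:                      # iterates .0 .. .255 in order
        if addr in excluded:
            if run_start is not None:     # close the current contiguous run
                blocks.extend(ipaddress.summarize_address_range(run_start, prev))
                run_start = None
            continue
        if run_start is None:
            run_start = addr
        prev = addr
    if run_start is not None:
        blocks.extend(ipaddress.summarize_address_range(run_start, prev))
    return blocks


def asa_nat_lines(blocks, real_ifc="inside", mapped_ifc="outside", legacy=True):
    """Render one identity-NAT statement (real == mapped) per block.

    legacy=True  -> pre-8.3 'static' syntax, the form quoted in the answer
    legacy=False -> assumed 8.3+ equivalent: a network object per block plus a
                    'nat (real,mapped) source static OBJ OBJ' twice-NAT rule
    """
    lines = []
    for i, block in enumerate(blocks):
        if legacy:
            lines.append(f"static ({real_ifc},{mapped_ifc}) {block.network_address} "
                         f"{block.network_address} netmask {block.netmask}")
        else:
            name = f"LAB-PIECE-{i}"          # hypothetical object name
            lines.append(f"object network {name}")
            lines.append(f" subnet {block.network_address} {block.netmask}")
            lines.append(f"nat ({real_ifc},{mapped_ifc}) source static {name} {name}")
    return lines


if __name__ == "__main__":
    pieces = identity_nat_blocks("203.0.113.0/24")
    print(f"{len(pieces)} blocks cover the range instead of one /32 per host:")
    for line in asa_nat_lines(pieces):
        print(line)
    print("\n8.3+ style:")
    for line in asa_nat_lines(pieces, legacy=False):
        print(line)
```

For the default inputs the script yields seven blocks (.3/32, .4/30, .8/29, .16/28, .32/27, .64/26, .128/25), which is the sequence the answer starts to enumerate. The NAT rules only make the addresses reachable; the inbound access list applied on the outside interface, as the answer notes, is still what does the filtering.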
TechGuy_007 (Author) commented:
Thank you for the comments! I knew I would have to use proxy arp somehow based on what I've been reading...

Let me ask you this now: is it possible to use a layer 3 switch to accomplish this? I could use an ASA but it would require at least a 5512 as the connection will be gigabit from the ISP. And I think this would be an unnecessary expense since I will need a switch anyway...

Thank you for your help!
what is wrong with NAT? are there any issues with software running in the lab?

simple one to one NAT will make your life easier
yes it's possible to route such a connection with a layer 3 switch, but then the hosts will be exposed to the internet with no protection. where will the firewalling come from? depending on the hosts it may be possible to firewall directly on each host, but the overhead of maintaining 250 firewalled hosts ... is that what you really want?

ios firewall, in the case of a cisco layer 3 switch, could be used, but keep in mind that a switch has very little buffer ram compared to a router. that's why routers cost more. the memory is needed to handle the address translation, session state tracking, protocol inspection etc of the firewall, as well as buffering between the lan and wan. if there are 250 gig connected hosts and only 1g isp service, there's a good chance that there will be plenty of buffering required.

TechGuy_007 (Author) commented:
Thank you for the help!