Any ideas how this can be done on an ASA? There was a SonicWall in place but it just died and we do not have a replacement besides this ASA. The 24.172.x.132 is a spam filter and I can't change the IP address. It needs to be able to access one server in the LAN.
-
What are the subnet masks of the two 24.172 nets? Are the firewall and spam filter on the same or different subnets? – Bittrance Dec 19 '11 at 23:40
-
They are on the same subnet – evolvd Dec 19 '11 at 23:48
-
Does the firewall need to.. firewall for the DMZ host? Or can it be basically a switched connection? – Shane Madden Dec 20 '11 at 05:59
-
it can just be a switched connection – evolvd Dec 20 '11 at 13:28
-
What model of ASA - how many ports? – dunxd Dec 20 '11 at 15:58
3 Answers
A traditional DMZ would have a firewall between the DMZ and the internet, and one between the DMZ and the inside network. You can do this all on an ASA, but it depends on the model and licensing.
Internet
--------- Firewall
DMZ (with your spam filter)
--------- Firewall
Inside network
You could make that first firewall a software one, running on the spam-filter server.
So you could have the server on the Internet network as far as the ASA is concerned. If you have spare ports on your ASA you could just assign one to the outside network (so you have two) and connect your spam server to that. Then create a firewall rule allowing traffic from the spam-filter server into your inside network as required. If you don't have a spare port, you will need a switch before the ASA.
You could get more fancy using a DMZ vlan on the ASA itself, and use the ASA to firewall the spam-filter, and the inside network. This is probably the closest to what your Sonicwall was doing.

Effectively the same. You should mark your answer as accepted (and probably update it to say what you did so in future people can benefit from what you learned) :-) – dunxd Dec 22 '11 at 10:22
-
Yup, I was waiting for time limit to pass so I can accept my own answer. – evolvd Dec 22 '11 at 13:31
Would the solution be to put a switch after the modem and connect both the ASA and the spam filter to the switch, then put an ACL in place to allow data from the filter to the internal network?

I am not sure if this will work for you - but I have a cloud spam filter that can talk to my internal Exchange server, so it seems like a similar situation.
I have an incoming access rule that permits the source 24.172.x.132 to talk to the destination x.x.x.x (outside ip of your server) for the service smtp.
Then I have a static NAT rule on the outside interface for the source 192.x.x.x (inside ip of your server) for service smtp with the address x.x.x.x (outside ip of your server)
example:
  access rule (outside):
    source: 24.172.x.132
    destination: server-outside-ip
    service: smtp
    action: permit
  NAT rule:
    type: static
    destination: none
    source: server-inside-ip
    service: smtp
    interface: outside

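The accepted answer (switch in front of the ASA, an ACL letting the filter reach one internal host) and the access-rule/NAT-rule pair in the answer above come out to the same ASA configuration. The block below is an added example written for this page, not configuration from any of the posters. All addresses are assumptions: 203.0.113.0/24 stands in for the page's 24.172.x.0 block, 203.0.113.132 for the spam filter at 24.172.x.132, 203.0.113.133 for a spare public address mapped to the mail server, and 192.168.1.25 for the mail server on the inside network. Interface names (Ethernet0/1, vlan 2) are the defaults of an ASA 5505 and are also assumptions.

```cisco
! Added example, not from the original posts. ASA 8.2 syntax; the 8.3+ form is at the end.
! Assumed addresses (stand-ins for the page's 24.172.x.0 network):
!   203.0.113.132  hosted spam filter (the page's 24.172.x.132)
!   203.0.113.133  spare public IP published for the mail server
!   192.168.1.25   mail server on the inside network
!
! Topology: modem -> switch -> { spam filter, ASA outside }. The filter lives on the
! outside L2 segment, so to the ASA it is simply another Internet host.
! On a 5505 the "switch" can be a second switchport placed in the outside VLAN
! (default: Ethernet0/0 is in vlan 2 = outside, the remaining ports in vlan 1 = inside):
interface Ethernet0/1
 switchport access vlan 2
!
! 1. Static one-to-one NAT: public .133 <-> inside mail server.
static (inside,outside) 203.0.113.133 192.168.1.25 netmask 255.255.255.255
!
! 2. Only the spam filter may reach the published address, and only on TCP/25.
!    Anything else inbound falls through to the implicit deny at the end of the ACL.
access-list outside_access_in extended permit tcp host 203.0.113.132 host 203.0.113.133 eq smtp
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later: object NAT, and the ACL references the real (inside) address ---
! object network mailserver-inside
!  host 192.168.1.25
!  nat (inside,outside) static 203.0.113.133
! access-list outside_access_in extended permit tcp host 203.0.113.132 object mailserver-inside eq smtp
! access-group outside_access_in in interface outside
```

Two caveats a practitioner should check before pasting this in. First, the "spare port in the outside network" trick only works on the 5505, whose ports are switchports; on the 5510 and larger models each port is a routed interface and the ASA refuses a second interface with an address in the outside subnet, so there the external switch from the accepted answer is the only option. Second, if no spare public address exists in the block, publish the server on the ASA's own outside address instead: `static (inside,outside) tcp interface smtp 192.168.1.25 smtp netmask 255.255.255.255` on 8.2, or `nat (inside,outside) static interface service tcp smtp smtp` under the object on 8.3+. Either way, verify the rule pair with `packet-tracer input outside tcp 203.0.113.132 12345 203.0.113.133 25` and confirm the final phase reports ALLOW, then repeat with a source address other than the filter's and confirm DROP.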