
I'm trying to set up a Cisco ASA 5520 as the main entry point for our datacenter setup. This setup includes:

  • Three private networks (management, SAN and backup) that are used in a cloud server configuration
  • One publicly accessible /26 subnet, both used for customer servers and the cloud server configuration

So the networks are defined as:

Subnet        80.50.100.64/26
ISP Gateway   80.50.100.65

Management    10.10.10.0/24
SAN           10.20.20.0/24
Backup        10.30.30.0/24

There are currently some customer servers already online, using a Catalyst 3548XL to connect them to the internet. The current situation looks like this:

ISP Uplink ---> Cisco Catalyst 3548XL  
                   |--> Customer servers on /26 subnet, using ISP gateway
                   |--> Cisco ASA 5520 (80.50.100.66 on outside intf, routing to ISP gateway)
                         |--> Management: 10.10.10.1 --> Dell 7024 Gigabit stack
                         |--> SAN: 10.20.20.1 --> Dell 7024 Gigabit stack
                         |--> Backup: 10.30.30.1 --> Dell 7024 Gigabit stack

What I'm trying to achieve is to place the Catalyst behind the ASA, so the ISP uplink is connected to the ASA and the /26 subnet is connected to an 'inside' port behind the ASA (what I think is a DMZ setup?). Preferably still using the ISP gateway (.65) as the internet gateway for the /26 subnet, so I won't have to contact my customers to update their network configurations. If I understand the documentation correctly this should only be possible using a transparent firewall setup, but as the ASA doesn't support a mix of transparent and routed security contexts and I definitely need a routed configuration for my private networks, this should be hard to achieve. But please correct me if I'm wrong.

Currently the only solution seems to be to introduce the ASA as an additional hop, making it the gateway for the /26 subnet. I'm completely clueless how to set this up though, and I'm really hoping someone can give me some pointers on how to achieve this.

The desired setup would look like this:

ISP Uplink ---> Cisco ASA 5520 (80.50.100.66 on outside intf, routing to ISP gateway (.65))
                  |--> Public subnet (Don't know what the IP config should be)
                  |        |--> Cisco Catalyst 3548XL
                  |                 |--> Customer servers on /26 subnet (Gateway = ?)
                  |                 |--> Cloud setup public connections (Gateway = ?)
                  |
                  |--> Management: 10.10.10.1 --> Dell 7024 Gigabit stack
                  |--> SAN: 10.20.20.1 --> Dell 7024 Gigabit stack
                  |--> Backup: 10.30.30.1 --> Dell 7024 Gigabit stack

I thought a solution would be to set the ASA outside to 80.50.100.66 with netmask 255.255.255.252, and the public inside interface to 80.50.100.67 with the rest of the /26 subnet, but the ASA won't let me do this as the subnets would overlap, so now I'm stuck!

Remco Overdijk

1 Answer

To be able to have the /26 "inside" the ASA, you need a linknet (probably a /30) where your ISP's router and the ASA communicate. One option, however, is to use 1:1 NAT in case you can't easily get such a linknet.

A customer of mine has a /19 network, so I have made 100.100.0.0/30 a linknet, and anything besides that (100.100.1-31.0/24 etc.) is behind the ASA, further divided into multiple /24's, /29's, /30's etc., each residing in its own VLAN.

So my best advice is to ask your provider for a linknet, and put your /26 behind the ASA - or simply use 1:1 NAT (which in my opinion is not as flexible, and will create more potential configuration and thus more problems when transitioning to IPv6).

To achieve 1:1 NAT, set up an interface (or subinterface) with an RFC1918 CIDR (for example 10.40.40.0/24) and let the ASA have one address (usually .1 or .254). Place all DMZ hosts into this subnet, with the ASA IP as default gateway. Depending on what Cisco ASA OS version you're running, the command for NAT differs drastically. But the idea is to do static NATing for each and every one of the unused public IPs to internal counterparts.

example:

10.40.40.2 static NAT to 80.50.100.67
10.40.40.3 static NAT to 80.50.100.68
10.40.40.4 static NAT to 80.50.100.69
3molo
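As an added illustration of the two designs in the answer above (the linknet with the /26 routed behind the ASA, and the 1:1 static NAT fallback), here is an ASA configuration fragment. It is not 3molo's text or Cisco's documentation. The interface names, the 192.0.2.0/30 linknet (a placeholder; the real one comes from the ISP), the object names, the permitted ports, the single management interface shown, and the assumption that the ASA takes over 80.50.100.65 so the customers' existing gateway keeps working are all assumptions made for the example.

```cisco
! Added example, not from the answer or from Cisco. Pick ONE option.
!
! ===== Option A: linknet, ISP routes 80.50.100.64/26 to the ASA =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! ASA side of the /30 linknet (192.0.2.0/30 is a placeholder)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif public
 security-level 50
 ! Assumption: the ASA takes the old ISP gateway address, so customer
 ! servers keep 80.50.100.65 as their default gateway unchanged
 ip address 80.50.100.65 255.255.255.192
!
interface GigabitEthernet0/2
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Default route points at the ISP side of the linknet (placeholder)
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! No NAT statement is needed for the /26: on ASA 8.3 and later, traffic
! that matches no NAT rule is forwarded untranslated.
!
! Inbound policy: allow only the published services, deny and log the rest
access-list outside_in extended permit tcp any 80.50.100.64 255.255.255.192 eq 80
access-list outside_in extended permit tcp any 80.50.100.64 255.255.255.192 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! ===== Option B: 1:1 static NAT, no linknet available =====
! The outside interface keeps 80.50.100.66/26 with the ISP's .65 as gateway;
! the ASA proxy-ARPs for the mapped addresses, so the ISP needs no new route.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 80.50.100.66 255.255.255.192
!
route outside 0.0.0.0 0.0.0.0 80.50.100.65
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ! RFC1918 DMZ from the answer; hosts use 10.40.40.1 as their gateway
 ip address 10.40.40.1 255.255.255.0
!
! ASA 8.3 and later: one network object with object NAT per host
object network srv-10-40-40-2
 host 10.40.40.2
 nat (dmz,outside) static 80.50.100.67
object network srv-10-40-40-3
 host 10.40.40.3
 nat (dmz,outside) static 80.50.100.68
object network srv-10-40-40-4
 host 10.40.40.4
 nat (dmz,outside) static 80.50.100.69
!
! ASA 8.2 and earlier: the same mappings use the old static command instead
! static (dmz,outside) 80.50.100.67 10.40.40.2 netmask 255.255.255.255
! static (dmz,outside) 80.50.100.68 10.40.40.3 netmask 255.255.255.255
! static (dmz,outside) 80.50.100.69 10.40.40.4 netmask 255.255.255.255
!
! On 8.3+ the inbound ACL matches the real (untranslated) address, hence
! the object reference rather than the public IP
access-list outside_in extended permit tcp any object srv-10-40-40-2 eq 443
access-list outside_in extended permit tcp any object srv-10-40-40-3 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

The two options differ in where the public addresses live: in Option A the hosts carry their real /26 addresses and the ISP must route the /26 to the linknet (the point 3molo makes in the first comment), while in Option B the hosts carry private addresses and every public address that should be reachable needs its own static mapping plus an ACL entry, which is the extra configuration the answer warns about.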
  • Probably needless to say, but your provider must route the /26 to your ASA's linknet IP. :-) – 3molo Apr 17 '12 at 09:32
  • Thanks for your quick reply! What would this NAT 1:1 setup look like? Create a static NAT rule for each and every public IP behind the ASA? And what should the gateway IP be for the 1:1 NAT'd hosts? If that would work I can move on for now, as requesting a linknet would take at least a week, if at all possible with this ISP. – Remco Overdijk Apr 17 '12 at 09:38
  • Updated the answer, let me know what version and I'll refer you to the documentation, and possibly add examples. – 3molo Apr 17 '12 at 11:14
  • Ah, I thought that you meant what some people refer to as a "double NAT" or "no NAT" config with the 1:1 NAT, meaning that you static NAT the external IP inside to itself outside. A mythical construct which is supposed to work, but I haven't had much luck with it. Having internal IPs assigned to the machines which are later NAT'd to their external counterpart is no option for me, due to the way OnApp (our cloud platform) works, so the linknet seems the only option at this point, which I have already requested from the ISP. Question answered, thanks for your help! – Remco Overdijk Apr 18 '12 at 08:27