
I am running an ASA 5506 (9.6). I have two IP ranges, 1.35.133.88/29 and 1.35.135.176/29. I have set up the routes in my router. I have an outside interface with 1.35.133.90 and a DMZ interface with 1.35.135.178.

Below you can find the configuration:

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 1.35.133.90 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet1/4
 nameif dmz
 security-level 50
 ip address 1.35.135.178 255.255.255.248 
!

object network DMZInternet
 subnet 1.35.135.176 255.255.255.248

access-list outside_access_in extended permit icmp any any log debugging 
access-list outside_access_in extended permit ip any host 1.35.135.179 log debugging 
access-list outside_access_in extended permit icmp any object DMZInternet

object network EdgeServer
 nat (dmz,outside) static 1.35.135.179

access-group outside_access_in in interface outside
access-group nonat in interface dmz
access-group global_access global

route outside 0.0.0.0 0.0.0.0 1.35.133.89 1
route inside 192.168.0.0 255.255.255.0 10.0.0.2 1
route outside 0.0.0.0 0.0.0.0 1.35.133.93 tunneled

I want to use public IP addresses on the hosts, but I cannot figure out why it is failing. If I run a ping command from my Cisco C881 router, it does not retrieve the public IP address through the ASA.

What am I doing wrong here?

hertitu
user29815

2 Answers


OK, I have found the cause of all the issues. The ISP routed the 2nd IP range to their WAN address instead of to the internal ASA gateway.

user29815
  • 101
  • 3

If you're trying to have a DMZ server respond to a public IP via NAT, you could set up proxy ARP and configure an ARP entry against the MAC of the outside interface - something like:

arp outside 1.35.135.179 <mac-of-outside-interface> alias (assuming that IP is the one you are trying to publish).

You can then NAT the object to your DMZ server IP address.

You might also want to clear the arp cache on your router to hurry things along.

mso215

I do not want to use NAT. I have my gateway address of my 2nd IP range allocated to the DMZ interface. I can internally already communicate from DMZ Server IP to Outside IP Address, etc. But I want to make sure that incoming from Outside to DMZ? – user29815 Dec 07 '16 at 13:34
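For completeness, this is what the NAT approach from the answer above looks like on ASA 8.3 or later. It is an added example, not the answer's or the poster's configuration, and it assumes the edge server sits on a private DMZ subnet at 10.0.1.10 (the posted config uses a public DMZ subnet, so this only applies if the DMZ is re-addressed).

```cisco
! Real (untranslated) address of the edge server; assumed for this example.
object network EdgeServer
 host 10.0.1.10
 ! Publish it as 1.35.135.179 towards the outside interface.
 nat (dmz,outside) static 1.35.135.179
!
! On 8.3+ the ACL references the real address (the object), not the mapped one.
access-list outside_access_in extended permit tcp any object EdgeServer eq https
access-group outside_access_in in interface outside
```

The ASA already answers ARP on the mapped interface for static NAT mapped addresses (proxy ARP is on by default and is disabled per rule with `no-proxy-arp`), so the manual `arp ... alias` entry is normally unnecessary. More importantly, 1.35.135.179 is not in the outside subnet 1.35.133.88/29: an ARP-based approach only works if the upstream router believes the second /29 is on-link, whereas a route for 1.35.135.176/29 pointing at 1.35.133.90 works regardless of NAT and is the fix the accepted answer describes.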