New to Cisco here, and wanting to know if an idea is possible with my ASA 5506-X (version 9.5).
The ASA has a public/external IP that (for example) is z.z.z.3. Currently, it is performing SNAT for my internal LAN, handling site-to-site VPNs, etc. (I believe in Cisco terms it's called PAT.)
I have another machine that we'll call Host X. It also has a public IP (z.z.z.4) on the same subnet as the ASA. The diagram below shows how things are currently set up.
My question is:
Can I have the ASA be a firewall for Host X with the restrictions below?
- Host X must keep it's public IP (I have no admin access to Host X)
- I have additional empty physical interfaces on the ASA.
- The ASA must be able to continue doing source NAT for the internal LAN so they have access to the Internet.
- The ASA must keep it's current external IP address so it can continue being a terminating point for the site-to-site VPNs (not pictured).
That way I can lock down access to Host X with ASA access-lists rather than rely on Host X's firewall. I know this sort of thing would be easy with Linux, but I can't quite wrap my head around how the ASA should be configured.
Best Answer
Yes, ASA can be firewall for another public IP.
Write a specific route for host_x on the router pointing towards firewall and similarly change the default gateway on host_x to point to the firewall IP z.z.z.3
Also, you need to enable the command
same-security-level intra-interface trafficcommand on the firewall.This way, you can control the traffic going to and fro by the access-list defined on interface connecting to the switch on the firewall.
I know changing default gateway in the host_x requires admin access. I think all the scenarios require changing the default gateway on host_x.