Firewall – Public subnet configuration on a Cisco ASA 5520

Tags: cisco-asa, firewall, routing, subnet

I'm trying to set up a Cisco ASA 5520 as the main entry point for our datacenter setup.
This setup includes:

  • Three private networks (management, SAN and backup) that are used in a cloud server configuration
  • One publicly accessible /26 subnet, both used for customer servers and the cloud server configuration

So the networks are defined as:

Subnet        80.50.100.64/26
ISP Gateway   80.50.100.65

Management    10.10.10.0/24
SAN           10.20.20.0/24
Backup        10.30.30.0/24

There are currently some customer servers already online, using a Catalyst 3548XL to connect them to the internet.
The current situation looks like this:

ISP Uplink ---> Cisco Catalyst 3548XL  
                   |--> Customer servers on /26 subnet, using ISP gateway
                   |--> Cisco ASA 5520 (80.50.100.66 on outside intf, routing to ISP gateway)
                         |--> Management: 10.10.10.1 --> Dell 7024 Gigabit stack
                         |--> SAN: 10.20.20.1 --> Dell 7024 Gigabit stack
                         |--> Backup: 10.30.30.1 --> Dell 7024 Gigabit stack

What I'm trying to achieve is to place the Catalyst behind the ASA, so the ISP uplink is connected to the ASA and the /26 subnet is connected to an 'inside' port behind the ASA (what I think is a DMZ setup?). Preferably still using the ISP gateway (.65) as the internet gateway for the /26 subnet, so I won't have to contact my customers to update their network configurations. If I understand the documentation correctly this should only be possible using a transparent firewall setup, but as the ASA doesn't support a mix of transparent and routed security contexts and I definitely need a routed configuration for my private networks, this should be hard to achieve. But please correct me if I'm wrong.

Currently the only solution seems to be to introduce the ASA as an additional hop, making it the gateway for the /26 subnet. I'm completely clueless how to set this up though, and I'm really hoping someone can give me some pointers on how to achieve this.

The desired setup would look like this:

ISP Uplink ---> Cisco ASA 5520 (80.50.100.66 on outside intf, routing to ISP gateway (.65))
                  |--> Public subnet (Don't know what the IP config should be)
                  |        |--> Cisco Catalyst 3548XL
                  |                 |--> Customer servers on /26 subnet (Gateway = ?)
                  |                 |--> Cloud setup public connections (Gateway = ?)
                  |
                  |--> Management: 10.10.10.1 --> Dell 7024 Gigabit stack
                  |--> SAN: 10.20.20.1 --> Dell 7024 Gigabit stack
                  |--> Backup: 10.30.30.1 --> Dell 7024 Gigabit stack

I thought a solution would be to set the ASA outside to 80.50.100.66 with netmask 255.255.255.252, and the public inside interface to 80.50.100.67 with the rest of the /26 subnet, but the ASA won't let me do this as the subnets would overlap, so now I'm stuck!

Best Answer

To be able to have the /26 "inside" the ASA, you need a linknet (probably a /30) where your ISP's router and the ASA communicate. One option, however, is to use 1:1 NAT in case you can't easily get such a linknet.

A customer of mine has a /19 network, so I have made 100.100.0.0/30 a linknet, and anything besides that (100.100.1.0/24 through 100.100.31.0/24, etc.) is behind the ASA, further divided into multiple /24's, /29's, /30's etc., each residing in its own VLAN.

So my best advice is to ask your provider for a linknet, and put your /26 behind the ASA - or simply use NAT 1:1 (which in my opinion is not as flexible, and will create more configuration and thus more potential problems when transitioning to IPv6).

To achieve NAT 1:1, set up an interface (or subinterface) with an RFC 1918 CIDR (example 10.40.40.0/24), and let the ASA have one address (usually .1 or .254). Place all DMZ hosts into this subnet, with the ASA IP as default gateway. Depending on what Cisco ASA OS version you're running, the command for NAT differs drastically. But the idea is to do a static NAT for each and every one of the unused public IPs to its internal counterpart.

example:

10.40.40.2 static NAT to 80.50.100.67
10.40.40.3 static NAT to 80.50.100.68
10.40.40.4 static NAT to 80.50.100.69
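The 1:1 NAT layout the answer describes, written out as an ASA configuration. This is an added example, not the answerer's own configuration: the interface slots (GigabitEthernet0/0 and 0/1), the nameifs outside and dmz, the security levels, the object names and the choice of TCP 443 as the exposed service are assumptions; the addresses are the ones used in the question and answer. The main listing is ASA 8.3+ syntax; the pre-8.3 equivalent is given in the trailing comments because, as the answer warns, the NAT commands changed drastically between those releases.

```cisco
! Added example (not from the original answer): 1:1 NAT on an ASA 5520, 8.3+ syntax.
! Interface slots, nameifs, security levels, object names and the exposed
! service (TCP 443) are assumptions; the addresses come from the thread.
!
! Outside stays on the ISP's /26 exactly as it is today, default route via .65
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 80.50.100.66 255.255.255.192
!
! DMZ: RFC 1918 subnet behind the ASA. The Catalyst 3548XL and the customer
! servers plug in here and use 10.40.40.1 as their default gateway.
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.40.40.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 80.50.100.65 1
!
! One object per DMZ host; the nat line inside the object is "auto NAT".
! The ASA answers ARP on outside for each mapped address (proxy ARP is on by
! default for static NAT), which is why .67/.68/.69 stay reachable from the
! ISP router without the ISP changing any routing.
object network dmz-host-2
 host 10.40.40.2
 nat (dmz,outside) static 80.50.100.67
object network dmz-host-3
 host 10.40.40.3
 nat (dmz,outside) static 80.50.100.68
object network dmz-host-4
 host 10.40.40.4
 nat (dmz,outside) static 80.50.100.69
!
! DMZ hosts without a public address of their own share the outside IP (PAT).
! Static entries are evaluated before dynamic ones, so the 1:1 hosts are unaffected.
object network dmz-net
 subnet 10.40.40.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Static NAT only translates; traffic from a lower to a higher security level
! is still dropped until an ACL permits it. On 8.3+ the ACL matches the REAL
! (10.40.40.x) address, not the mapped public one.
access-list outside_in extended permit tcp any object dmz-host-2 eq 443
access-list outside_in extended permit tcp any object dmz-host-3 eq 443
access-list outside_in extended permit tcp any object dmz-host-4 eq 443
access-group outside_in in interface outside
!
! Pre-8.3 equivalent of the same mapping (different commands, and here the
! ACL matches the MAPPED address instead of the real one):
!   static (dmz,outside) 80.50.100.67 10.40.40.2 netmask 255.255.255.255
!   static (dmz,outside) 80.50.100.68 10.40.40.3 netmask 255.255.255.255
!   static (dmz,outside) 80.50.100.69 10.40.40.4 netmask 255.255.255.255
!   global (outside) 1 interface
!   nat (dmz) 1 10.40.40.0 255.255.255.0
!   access-list outside_in extended permit tcp any host 80.50.100.67 eq 443
!   access-group outside_in in interface outside
```

Two practical checks after applying this: `show xlate` should list one static translation per 1:1 host, and `show arp` on the ISP router (or a `ping` from outside to .67) confirms the ASA is proxy-ARPing for the mapped addresses. The linknet option the answer prefers needs none of the NAT above: outside would carry the /30 address the ISP assigns, the dmz interface would carry an address from the /26 with the /26 mask, and the ACL alone would control access. Giving the dmz interface .65 in that case would let the customers keep their current gateway; that is an inference from the question, not something the answer states, and it only works once the ISP has actually moved .65 off its own router.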