
I'm a part-time sysadmin for a small hosting company with currently 20 different public servers. We have a /27 subnet block that gives us a maximum of 30 usable IP addresses. That much I know, but how do I maximize the number of IPs I can use for the DMZ on our Cisco ASA (5510)?

The outside interface of the ASA needs one of the public IPs, right? Can I assign the rest of the IPs to the DMZ interface without NATing? I have read the "DMZ subnet: to NAT or not to NAT?" question and realize that NATing isn't bad, but I would prefer to create a subnet with the public IP addresses on the DMZ interface. I just don't see how I can do that without wasting IP addresses ... Sorry for asking a probably trivial question.

More background info: We are about to switch ISP (to reduce the bandwidth cost), which will reduce our public IP range from a /25 subnet block to a /27 subnet block. The old setup was simple, but wasted IP addresses. Now I need to be more careful, and my networking skills aren't really adequate.

hansfn

1 Answer


Your ISP is probably going to give you a single public IP on their network for the outside interface of your ASA and then route your /27 to that IP. If you're going to need every single IP address for servers in your DMZ, I would suggest using a /26 private network on your DMZ interface, using the first IP as your default gateway, and then NATing the top half of that subnet to your public IP space. For example, using 192.168.1.0/26, your ASA interface would be 192.168.1.1 and your servers would be 192.168.1.32-192.168.1.63.
Then you would static NAT 192.168.1.32/27 to your public IP space like so:

static (DMZ,outside) x.x.x.x 192.168.1.32 netmask 255.255.255.224

resmon6
  • Thanks a lot for your reply. Unfortunately my ISP is not giving me a single public IP for my outside interface. My public subnet is x.y.z.192/27, so currently I'm using x.y.z.193 as the IP for the outside interface and I'm planning (manual) static NATing for the rest of the IPs. Is there a better way? – hansfn Mar 28 '12 at 08:43
  • In that case your only option to maximize IP usage is policy NAT to use a single IP for multiple services across different servers. This works similarly to port forwarding on your home router. – resmon6 Mar 28 '12 at 12:00
  • OK, I was a little unclear. I have assigned the complete public subnet to the outside interface and my ISP is routing to each separate IP - I have tested. In the test I used normal static NAT. So in this case there is no need for policy NAT, right? – hansfn Mar 28 '12 at 22:35
  • Correct. You only need policy NAT if you want to have different ports on a single public IP NAT to multiple servers in your DMZ. – resmon6 Mar 29 '12 at 12:14
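To see how many public addresses the plan in the answer actually leaves for servers once the whole /27 sits on the outside interface (as described in the comments), here is an added example that is not part of the original post or answer: it pairs each address in the top half of the 192.168.1.0/26 DMZ with the public address at the same offset, the way the netmask-style `static` does, then drops the pairs whose public side is the network address, the broadcast address or the ASA's own outside IP. The public block 203.0.113.192/27 stands in for x.y.z.192/27 and the function names are my own.

```python
"""Constructed example: static NAT map for the /26-DMZ plan in the answer."""
import ipaddress


def nat_map(public_net, outside_ip, dmz_net, inside_first):
    """Pair inside hosts with public addresses by offset (what a netmask
    static does), skipping public addresses that can never carry a host:
    the block's network and broadcast addresses and the ASA outside IP.
    Returns (mapping inside->public, skipped public->reason)."""
    public = ipaddress.ip_network(public_net)
    dmz = ipaddress.ip_network(dmz_net)
    start = ipaddress.ip_address(inside_first)
    outside = ipaddress.ip_address(outside_ip)
    if start not in dmz:
        raise ValueError("inside range must lie inside the DMZ subnet")
    mapping, skipped = {}, {}
    for offset in range(public.num_addresses):
        inside = start + offset
        pub = public.network_address + offset
        if inside not in dmz:  # ran off the end of the DMZ subnet
            break
        if pub == public.network_address:
            skipped[str(pub)] = "network address"
        elif pub == public.broadcast_address:
            skipped[str(pub)] = "broadcast address"
        elif pub == outside:
            skipped[str(pub)] = "ASA outside interface"
        else:
            mapping[str(inside)] = str(pub)
    return mapping, skipped


def static_lines(mapping, inside_if="DMZ", outside_if="outside"):
    """Render one pre-8.3 'static' per host (the syntax used in the answer,
    mapped address first, real address second) with a host mask, so the
    unusable public addresses never appear in the configuration."""
    return ["static (%s,%s) %s %s netmask 255.255.255.255"
            % (inside_if, outside_if, pub, inside)
            for inside, pub in mapping.items()]


if __name__ == "__main__":
    # Constructed values: 203.0.113.192/27 stands in for the x.y.z.192/27
    # block, .193 is the outside interface as in the comments above.
    hosts, unusable = nat_map("203.0.113.192/27", "203.0.113.193",
                              "192.168.1.0/26", "192.168.1.32")
    print("%d public addresses usable for servers" % len(hosts))
    for pub, why in unusable.items():
        print("skipped %s: %s" % (pub, why))
    print("\n".join(static_lines(hosts)))
```

The count comes out at 29, not 30: the outside interface consumes one of the 30 usable addresses, and the inside hosts 192.168.1.32, .33 and .63 are the ones left without a public partner.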