ASA 5510 - Routable Addr's for DMZ?

Discussion in 'Cisco' started by Scott Davis, Apr 2, 2006.

  1. Scott Davis

    Scott Davis Guest

    Hi, Folks.

    I've got a 2600 that's a little overwhelmed. CPU goes to 100% when you
    put any NAT'd traffic through it.

    I'm thinking about replacing it with an ASA 5510. Currently, my DMZ has
    valid/routable IP addr's. 3 distinct blocks, /26, another /26 and a /28.

    My questions are:

    1) Can I assign routable IP addresses to the DMZ on the ASA 5510.. and
    set up ACLs to provide firewall functionality.. NO NAT..?

    2) Can I assign multiple netblocks to the DMZ interface? (i.e. like
    'secondary' addresses?)


    Thanks very much, everyone!

    -- Scott.

    (email replies would be appreciated)
     
    Scott Davis, Apr 2, 2006
    #1

  2. Hi Scott,

    1) Yes, the ASA can have routable IP addresses assigned to its DMZ
    interface, no problem. There is even a new option that tells the ASA to
    actually do no NAT at all (allow un-NATted traffic).
    2) No, not directly. The ASA can only have one single IP address assigned to
    an interface. There is a possibility though. You could set up multiple,
    logical, firewalls within one single ASA box and let each one have its own
    DMZ interface using a different IP block. The physical DMZ interface can
    then be shared by all logical firewalls. Personally I wouldn't prefer such a
    setup and would go for a setup with NAT where you define static translations for
    the public IP addresses on the outside to your addresses on the DMZ.

    Erik

    "Scott Davis" <> wrote in message
    news:6vFXf.16774$!nnrp1.uunet.ca...
    > Hi, Folks.
    >
    > I've got a 2600 that's a little overwhelmed. CPU goes to 100% when you
    > put any NAT'd traffic through it.
    >
    > I'm thinking about replacing it with an ASA 5510. Currently, my DMZ has
    > valid/routable IP addr's. 3 distinct blocks, /26, another /26 and a /28.
    >
    > My questions are:
    >
    > 1) Can I assign routable IP addresses to the DMZ on the ASA 5510.. and
    > set up ACLs to provide firewall functionality.. NO NAT..?
    >
    > 2) Can I assign multiple netblocks to the DMZ interface? (i.e. like
    > 'secondary' addresses?)
    >
    >
    > Thanks very much, everyone!
    >
    > -- Scott.
    >
    > (email replies would be appreciated)
     
    Erik Tamminga, Apr 2, 2006
    #2
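
An added example for question 1, not taken from either post: an ASA 7.x configuration with one routable /26 directly on the DMZ interface and filtering done by ACL only. It assumes the option mentioned in the reply is the `nat-control` setting; the interface numbers, ACL name, hosts and addresses (documentation ranges) are constructed.

```cisco
! Constructed example for ASA 7.x software. All addresses are documentation
! ranges standing in for the real blocks.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ! One routable /26 sits directly on the DMZ interface (one address per interface).
 ip address 192.0.2.1 255.255.255.192
 no shutdown
!
! Assumption: this is the "do no NAT at all" option mentioned in the reply.
! With NAT control off, traffic that matches no NAT rule passes untranslated.
no nat-control
!
! Filtering is by ACL only: permit the published services, log and drop the rest.
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.11 eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! The upstream router must route 192.0.2.0/26 to 203.0.113.2 for return traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The explicit `deny ip any any log` makes dropped inbound attempts visible in syslog; the implicit deny at the end of an ACL drops the same traffic silently.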