2

I'm a part-time sysadmin for a small hosting company with currently 20 different public servers. We have a /27 subnet block that gives us a maximum of 30 usable IP addresses. That much I know, but how do I maximize the number of IPs I can use for the DMZ on our Cisco ASA (5510)?

The outside interface of the ASA needs one of the public IPs, right? Can I assign the rest of the IPs to the DMZ interface without NATing? I have read the "DMZ subnet: to NAT or not to NAT?" question and realize that NATing isn't bad, but I would prefer to create a subnet with the public IP addresses on the DMZ interface. I just don't see how I can do that without wasting IP addresses ... Sorry for asking a probably trivial question.

More background info: We are about to switch ISP (to reduce the bandwidth cost), which will reduce our public IP range from a /25 subnet block to a /27 subnet block. The old setup was simple, but wasted IP addresses. Now I need to be more careful, and my networking skills aren't really adequate.

hansfn
  • 195

1 Answer

0

Your ISP is probably going to give you a single public IP on their network for the outside interface of your ASA and then route your /27 to that IP. If you're going to need every single IP address for servers in your DMZ, I would suggest using a /26 private network on your DMZ interface, using the first IP as your default gateway and then NATing the top half of that subnet to your public IP space. For example, using 192.168.1.0/26, your ASA interface would be 192.168.1.1 and your servers would be 192.168.1.32-192.168.1.63.
Then you would static NAT 192.168.1.32/27 to your public IP space like so:

static (DMZ,outside) x.x.x.x 192.168.1.32 netmask 255.255.255.224
resmon6
  • 1,372
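To check the net-to-net static NAT the answer describes before committing it, here is an added Python example (not from the answer or from Cisco) that computes the one-to-one private-to-public mapping for the answer's 192.168.1.0/26 DMZ layout and flags the private addresses that cannot host a server because they are the network or broadcast address of the DMZ interface subnet. The public block 203.0.113.0/27 is a constructed stand-in for the answer's x.x.x.x, and the interface name DMZ is taken from the answer's config line.

```python
import ipaddress


def static_nat_map(private_block, public_block, dmz_network):
    """Return (mapping, unusable) for a net-to-net static NAT.

    mapping  : private address -> public address, in the same offset order an
               ASA 'static (DMZ,outside) <public> <private> netmask <mask>'
               line applies.
    unusable : private addresses inside the NATed block that are the network
               or broadcast address of the DMZ interface subnet, so the public
               address mapped to them is effectively lost.
    """
    priv = ipaddress.ip_network(private_block, strict=True)
    pub = ipaddress.ip_network(public_block, strict=True)
    dmz = ipaddress.ip_network(dmz_network, strict=True)
    if priv.prefixlen != pub.prefixlen:
        raise ValueError("net-to-net static NAT needs equal-sized blocks")
    if not priv.subnet_of(dmz):
        raise ValueError("NATed block must lie inside the DMZ subnet")
    mapping = {}
    unusable = []
    # Iterating a network yields every address, including network/broadcast,
    # which is what a netmask-based static NAT covers.
    for offset, pub_addr in enumerate(pub):
        priv_addr = priv[offset]
        mapping[str(priv_addr)] = str(pub_addr)
        if priv_addr in (dmz.network_address, dmz.broadcast_address):
            unusable.append(str(priv_addr))
    return mapping, unusable


def nat_line(inside_if, outside_if, private_block, public_block):
    """Render the ASA static NAT line in the form used in the answer."""
    priv = ipaddress.ip_network(private_block, strict=True)
    pub = ipaddress.ip_network(public_block, strict=True)
    return "static (%s,%s) %s %s netmask %s" % (
        inside_if, outside_if, pub.network_address,
        priv.network_address, pub.netmask)


if __name__ == "__main__":
    # Constructed values: answer's DMZ layout plus a documentation-range /27.
    mapping, unusable = static_nat_map("192.168.1.32/27", "203.0.113.0/27",
                                       "192.168.1.0/26")
    print(nat_line("DMZ", "outside", "192.168.1.32/27", "203.0.113.0/27"))
    for priv_addr, pub_addr in mapping.items():
        note = "  (unusable: DMZ broadcast)" if priv_addr in unusable else ""
        print("%s -> %s%s" % (priv_addr, pub_addr, note))
    print("usable server addresses:", len(mapping) - len(unusable))
```

With the answer's layout, 192.168.1.63 is the broadcast address of the /26, so 31 of the 32 NATed addresses can carry a server.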