
Different subnet per interface - static routes required?

Status
Not open for further replies.

hgate73
IS-IT--Management
Feb 22, 2008
I have an ASA 5510 with a WAN connection to the outside world.

Currently it looks like this:

[Internet]
|
[ASA]
|
192.168.x subnet
|
[NAT device]
|
172.16.x subnet

My plan is to move both subnets to their own interface on the ASA and remove the second NAT device.

The 192.168.x subnet will be the DMZ with security-level 50.
The 172.16.x subnet will be LAN with security-level 100.

Both will be Dynamic NAT'd (PAT) to the outside.

My questions:
1. Do I need to add static routes for the local subnets, or will those be automatically added? This is on a production network so the changeover has to be seamless.
2. I assume I will need to set up a firewall rule for DMZ mail server to access the LAN, is this correct?
3. Are there any considerations (NAT/Firewall/etc) for this that I haven't considered?
Cisconooblet
My questions:
1. Do I need to add static routes for the local subnets, or will those be automatically added? This is on a production network so the changeover has to be seamless.

Once you set up the interface (add IP, VLAN, etc.) and the interface becomes active (up/up), it will automatically add a connected route. No static route needed.

2. I assume I will need to set up a firewall rule for DMZ mail server to access the LAN, is this correct?

I can't test this because my little 5505 doesn't have the licensing to allow another interface to have a traffic flow with my inside network. However, if your inside is set at 100 and the DMZ to 50, I would think that would be fine to access the DMZ from the inside network. I'm a newb though, so get a better answer on that. It is possible. Shouldn't be hard either way. Your logs will tell you for sure.

3. Are there any considerations (NAT/Firewall/etc) for this that I haven't considered? Can't think of any.

CCNA, BCNE, Security+, Network +
hgate73

Thank you, Cisconooblet.

We'll have a 'green' network and a 'blue' network which access the mail server in the DMZ. I understand Green and Blue will be able to initiate connections to the server and the ASA will allow the return traffic.

Our Domain Controller and samba file server are residing in Green, however, so I will need to allow traffic from Blue --> Green for file transfer and login information. Is this correct? Will I need a NAT rule or just a firewall rule?

Thank you again.

Stubnski
--> Do I need to add static routes for the local subnets, or will those be automatically added? This is on a production network so the changeover has to be seamless.

Depends on if you use a routing protocol or if your inside interface is set up as subinterfaces. Also, if you have a network that is different from the ASA's inside interface, then you will need a route to that network. Example - ASA interface is 192.x.x.x, inside networks consist of 172.x.x.x and 192.x.x.x. You will need a route to the 172.x.x.x network.

--> I assume I will need to set up a firewall rule for DMZ mail server to access the LAN, is this correct?

Correct. Any lower security interface will need ACLs to access a higher security interface. Plus, you want to secure the inside interface from all other interfaces.

--> Are there any considerations (NAT/Firewall/etc) for this that I haven't considered?

Test every NAT / ACL before going live with the config, if possible. Remember to back up your old config before making any changes and know how to restore to an old config if things go bad.


Stubnski
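To put the three answers in this thread side by side (connected routes appear on their own, a static route is only needed for a network that is not directly attached, and lower-to-higher security traffic needs an ACL), here is an added ASA configuration fragment; it is an illustration written for this page, not config from the original poster or the repliers. It assumes the pre-8.3 NAT syntax that matches the ASA releases of the time, the DMZ on Ethernet0/1 as 192.168.1.0/24 with the mail server at 192.168.1.10, the LAN on Ethernet0/2 as 172.16.1.0/24 with the domain controller at 172.16.1.20, and a second LAN segment 172.16.2.0/24 reachable through an internal router at 172.16.1.2; all of these addresses are placeholders.

```cisco
! Added example, not the thread's own config. Assumed ASA 7.x/8.0 (pre-8.3) syntax.
! Assumed addresses: DMZ 192.168.1.0/24 (mail server .10), LAN 172.16.1.0/24
! (domain controller .20), second LAN 172.16.2.0/24 behind router 172.16.1.2.
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! No "route" lines are needed for 192.168.1.0/24 or 172.16.1.0/24: the ASA adds a
! connected route for each as soon as the interface is up/up. Only a network that is
! NOT directly attached needs a static route (here, the segment behind the inside router).
route inside 172.16.2.0 255.255.255.0 172.16.1.2 1
!
! Dynamic PAT of both internal interfaces to the outside interface address.
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
nat (dmz) 1 192.168.1.0 255.255.255.0
!
! Identity (address-unchanged) translation between inside and dmz. Hosts that match
! "nat (inside) 1" but have no global on the dmz interface would otherwise be dropped
! with "no translation group found", so inside -> dmz traffic needs this static.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
!
! inside (100) -> dmz (50) is allowed by the security levels alone.
! dmz (50) -> inside (100) is denied until an ACL permits it: open only what the mail
! server needs toward the domain controller (assumed here: SMB, LDAP and Kerberos),
! log anything else aimed at the LAN, and keep the DMZ's outbound path, because
! applying an ACL replaces the implicit permit to lower-security interfaces.
access-list dmz_in extended permit tcp host 192.168.1.10 host 172.16.1.20 eq 445
access-list dmz_in extended permit tcp host 192.168.1.10 host 172.16.1.20 eq 389
access-list dmz_in extended permit tcp host 192.168.1.10 host 172.16.1.20 eq 88
access-list dmz_in extended permit udp host 192.168.1.10 host 172.16.1.20 eq 88
access-list dmz_in extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0 log
access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After applying it, "show route" should list the two connected routes plus the one static, and the dmz_in hit counts in "show access-list" confirm which mail-server flows are actually being used before going live.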