ASA5520 Static NAT?

  • ASA5520 Static NAT?

    Hi All,

    hXXp: //

    Above you'll see the situation. Right now I am still not allowed to post pictures, so I'll post the link.
    I have 2 LANs and 2 DMZs, each network with its own IP range and on its own interface connected to my ASA 5520.

    Now, a challenge for me is to add a DMZ 3. The ASA 5520 only has 4 interfaces. Those 4 interfaces are all configured with their own IP, which is different from the IP that is intended for DMZ 3.

    I did some research, and someone told me I could use static NAT?
    Is it something like this:
    static (inside,outside) Public IP Local IP netmask

    I can't find a real solution, and I have been looking for quite some time now.... I hope someone can help me with this issue!

    Thanx in advance!


  • #2
    Re: ASA5520 Static NAT?

    From a scalability and security perspective (each application in its own DMZ), I would suggest converting to sub-interfaces on one of the ASA physical interfaces.

    NOTE: This solution would require a switch capable of supporting VLANs and TRUNKING. Basically, you connect each DMZ server to one of the switchports, then change the switchport to the corresponding VLAN and TRUNK the uplink switchport to the ASA physical interface.

    An example of how I implemented this on my ASA using a Cisco switch.

    interface GigabitEthernet0/2
     description Physical Connection to TRUNKED PORT on Switch, G0/11
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/2.2
     description Virtual Interface for Web Server DMZ
     vlan 2
     nameif dmz-web
     security-level 50
     ip address 
    interface GigabitEthernet0/2.3
     description Virtual Interface for Email DMZ
     vlan 3     
     nameif dmz-email
     security-level 51
     ip address 
    interface GigabitEthernet0/2.4
     description Virtual Interface for DNS DMZ
     vlan 4     
     nameif dmz-dns
     security-level 52
     ip address
    ...and on the switch
    interface GigabitEthernet0/11
     description Trunked connection to ASA - DMZ Interface (G0/2)
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 2,3,4
     switchport mode trunk
    interface GigabitEthernet0/5
     description Connection to WEB Server in DMZ
     switchport access vlan 2
     spanning-tree portfast
    interface GigabitEthernet0/6
     description Connection to EMAIL Server in DMZ
     switchport access vlan 3
     spanning-tree portfast
    interface GigabitEthernet0/7
     description Connection to DNS Server in DMZ
     switchport access vlan 4
     spanning-tree portfast
    Finally, you would add the corresponding static nat entry for each DMZ. Something like:

    outside -> dmz-web - ->
    outside -> dmz-email - ->
    outside -> dmz-dns - ->
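    A consistency check for the layout described in this answer (ASA VLAN sub-interfaces on one physical port, a dot1q trunk on the switch), added here as an example and not the poster's own configuration. It parses constructed sample configs modelled on the ones above (addresses omitted, as in the post), assumes a plain allowed-VLAN list on the trunk, and reports DMZ VLANs pruned from the trunk, VLANs carried by the trunk that the ASA does not terminate, and sub-interfaces missing nameif or security-level.

```python
import re

# Constructed sample in the shape of the post's configs; not the thread's own config.
ASA_CONFIG = """\
interface GigabitEthernet0/2
 no nameif
interface GigabitEthernet0/2.2
 vlan 2
 nameif dmz-web
 security-level 50
interface GigabitEthernet0/2.5
 vlan 5
 nameif dmz-new
"""
SWITCH_CONFIG = """\
interface GigabitEthernet0/11
 switchport trunk allowed vlan 2-4,10
"""
def asa_subinterfaces(cfg):
    # Map VLAN id -> {nameif, security-level} for each dotted (VLAN) sub-interface.
    subs, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {} if re.search(r"\.\d+$", line) else None  # physical port: skip
        elif cur is not None:
            key, _, val = line.strip().partition(" ")
            if key == "vlan":
                subs[int(val)] = cur
            elif key in ("nameif", "security-level"):
                cur[key] = val
    return subs

def trunk_allowed_vlans(cfg):
    # Expand an IOS allowed-VLAN list such as "2-4,10" (assumed: no add/all/none keywords).
    spec = re.search(r"switchport trunk allowed vlan (\S+)", cfg).group(1)
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit(asa_cfg, switch_cfg):
    # Every DMZ VLAN must ride the trunk, the trunk should carry nothing extra,
    # and a sub-interface without nameif/security-level never passes traffic.
    subs, allowed = asa_subinterfaces(asa_cfg), trunk_allowed_vlans(switch_cfg)
    findings = [f"vlan {v} ({subs[v].get('nameif')}) is pruned from the trunk"
                for v in sorted(set(subs) - allowed)]
    findings += [f"vlan {v} rides the trunk but has no ASA subinterface"
                 for v in sorted(allowed - set(subs))]
    findings += [f"vlan {v} subinterface lacks {k}" for v, s in sorted(subs.items())
                 for k in ("nameif", "security-level") if k not in s]
    return findings
```

Run it against both running-configs after every DMZ change; an empty list means the ASA and switch agree.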


    • #3
      Re: ASA5520 Static NAT?

      Thanx for your very clear answer!
      Let me explain the network a bit further.

      From our ASA 5520, a trunk runs to a Cisco 3560. On this 3560, private VLANs are defined. Every interface is in a private VLAN.

      The previous situation was exactly the situation you described. However, we set up 30 VLANs back then. As a result, for a reason unknown, the CPU load of the firewall increased enormously. The throughput on the interfaces decreased to 5KB! Like I said, I didn't know the exact cause, but this was the reason we chose private VLANs.