Having more than one subnet on the outside interface

Unanswered Question

I have an ASA5505 connected to one ISP router. The ISP has given me two different subnets instead of just one (nothing to do about it).

Subnet 1: 87.54.x.x/29

Subnet 2: 195.41.x.x/29

I have some static NAT's on the 87.54.x.x addresses and that is working fine. I have tried to create on static NAT on a 195.41.x.x interface. When i connect to the server i get the following error in the log: Deny TCP reverse path check from 87.54.x.x to 195.41.x.x on interface outside.

I have a 0.0.0.0 route on the outside interfacing to the ISP router on the 87.54.x.x network.

The problem is that althoug i have configured ACL's for the traffic for the 195.41.x.x address it does not seem to work proberly, i suspect that the ASA protects the network (and is telling me this with the Deny TCP path check log entry) but i need traffic in to my network.

Do i need to create a route to the 195.41.x.x network or do I need to add the 195.41.x.x IP address as a secondary ip address on the outside interface.

Thanks

\Lars

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pengfang Sat, 01/19/2008 - 20:36

Hi,you have only one default gateway from ISP right? let's say it's 87.54.x.1/29, the other subnet can be ONLY used for your DMZ application, there's no way you have 2 public outside network can be static NATted to your same inside network.

If you have DMZ server, or VPN box you want to put on the DMZ, you can use no-nat to achieve this by the second IP subnet.

You can have 3 vlans for ASA 5505,for example

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 87.54.x.2 255.255.255.248

interface Vlan3

nameif dmz

security-level 50

ip address 195.41.x.1 255.255.255.248

access-list no_nat_dmz permit ip 195.41.x.0 255.255.255.248 any

nat (dmz) 0 access-list no_nat_dmz

At you DMZ server, configure default route point to 195.41.x.1, so you can access dmz box/server by the second ip subnet.

If it's a VPN box, you can put inside interface of VPN box in your 5505 vlan 1 - Inside network.

Don't forget allow related traffic destined to DMZ at ACL outside-access-in.

please rate if it helps,

Actions

This Discussion