Need Help on Firewall Configuration

mangesh.kamble
Level 1

Hi,

I am facing a few problems with my current external IP address configured on the outside interface of my ASA 5520. For some reason, when I use my external IP, e.g. x.x.x.12, I am not able to access a few websites, but my VPNs are working fine. But when I change it to x.x.x.14 my VPN connection of course goes down, but I am able to access all the sites which were not accessible using that IP. Please help me out; as I am running short of interfaces, whatever I have to do is on the same interface. I want x.x.x.12 for VPN connections and x.x.x.14 for Internet access. Can someone please help me in achieving the same?

Thanking you.

Regards,

Mangesh Kamble.

CCIE R&S

12 Replies

andrew.prince
Level 10

Mangesh,

Please post the sanitised config of the 5520 for review.

Sounds like there could be conflicts in the NAT statements.

Hi Andrew,

Thanks for your reply, but the scenario now is that I cannot take the risk of changing that IP back to x.x.x.14, with which everything is accessible but the VPN gets dropped.

I want something by which both of these IP addresses are active at the same time, and then I do some kind of filtering so that my Internet traffic goes out on x.x.x.14 and all other traffic goes on x.x.x.12.

Please help me out as it's urgent.

Thanking you.

Mangesh Kamble.

You need to do something like this:-

interface outside
 ip address x.x.x.12

global (outside) 1 x.x.x.14
nat (inside) 1 x.x.x.x y.y.y.y

x.x.x.x = inside IP subnet
y.y.y.y = subnet mask

The above will:-

1) Allow any remote VPN configured to connect on the .12 to keep working.

2) NAT any traffic from the inside to x.x.x.14 on its way onto the internet.

If you have internal services that are currently available from the internet via the .14 address, I suggest the below:-

static (inside,outside) x.x.x.14 z.z.z.z netmask w.w.w.w

z.z.z.z = internal server IP address
w.w.w.w = mask

Then write the ACL accordingly:-

access-list danger-in extended permit tcp any host x.x.x.14 eq 80
access-list danger-in extended permit tcp any host x.x.x.14 eq 443
access-list danger-in extended permit tcp any host x.x.x.14 eq 25

or whatever.

HTH

Hi Andrew,

Whatever you have suggested has already been configured for x.x.x.14, but now if I put this IP on the outside interface then my VPN connectivity goes down, as the VPN is configured for x.x.x.12, which they are not ready to change. So now what they want me to do is keep the outside interface with x.x.x.12 as it is so that the VPN connection is not affected. But they also want to make the IP x.x.x.14 active so that the Internet connection will run smoothly. They had a talk with one of the engineers about this and, as per him, it's very much possible, but he is asking them to raise a case for it and they are not ready for that, so they are asking me to do the same, or at least work on it and achieve it. Can you please help me out?

Thanking you.

Regards,

Mangesh Kamble.

Mangesh,

Please define "make ip x.x.x.14 active so that Internet connection will run smoothly" is this from the outside in or inside out?

Do they want internal traffic to be seen on the internet as x.x.x.14 OR do they want to have services available from the internet using x.x.x.14?

Hi Andrew,

Please define "make ip x.x.x.14 active so that Internet connection will run smoothly" is this from the outside in or inside out?

==== It's from outside-in. But I have not yet configured this IP address anywhere; that is what I wanted to know: how to configure 2 IP addresses on the same interface, or, just to say, how to make the IP x.x.x.14 active on the ASA?

Do they want internal traffic to be seen on the internet as x.x.x.14 OR do they want to have services available from the internet using x.x.x.14?

=== They want internet services available using x.x.x.14 and all other traffic using the other IP address.

Do you have multiple internal servers offering services to the internet? or is there just one server offering all services?

The above depends on the required config.

Hi Andrew,

So far just one server is present; for the time being that is it, though we may add another very soon. So please suggest accordingly, especially for the current scenario, on priority.

I hope by now you have understood my requirement.

Thanking you.

Regards,

Mangesh Kamble.

Mangesh,

OK, so based on the requirements above I would configure the below:-

static (inside,outside) x.x.x.14 y.y.y.y netmask 255.255.255.255

y.y.y.y = internal server IP address

access-list internet-services extended permit tcp any host x.x.x.14 eq 80
access-list internet-services extended permit tcp any host x.x.x.14 eq 25
access-list internet-services extended permit tcp any host x.x.x.14 eq 443

access-group internet-services in interface outside

When you have the other internal server running you will need to remove:-

static (inside,outside) x.x.x.14 y.y.y.y netmask 255.255.255.255

and replace it with:-

static (inside,outside) tcp x.x.x.14 80 y.y.y.y 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.14 25 y.y.y.z 25 netmask 255.255.255.255

y.y.y.y = first internal server
y.y.y.z = second internal server

HTH
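As an added example, not taken from this thread or from any Cisco tooling, here is a small Python checker for the pre-8.3 ASA pattern used in Andrew's two config posts above (global/nat for outbound PAT, static plus an inbound ACL to make a second public address answer on the same outside interface). It parses a constructed sample config written in documentation address ranges (203.0.113.0/28 and 192.168.1.0/24 stand in for the thread's x.x.x.12, x.x.x.14 and the inside subnet) and flags the conflicts a reviewer would look for: a static whose mapped address is the outside interface address itself (pre-8.3 syntax expects the `interface` keyword there), a static with no permit in the ACL bound inbound on outside, an ACL permit to a public address that nothing translates, and two statics claiming the same address and port. The function names `parse_config` and `check_config` and the sample config are assumptions of this example; the checks go slightly beyond the thread by covering port-redirect statics as well as one-to-one ones.

```python
"""Sanity-check pre-8.3 ASA static/ACL lines (hypothetical helper, not Cisco tooling)."""
import re
from collections import defaultdict

# Constructed sample in pre-8.3 ASA syntax; addresses are documentation ranges,
# not the thread's real x.x.x.12 / x.x.x.14. Three defects are planted on purpose.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.12 255.255.255.240
global (outside) 1 203.0.113.14
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 203.0.113.14 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.13 192.168.1.12 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 25 192.168.1.11 25 netmask 255.255.255.255
access-list internet-services extended permit tcp any host 203.0.113.14 eq 80
access-list internet-services extended permit tcp any host 203.0.113.14 eq 443
access-list internet-services extended permit tcp any host 203.0.113.15 eq 25
access-group internet-services in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (.+)$")
# Only the ACL shape used in the thread: 'any' source, 'host' destination, optional 'eq' port.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"any host (?P<dst>\S+)(?: eq (?P<port>\S+))?$"
)


def parse_config(text):
    """Collect interface addresses, statics, ACL entries and access-group bindings."""
    cfg = {"interface_ips": {}, "statics": [], "acl": [], "access_groups": [], "acl_names": set()}
    cur_name = cur_ip = None
    for line in text.splitlines() + ["interface END"]:  # sentinel flushes the last interface
        tok = line.split()
        if not tok:
            continue
        if line.startswith("interface "):
            if cur_name and cur_ip:
                cfg["interface_ips"][cur_name] = cur_ip
            cur_name = cur_ip = None
        elif line.startswith(" nameif "):
            cur_name = tok[1]
        elif line.startswith(" ip address "):
            cur_ip = tok[2]
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, rest = m.groups()
            t = rest.split()
            if t[0] in ("tcp", "udp"):   # port-redirect form: proto mapped mport real rport
                proto, mapped, mport, real = t[0], t[1], t[2], t[3]
            else:                        # one-to-one form: mapped real
                proto, mapped, mport, real = "ip", t[0], None, t[1]
            cfg["statics"].append(dict(real_if=real_if, mapped_if=mapped_if, proto=proto,
                                       mapped=mapped, mport=mport, real=real))
        elif m := ACL_RE.match(line):
            cfg["acl"].append(m.groupdict())
            cfg["acl_names"].add(m.group("name"))
        elif tok[0] == "access-group":   # access-group NAME in interface IFC
            cfg["access_groups"].append((tok[1], tok[4]))
    return cfg


def check_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    outside_ip = cfg["interface_ips"].get("outside")
    applied = {acl for acl, ifc in cfg["access_groups"] if ifc == "outside"}
    for acl in sorted(applied - cfg["acl_names"]):
        findings.append(f"access-group binds undefined ACL {acl} on outside")
    # Destination addresses that some inbound-on-outside ACL actually permits.
    permitted = {e["dst"] for e in cfg["acl"] if e["name"] in applied and e["action"] == "permit"}
    statics = [s for s in cfg["statics"] if s["mapped_if"] == "outside"]
    translated = {s["mapped"] for s in statics}
    for s in statics:
        if s["mapped"] == outside_ip:
            findings.append(f"static maps the outside interface address {outside_ip} literally; "
                            "pre-8.3 ASA expects the 'interface' keyword for that")
        if s["mapped"] not in permitted:
            findings.append(f"static for {s['mapped']} -> {s['real']} has no permit in an ACL "
                            "applied inbound on outside; inbound traffic hits the implicit deny")
    for dst in sorted(permitted - translated):
        findings.append(f"ACL permits inbound traffic to {dst} but no static translates it; "
                        "stale rule or missing static")
    seen = defaultdict(list)
    for s in statics:
        seen[(s["mapped"], s["proto"], s["mport"])].append(s["real"])
    for (mapped, proto, mport), reals in seen.items():
        if len(reals) > 1:
            findings.append(f"{mapped} {proto}/{mport or 'all'} is mapped to several real hosts: {reals}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it as a script to list the planted findings; feed `check_config` the output of `show running-config` (sanitised, as Andrew asked for) to review a real box. The checker deliberately ignores the `global`/`nat` pair: those only govern outbound PAT, while the inbound reachability of the second address rests entirely on the static and the ACL, which is exactly what Andrew's second post configures.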

Hi Andrew,

I do agree with what you say, but my problem is that I have configured x.x.x.12 on my outside interface; now how do I get x.x.x.14 active on the ASA, and how do I configure it (x.x.x.14) on the outside interface while keeping x.x.x.12 as it is? The configuration you describe is already present, but I need to make x.x.x.14 active without touching x.x.x.12; I cannot remove it from my outside interface.

Please help me out.

Thanking you.

Regards,

Mangesh Kamble.

Mangesh,

.14 is already active? The firewall is already listening for connections with a dst IP of .14?

What subnet mask is used on the outside interface?

If you have already configured the config I suggested - have you tested? have you debugged and checked the logs?

I suggest you read the below:-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml

Hi Andrew,

Thanks for your feedback. I will try this tomorrow and accordingly will get back to you.

Thanking you.

Regards,

Mangesh Kamble.
