08-27-2008 05:15 AM - edited 03-09-2019 09:21 PM
Hi,
I am facing a few problems with my current external IP address configured on the outside interface of my ASA 5520. For some reason, when I am using my external IP, e.g. x.x.x.12, I am not able to access a few websites, but my VPNs are working fine. But when I change it to x.x.x.14 my VPN connection of course goes down, but I am able to access all the sites which were not accessible using the other IP. Please help me out; as I am running short of interfaces, whatever I have to do has to be on the same interface. I want x.x.x.12 for VPN connections and x.x.x.14 for Internet access. Can someone please help me achieve this?
Thanking you.
Regards,
Mangesh Kamble.
CCIE R&S
08-27-2008 05:24 AM
Mangesh,
Please post the sanitised config of the 5520 for review.
Sounds like there could be conflicts in the NAT statements.
08-27-2008 06:01 AM
Hi Andrew,
Thanks for your reply, but the situation is that I cannot now take the risk of changing that IP back to x.x.x.14, with which everything is accessible but the VPN gets dropped.
I want something by which both of these IP addresses are active at the same time, and then I do some kind of filtering so that my Internet traffic goes out on x.x.x.14 and all other traffic goes on x.x.x.12.
Please help me out as it's urgent.
Thanking you.
Mangesh Kamble.
08-27-2008 06:09 AM
You need to do something like this:-
interface outside
ip address x.x.x.12
global (outside) 1 x.x.x.14
nat (inside) 1 x.x.x.x y.y.y.y
x.x.x.x = inside IP subnet
y.y.y.y = subnet mask
the above will:-
1) Allow any remote VPN configured to connect on the .12 will now work
2) Any traffic from the inside will be NATed to x.x.x.14 on its way out to the internet.
if you have internal services that are currently available from the internet via the .14 address - I suggest the below:-
! mapped (public) address first, then the real (internal) address
static (inside,outside) x.x.x.14 z.z.z.z netmask w.w.w.w
z.z.z.z = internal server IP address
w.w.w.w = mask
Then write the ACL accordingly:-
access-list danger-in extended permit tcp any host x.x.x.14 eq 80
access-list danger-in extended permit tcp any host x.x.x.14 eq 443
access-list danger-in extended permit tcp any host x.x.x.14 eq 25
or whatever
HTH>
08-27-2008 06:30 AM
Hi Andrew,
Whatever you have suggested has already been configured for x.x.x.14, but if I now put this IP on the outside interface then my VPN connectivity goes down, as the VPN is configured for x.x.x.12, which they are not ready to change. So now what they want me to do is keep the outside interface with x.x.x.12 as it is, so that the VPN connection is not affected. But they also want to make IP x.x.x.14 active so that the Internet connection will run smoothly. They had a talk with one of the engineers about this and, according to him, it is very much possible, but he is asking them to raise a case for it and they are not ready for that, so they are asking me to do it, or at least to work on it and achieve it. Can you please help me out?
Thanking you.
Regards,
Mangesh Kamble.
08-27-2008 06:36 AM
Mangesh,
Please define "make ip x.x.x.14 active so that Internet connection will run smoothly" is this from the outside in or inside out?
Do they want internal traffic to be seen on the internet as x.x.x.14 OR do they want to have services available from the internet using x.x.x.14?
08-27-2008 07:10 AM
Hi Andrew,
Please define "make ip x.x.x.14 active so that Internet connection will run smoothly" is this from the outside in or inside out?
==== It's from outside-in. But I have not yet configured this IP address anywhere; that is what I wanted to know: how to configure 2 IP addresses on the same interface, or, put simply, how to make IP x.x.x.14 active on the ASA?
Do they want internal traffic to be seen on the internet as x.x.x.14 OR do they want to have services available from the internet using x.x.x.14?
=== They want internet services available using x.x.x.14 and all other traffic using the other IP address.
08-27-2008 07:21 AM
Do you have multiple internal servers offering services to the internet? or is there just one server offering all services?
The above depends on the required config.
08-27-2008 07:26 AM
Hi Andrew,
So far there is just one server for the time being; we may add another very soon. So please suggest accordingly, especially for the current scenario, on priority.
I hope by now you have understood my requirement.
Thanking you.
Regards,
Mangesh Kamble.
08-27-2008 07:34 AM
Mangesh,
OK, so based on the above requirements I would configure the below:-
! static (real_ifc,mapped_ifc) mapped_ip real_ip: the public .14 comes first, then the internal server
static (inside,outside) x.x.x.14 y.y.y.y netmask 255.255.255.255
y.y.y.y = internal server ip address
access-list internet-services extended permit tcp any host x.x.x.14 eq 80
access-list internet-services extended permit tcp any host x.x.x.14 eq 25
access-list internet-services extended permit tcp any host x.x.x.14 eq 443
access-group internet-services in interface outside
When you have the other internal server running you will need to remove:-
static (inside,outside) x.x.x.14 y.y.y.y netmask 255.255.255.255
and replace with:-
! port-level statics: mapped address/port first, then real address/port
static (inside,outside) tcp x.x.x.14 80 y.y.y.y 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.14 25 y.y.y.z 25 netmask 255.255.255.255
y.y.y.y = first internal server
y.y.y.z = second internal server
HTH>
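The two replies above give the pieces separately; the following is an added example (not part of the thread, and not Cisco's own documentation) that puts them together into one pre-8.3 ASA configuration for the scenario under discussion: the interface keeps x.x.x.12 so the VPN peers are untouched, outbound traffic is PATed to x.x.x.14, and the one internal server is published on x.x.x.14 port by port. The public addresses x.x.x.12 and x.x.x.14 are the thread's own placeholders; the outside mask, the inside subnet 10.0.0.0/24, the server 10.0.0.10 and the interface names are constructed for illustration. Once x.x.x.14 appears in a global or static, the ASA answers ARP for it on the outside interface (proxy ARP, on by default), which is what "makes the address active" without putting it on the interface.

```cisco
! Added example for the thread's scenario; addresses below are placeholders/constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! The interface address stays .12 so existing VPN peers keep working.
 ip address x.x.x.12 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Outbound: every inside host leaves PATed to .14 rather than to the interface IP.
global (outside) 1 x.x.x.14
nat (inside) 1 10.0.0.0 255.255.255.0
!
! Inbound: port-level statics publish only the needed ports of the one server on .14
! (mapped address/port first, then real address/port). Port statics, unlike a
! one-to-one static, let .14 also serve as the PAT address above.
static (inside,outside) tcp x.x.x.14 80 10.0.0.10 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.14 443 10.0.0.10 443 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.14 25 10.0.0.10 25 netmask 255.255.255.255
!
! The statics alone open nothing from outside; the ACL bound to the outside
! interface decides what is reachable, so keep it to exactly the published ports.
access-list outside_in extended permit tcp any host x.x.x.14 eq 80
access-list outside_in extended permit tcp any host x.x.x.14 eq 443
access-list outside_in extended permit tcp any host x.x.x.14 eq 25
access-group outside_in in interface outside
```

To check it, `show nat` and `show xlate` should list the translations, and `packet-tracer input outside tcp 203.0.113.5 40000 x.x.x.14 80` (203.0.113.5 is a constructed documentation address) walks an inbound connection through the ACL and the static and reports where it would be dropped. A port not in the ACL is denied even though the static exists, which is the behaviour you want. Note that ASA 8.3 and later replaced nat/global/static with object NAT and ACLs there reference the real (internal) address, so this syntax applies to the 7.x/8.0-8.2 releases current when this thread was written.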
08-27-2008 08:05 AM
Hi Andrew,
I do agree what you say, but my problem is I have configured x.x.x.12 on my outside interface now how get x.x.x.14 active on ASA and how to configure it (x.x.x.14) on Outside interface with keeping x.x.x.12 as it is. The configuration you said is already present but I need to make my x.x.x.14 active without touching my x.x.x.12; I cannot remove it from my outside interface.
Please help me out.
Thanking you.
Regards,
Mangesh Kamble.
08-27-2008 08:10 AM
Mangesh,
.14 is already active? The firewall is already listening for connections with a dst IP of .14?
What subnet mask is used on the outside interface?
If you have already configured the config I suggested - have you tested? have you debugged and checked the logs?
I suggest you read the below:-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml
08-27-2008 08:22 AM
Hi Andrew,
Thanks for your feedback. I will try this tomorrow and accordingly will get back to you.
Thanking you.
Regards,
Mangesh Kamble.