Two public networks on ASA outside interface

Oct 3rd, 2008

Greetings, we have an MPLS network configured. The head office has a 10 Mbit Ethernet circuit coming into the HQ, which is split into two dot1q VLANs. This link terminates on a 3825 ISR.

The Internet VLAN is bridged from the router onto the outside interface of the firewall, which isn't a problem. However, the ISP has provided two address blocks:

A /30 for the dot1q VLAN Internet link, and a /28 for external business services such as SMTP.

Currently I have the /30 terminated on the outside of the firewall. If I set up NAT statements on the firewall for the /28 range and get the ISP to route the /28 network through the /30 network, would this work OK?

If configs are needed please let me know.

We were going to use a common gateway initially, but the customer wants both the firewall and the router connected to the internal network. At present the /30 is bridged onto f0/0/0, which connects to the outside of the ASA.

The other option I was considering was to assign the /30 address to g0/1.1001 (193.***.***.170 255.255.255.252), then assign the first available address in the /28 range to VLAN 1 and the next address in the /28 range to the outside of the firewall.

ASA

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 193.***.***.170 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 90
 ip address 10.171.41.252 255.255.255.0
!
route inside 10.170.0.0 255.255.255.0 10.171.41.1
route inside 10.171.0.0 255.255.255.0 10.171.41.1
! As posted, the default gateway prefix (195.***) differs from the outside
! interface's own prefix (193.***); the gateway has to be the ISP end of the same /30.
route outside 0.0.0.0 0.0.0.0 195.***.***.169

ISR

! Transparent bridging with "bridge-group 1" requires the bridge group to be
! defined globally; this line is not in the excerpt as posted.
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 no ip address
 media-type rj45
 negotiation auto
 speed auto
 duplex auto
!
interface GigabitEthernet0/0.1
 description Connection to Customer Internal LAN
 encapsulation dot1Q 1
 ip address 10.171.40.1 255.255.255.0
!
interface GigabitEthernet0/0.50
 description Connection to Customer Internal LAN
 encapsulation dot1Q 50
 ip address 10.170.40.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Connection to MPLS Circuit
 no ip address
 media-type rj45
 negotiation auto
 speed 10
 duplex full
!
interface GigabitEthernet0/1.1000
 description Connection to MPLS Network
 encapsulation dot1Q 1000
 ip address 172.18.255.2 255.255.255.252
!
interface GigabitEthernet0/1.1001
 description Connection to Internet (bridged through to the ASA, no IP on the router)
 encapsulation dot1Q 1001
 no ip address
 bridge-group 1
!
interface FastEthernet0/0/0
 description Connection to ASA outside interface
 speed 100
 duplex full
 bridge-group 1
!
interface FastEthernet0/0/1
 speed 100
 duplex full
!
interface FastEthernet0/0/2
 speed 100
 duplex full
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
 bridge-group 1
!
! Default route to the ASA inside interface, for MPLS remote-site-to-Internet
! traffic. As posted the next hop is 10.171.40.252, while the ASA inside
! interface above is 10.171.41.252/24; the next hop must sit on a subnet the
! router is directly connected to.
ip route 0.0.0.0 0.0.0.0 10.171.40.252
! Routes to all other remote sites via the PE
ip route 10.171.0.0 255.255.255.0 172.18.255.1
ip route 10.170.0.0 255.255.255.0 172.18.255.1

Regards

Correct Answer by suschoud, Fri, 10/03/2008 - 13:34

Currently I have the /30 terminated on the outside of the firewall. If I set up NAT statements on the firewall for the /28 range and get the ISP to route the /28 network through the /30 network, would this work OK?

YES.

The firewall would start proxy ARPing for the other subnet as soon as it is specified in NAT statements. If the ISP routes to the firewall for this other subnet, everything would work well.

Regards,

Sushil
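The design the question proposes and the answer confirms (ISP routes the /28 to the ASA's /30 address; the ASA translates into the /28), written out as an added configuration example. This is not the poster's or the answerer's config: the addresses are RFC 5737 documentation ranges standing in for the masked 193.***.***.x /30 and the unnamed /28, the mail server 10.171.41.25, the inside summary 10.0.0.0/8 and the ACL/object names are assumptions, and the ISP-side route is shown only to make the dependency explicit.

```text
! === ISP edge router (assumed, ISP-managed) ===
! The /28 is routed to the ASA, not placed on-link. The ISP router therefore
! only ever ARPs for 203.0.113.170 and forwards the whole /28 to that MAC;
! whether the ASA proxy-ARPs for the /28 addresses does not matter in this design.
ip route 198.51.100.16 255.255.255.240 203.0.113.170

! === ASA outside interface (same shape as the posted config, documentation prefix) ===
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.170 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 203.0.113.169

! === ASA 8.0/8.2 syntax (current when the thread was posted) ===
! Mapped addresses come from the /28, which is NOT the outside interface
! subnet. That is fine: the ASA treats an address as its own as soon as a
! static or global claims it.
! Outbound PAT for the inside users onto one /28 address
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 198.51.100.17
! Inbound static for the mail server (assumed host 10.171.41.25)
static (inside,outside) 198.51.100.18 10.171.41.25 netmask 255.255.255.255
! The static alone permits nothing inbound. Open only SMTP to the mapped
! address rather than "permit ip any host ...".
access-list outside_in extended permit tcp any host 198.51.100.18 eq smtp
access-group outside_in in interface outside

! === ASA 8.3 and later: same design with object NAT; note the ACL now
! === references the REAL (inside) address via the object, not the mapped one ===
object network inside-net
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic 198.51.100.17
object network mail-server
 host 10.171.41.25
 nat (inside,outside) static 198.51.100.18
access-list outside_in extended permit tcp any object mail-server eq smtp
access-group outside_in in interface outside

! === Checks from the ASA CLI ===
! Simulate an inbound SMTP connection from an arbitrary Internet host
! (192.0.2.5 is a constructed source). The trace should end in "allow" and
! show the destination un-translated to 10.171.41.25.
packet-tracer input outside tcp 192.0.2.5 40000 198.51.100.18 25
! A /28 address with no translation is routed to the ASA by the ISP but has
! nothing claiming it, so the trace should end in "drop".
packet-tracer input outside tcp 192.0.2.5 40000 198.51.100.20 25
! Active translations, to confirm 198.51.100.18 <-> 10.171.41.25 is built
show xlate
```

Use only one of the two NAT sections, matching the ASA version. The practical security point is the last check: because the ISP hands the whole /28 to the firewall, every address in it that is not explicitly claimed by a NAT statement is simply dropped, so adding a new public service is always a deliberate static-plus-ACL change rather than something that leaks through an on-link subnet.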
