secondary ip scenario...solution needed

Jan 13th, 2010

We currently have a Microsoft ISA server separating our internal network from the outside. The outside NIC has a secondary IP assigned to it, so for example purposes, let's say the outside interface primary is 1.1.1.1 and the secondary is 5.5.5.5. The interface connects to a router that also has secondary IP addressing. Currently, traffic can come into either range and the ISA server is set up for one-to-one NAT for both of these IP ranges, and it NATs it to an address on the inside subnet, 172.16.1.0. We need to replace our ISA with a hardware firewall solution. How would an ASA handle how the ISA is currently set up? Can it do secondary IP on the external interface, and if so, can it also handle NATing for both?

If not, can anyone offer any other solutions that don't involve having to purchase additional network equipment aside from the firewall itself? If the firewall is not capable of doing this off a single external interface, the only workaround I could think of was to add a 2nd NIC to the external router, and move the secondary IP to that new NIC. Then we could purchase an ASA that could have 2 external interfaces, one in each subnet, and connect them to their respective interfaces on the router. Would this solution work, and can an ASA 5505 perform this or would we need to look at a higher-end model? We want to get by with an inexpensive solution; we don't have the need for a high-end firewall, but if the low end has some sort of limitation for what we need to do, then we need to know which model will support our needs. Any insight would be appreciated.

Kureli Sankar Wed, 01/13/2010 - 06:34

The ASA firewall can do what you are intending to do.

You can configure globals and static addresses on the ASA for IPs that do not belong to the outside interface subnet.

If you have 1.1.1.x as the ASA's outside you can certainly have static like the following

static (i,o) 5.5.5.2 10.0.0.2

static (i,o) 1.1.1.2 10.0.2.2

and so on.

So long as the router on the outside can send traffic destined to these 5.5.5.x IP addresses towards the ASA's outside interface, it should work.

-KS

mjsully Wed, 01/13/2010 - 10:35

Thanks. Can the ASA 5505 handle this, or would I need to step up to a higher end model for this Nat scenario?

Also, wouldn't it still be easier if I just gave each subnet its own interface on the firewall, provided the router had an available port for the 2nd subnet? It seems the overall management, from both a firewall and router perspective, would be easier if we weren't utilizing the secondary IP scenario. I mean, as long as the firewall we purchase provides the capabilities, is there any reason not to split it to their own interfaces?

And if I did split it, given the interface limitation on the 5505, wouldn't I have to create unique "VLANs" for each of the outside interfaces? Would the switch that sits between the outside interface and the router's inside interface have to support VLANs, assuming it was a single switch? Or would I have to get a separate switch to handle the 2nd "outside" interface on the firewall?

I assume I'd just set the sec-level to 0 for both outside facing interfaces?

What's the recommended practice? Seeing how I have yet to purchase the hardware, now is the time for me to get it right.

thanks!

Jon Marshall Wed, 01/13/2010 - 10:51

mjsully wrote:

Thanks. Can the ASA 5505 handle this, or would I need to step up to a higher end model for this Nat scenario?

Also, wouldn't it still be easier if I just gave each subnet its own interface on the firewall, provided the router had an available port for the 2nd subnet? It seems the overall management, from both a firewall and router perspective, would be easier if we weren't utilizing the secondary IP scenario. I mean, as long as the firewall we purchase provides the capabilities, is there any reason not to split it to their own interfaces?

And if I did split it, given the interface limitation on the 5505, wouldn't I have to create unique "VLANs" for each of the outside interfaces? Would the switch that sits between the outside interface and the router's inside interface have to support VLANs, assuming it was a single switch? Or would I have to get a separate switch to handle the 2nd "outside" interface on the firewall?

I assume I'd just set the sec-level to 0 for both outside facing interfaces?

What's the recommended practice? Seeing how I have yet to purchase the hardware, now is the time for me to get it right.

thanks

Yes, the 5505 can handle this as this is a standard feature of NAT.

No it wouldn't be easier as the ASA is not keen on multiple outside interfaces and then you have additional problems of multiple default routes via different outside interfaces. It is much simpler to have one outside interface and do the NAT as suggested by KS, and this is a very common setup.

Jon

Kureli Sankar Wed, 01/13/2010 - 10:55

The ASA 5505 can handle this NAT. Please decide on the hardware based on how much traffic you will be pushing through it.

No, you cannot give each subnet its own interface on the ASA if they are all internet facing. You cannot add a default route for 0.0.0.0 0.0.0.0 out 3 different interfaces. You can only add up to 3 default routes pointing to the same interface.

For example - say you had interfaces on the ASA as isp1, isp2 and isp3.

You CANNOT add

route isp1 0.0.0.0 0.0.0.0 x.x.x.x

route isp2 0.0.0.0 0.0.0.0 y.y.y.y

route isp3 0.0.0.0 0.0.0.0 z.z.z.z

You can only add the following

route outside 0.0.0.0 0.0.0.0 x.x.x.1

route outside 0.0.0.0 0.0.0.0 x.x.x.2

route outside 0.0.0.0 0.0.0.0 x.x.x.3

Here is the data sheet for the ASAs:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Your topology would look like this:

inside networks---(optional)router----ASA5510/5505----ROUTER-----ISP/Internet

-KS

mjsully Wed, 01/13/2010 - 12:28

Thank you all for the info. So if I went with a pair of 5505s (for failover), how do I set this up? Do I need to configure a VLAN interface, or do I just configure the physical interface with one IP address, then add a secondary IP address to the same interface and be done with it? What is the command to do this?

I'll also be doing about 100 static NATs for each public IP range, the 1.1.1.1 and the 5.5.5.5 range. Both outside IP ranges would map to unique inside addresses on the same inside subnet. Any special config needed here, or do I simply set things up the normal method with the static (inside,outside) commands?

If you could point me to any documentation that would help me, it would be greatly appreciated! The info I'm getting is conflicting; searches for secondary IPs on ASA firewalls are telling me it's not supported, so I could really use some documentation and commands that say otherwise. Thanks!

Jon Marshall Wed, 01/13/2010 - 13:06

mjsully wrote:

Thank you all for the info. So if I went with a pair of 5505s (for failover), how do I set this up? Do I need to configure a VLAN interface, or do I just configure the physical interface with one IP address, then add a secondary IP address to the same interface and be done with it? What is the command to do this?

I'll also be doing about 100 static NATs for each public IP range, the 1.1.1.1 and the 5.5.5.5 range. Both outside IP ranges would map to unique inside addresses on the same inside subnet. Any special config needed here, or do I simply set things up the normal method with the static (inside,outside) commands?

If you could point me to any documentation that would help me, it would be greatly appreciated! The info I'm getting is conflicting; searches for secondary IPs on ASA firewalls are telling me it's not supported, so I could really use some documentation and commands that say otherwise. Thanks!

The ASA firewalls do not support secondary addresses so you won't find docs that say otherwise. The NAT example KS gave is how you set it up and the example given did not include any secondary addressing.

Your NAT config is standard static statements.

Failover - be aware that you need the Security Plus license, and even with that the ASA 5505 does not support stateful failover, i.e. it only supports stateless active/standby failover. If you want stateful failover then you should be looking at the higher-end ASAs.

Jon

mjsully Wed, 01/13/2010 - 16:07

OK, now I'm confused. I thought you guys said my scenario would work? I was not looking for examples of how to set up one-to-one NAT if the interface has a single IP; that is something I am already familiar with and I can set up the NAT just fine. What I was trying to find out is whether I can add a secondary IP address to that same outside interface, have that IP in a different subnet, and support the NAT for both the primary subnet and the secondary subnet. Now it sounds like I cannot achieve this on an ASA, correct?

Anyone know a firewall that will do this?

Jon Marshall Thu, 01/14/2010 - 03:51

mjsully wrote:

OK, now I'm confused. I thought you guys said my scenario would work? I was not looking for examples of how to set up one-to-one NAT if the interface has a single IP; that is something I am already familiar with and I can set up the NAT just fine. What I was trying to find out is whether I can add a secondary IP address to that same outside interface, have that IP in a different subnet, and support the NAT for both the primary subnet and the secondary subnet. Now it sounds like I cannot achieve this on an ASA, correct?

Anyone know a firewall that will do this?

Apologies for the confusion.

The ASA does not support secondary addressing on its interfaces. However, the ASA will respond to ARP requests for addresses that are not configured on any of its interfaces, which seemed to be what you needed. So for example you can do this -

static (inside,outside) 195.17.17.10 192.168.5.10 netmask 255.255.255.255

Any traffic destined for 195.17.17.10 will be translated by the ASA to 192.168.5.10. Note that 195.17.17.10 does not need to be configured on any interface on the ASA. As long as the traffic for 195.17.17.10 is routed to the outside interface of the ASA then it will work.

Does this not meet your requirements?

Jon

mjsully Thu, 01/14/2010 - 05:51

Thank you for the clarification. It's making more sense now. However, I'm still concerned about something. The outside interface of the PIX will connect to a single Layer 2 switch that connects to a router's ethernet interface that has a primary and secondary IP address assigned, and they are both public IPs, not private. For example, router primary IP is 1.1.1.1 and secondary IP of 5.5.5.5. If I cannot assign a secondary IP to the ASA, will everything work if the ASA's outside interface is 1.1.1.2 and its default route goes to the 1.1.1.1 address? Does it need to know about the secondary subnet? I'm confused as to how ARP will work if only the router end knows about the 5.5.5.5 subnet. Are you saying that if a packet comes in from the internet with a destination of something in the 5.5.5.x subnet, that it will make it to the firewall, and so long as I have a static statement and ACL for it, it will allow it in just the same, even though it has no knowledge of the 5.5.5.x network?

Kureli Sankar Thu, 01/14/2010 - 06:35

Correct.

If the router asks who has 5.5.5.x tell me, the firewall will respond and say "send to me".

-KS
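The configuration below is an added worked example for the topology discussed in this thread; it is not taken from any of the posters' configs. It assumes an ASA 5505 running pre-8.3 software (the `static (inside,outside)` syntax used above; 8.3 and later replace this with object NAT and ACLs that reference the real, not the mapped, address), an outside VLAN interface of 1.1.1.2/24 with a standby address of 1.1.1.3 for the failover pair, the router at 1.1.1.1, an inside subnet of 172.16.1.0/24, and two placeholder hosts 172.16.1.10 and 172.16.1.11 offering HTTPS and SMTP. The interface numbers, the ACL name `outside_in` and the ports are assumptions. The 5.5.5.0/24 block is never configured on the ASA; it works because the router already holds 5.5.5.5 as a secondary address on the shared segment and ARPs for 5.5.5.x there, and the ASA proxy-ARPs for every address in a static mapping.

```text
! Added example (not from the thread). ASA 5505, pre-8.3 NAT syntax.
! Outside lives on VLAN 2 (Ethernet0/0); inside on VLAN 1 (the rest).
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0 standby 1.1.1.3
!
! Exactly one default route, to the router's primary address.
! No route and no interface address is needed for 5.5.5.0/24.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! One-to-one statics. The first maps a public IP from the outside
! interface's own subnet; the second maps one from the router's
! secondary subnet. The ASA treats both identically and will answer
! ARP for 1.1.1.10 and 5.5.5.10 on the outside segment.
static (inside,outside) 1.1.1.10 172.16.1.10 netmask 255.255.255.255
static (inside,outside) 5.5.5.10 172.16.1.11 netmask 255.255.255.255
!
! Inbound policy. In pre-8.3 code the ACL matches the mapped (public)
! address. Permit only the services each host actually offers; the
! implicit deny at the end of the ACL drops everything else.
access-list outside_in extended permit tcp any host 1.1.1.10 eq 443
access-list outside_in extended permit tcp any host 5.5.5.10 eq 25
access-group outside_in in interface outside
!
! Proxy ARP on the outside interface is on by default and is what
! lets the ASA answer the router's "who has 5.5.5.10" request.
! Do NOT add "sysopt noproxyarp outside" in this design.
!
! Verification after applying (pre-8.3 show commands):
!   show xlate   -> one static entry per mapping
!   show route   -> a single default route via 1.1.1.1
!   show arp     -> 1.1.1.1 learned on outside once traffic flows
```

Two checks worth doing before going live: confirm with `show route` that only one default route exists (the thread's point about not splitting the public ranges across interfaces), and confirm from the router side that its ARP table resolves 5.5.5.10 to the ASA's outside MAC, which proves the proxy-ARP behaviour KS describes. The failover link itself (`failover lan interface` and related commands) is not shown here.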
