Internet to DMZ access not using interface IP

Answered Question
Mar 19th, 2010
User Badges:

Hi guys,


I have an ASA 5510 and everything is just fine for now.


I'm able to setup Internet to DMZ access using outside interface address. But now I want to move the services from outside IP address to another IP address (the next one in the pool my ISP gave me).


Is it possible ?

How ?


I've tried setting a NAT rule for the new IP address and the access list entry corresponding, but this does not work.

I suppose this is not working because the new IP address does not respond to ARP requests from my ISP router. Am I right?


Any help would be welcome.


Thanks.

Correct Answer by Jon Marshall about 7 years 4 months ago

Just to go further in the discussion:

Now that I have ARP proxy on the oustide interface, this prevents me from having another device "next to" the firewall on the same subnet(as opposed to "behind").True?


No, not true. The firewall will only respond to IPs it has been configured for. If you configured the whole subnet, in terms of static translations then yes you would have problems if you then allocated one of the IPs to a device next to the firewall.


However if you have 3 IPs eg. 1.1.1.10/11/12 and you had static statements on your firewall for 1.1.1.10 & 11 you could stil allocate 1.1.1.12 to the other device because the firewall will not respond to arp requests for that address.


Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Collin Clark Fri, 03/19/2010 - 12:57
User Badges:
  • Purple, 4500 points or more

Once you make the change you will need to clear your NAT translations. You can so that with


clear xlate


Hope it helps.

ankama_network Mon, 03/22/2010 - 06:45
User Badges:

Hi again,


As I expected, it just cut all connections, but it did not solve anything.


Regarding into the logs, nothing is logged for the IP I set when I try to SSH on it (that's the port I wanna join from outside).


As a precision, the firewall is working in routed mode.

Jon Marshall Mon, 03/22/2010 - 07:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Can you post the firewall config togther with the details of the IP address you are trying to NAT and to what address you are Natting.


Also for future reference instead of just "clear xlate" which will indeed cut all connections, you can specify the exact xlate you want to clear.


Jon

ankama_network Mon, 03/22/2010 - 07:30
User Badges:

I won't post my config here because :

     -it is huge

     -I will have to mask a couple of things and that's boring

     -this won't help anyone (would my config give a clue on such a generic question ?!!!)


Let's say I have the IP block 1.2.3.0/24. My outside interface is 1.2.3.1.

I wanna use 1.2.3.2 for my DMZ server to respond (on the outside interface using NAT between DMZ and outside).

If you need numbers, just let's say my DMZ is 192.168.1.0/24 and that my server is 192.168.1.1


As I said I already successfully had my DMZ server serving using interface IP, but when I translate the rules for the new IP, this just give nothing (no service and no log).


My question is so simple :

how do you configure that behavior?


Another way to explain what I wanna do :

How to handle multiple IP addresses on a single outside interface (so more that 1 server can respond to a given port)?

Jon Marshall Mon, 03/22/2010 - 09:54
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

I won't post my config here because :

     -it is huge

     -I will have to mask a couple of things and that's boring

     -this won't help anyone (would my config give a clue on such a generic question ?!!!)



Hmmm strange, you come to this forum asking for help but seem to know exactly what should and shouldn't be provided in order to help you. Perhaps you should be answering questions and not asking them.


outside IP = 1.1.1.10  (this is not the outside interface ip)

dmz IP = 192.168.5.10


static (dmz,outside) 1.1.1.10 192.168.5.10 netmask 255.255.255.255


access-list outside_in permit tcp any host 1.1.1.10 eq 80


1) the 1.1.1.10 address must be routed by your ISP to the outside interface of your firewall

2) you must have proxyarp enabled on the outside interface of your firewall for this to work. Should be enabled by default unless you have specifically disabled it (which is why i asked for your config)


I'm assuming you removed the old static translation using your outside interface address before entering the new one ?


Jon

ankama_network Mon, 03/22/2010 - 11:11
User Badges:

Jon,


Thank you very much.

That was obvious : in order to get the ASA answer for a request that is not destinated to it, enable proxy ARP on the desired interface.


So it's now working as expected.


You will notice you did not need my conf at all


So to answer my own question :

     -have a valid NAT rule

     -have a valid access rule

     -enable ARP proxy on the outside interface so the device will respond to ARP requests not destinated to it


I did not enabled this feature because it is an "interface wide" parameter, without the possibility to have an override for explicit parameters(as far as I know, see my last question). I thought the ASA would do the "magic" (I hate that, I'm a supporter of "explicit is good") for me, as it like to do so in many situations (like responding to ping on the outside when enabling SSL VPN among others, if you guys have solutions or explanation on that...)



Just to go further in the discussion:

Now that I have ARP proxy on the oustide interface, this prevents me from having another device "next to" the firewall on the same subnet(as opposed to "behind").True?


Thanks again

Correct Answer
Jon Marshall Mon, 03/22/2010 - 11:24
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Just to go further in the discussion:

Now that I have ARP proxy on the oustide interface, this prevents me from having another device "next to" the firewall on the same subnet(as opposed to "behind").True?


No, not true. The firewall will only respond to IPs it has been configured for. If you configured the whole subnet, in terms of static translations then yes you would have problems if you then allocated one of the IPs to a device next to the firewall.


However if you have 3 IPs eg. 1.1.1.10/11/12 and you had static statements on your firewall for 1.1.1.10 & 11 you could stil allocate 1.1.1.12 to the other device because the firewall will not respond to arp requests for that address.


Jon

ankama_network Mon, 03/22/2010 - 13:39
User Badges:

That's terrific


I'm not using that scenario but I could one day or another.


Thank you Jon again.

Actions

This Discussion