Traffic to different wan ip's

Unanswered Question
May 4th, 2010

Hello guys.


I have asa5510 sec plus.


I'm new to Cisco.


WAN IP: 77.68.136.96 - 77.68.136.102


Is it possible to send traffic from an internal host like 192.168.10.31 out through another WAN IP than the one bound to interface "outside"?


I tried it with this command:


nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255



nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255


and so on


But it doesn't seem to work. Actually the hosts cannot access the internet at all. Outside interface level 0, DMZ interface level 90, so there's no need to make an access list from DMZ to outside, right?

Jennifer Halim (Cisco Employee) Tue, 05/04/2010 - 02:59

Definitely can. What you have configured is correct.


Just have to make sure that proxy arp is enabled on the outside interface.


Just check: "sh run sysopt" output, if you don't see "sysopt noproxyarp outside" command, that means proxy arp is enabled.


Also perform "clear xlate" after you configure the NAT/Global pair statements.


If you have no access-list assigned to the DMZ interface, traffic from DMZ to outside will be allowed by default. If you have configured an access-list on the DMZ interface, you would need to explicitly allow traffic from DMZ to outside.

Jennifer Halim (Cisco Employee) Tue, 05/04/2010 - 03:11

Because those are virtual IP addresses that are not assigned to any interface, they need ARP resolution; with proxy ARP enabled they resolve to the ASA outside interface MAC address, so the router in front of the ASA can reach them.

Jennifer Halim (Cisco Employee) Tue, 05/04/2010 - 03:41

OK, first of all, you can use overlapping public ip address for both static statement and global statement.


As per your config, for example: 77.68.136.97 has been used on a static port address redirection statement, so you can't use 77.68.136.97 for your global statement.


---> so use a unique public ip address for your global statement.


Secondly, from the config, it seems that you have a lot of NAT statements. Traffic matches the NAT statements from top to bottom, not by longest IP address/subnet match. If you do "sh run nat", you will see the list of NAT statements, and the order in which you configured them on the ASA is the order of matching.

m1kkel1984 Tue, 05/04/2010 - 03:51

The reason why I have a lot of NAT statements is because I have a lot of servers on the DMZ which have different WAN IPs applied to them, and therefore port 25 traffic to IP .98 is forwarded to the host that the .98 IP is attached to, the same with the .99 IP and so on.


Maybe there is a better way to handle this?


We are a small hosting provider and we host terminal servers and Exchange servers, and each customer has its own virtual server and WAN IP. You get the point...

Jennifer Halim (Cisco Employee) Tue, 05/04/2010 - 04:13

Yes, I understand what you are trying to achieve.


However, on the ASA, a public IP that has been assigned to a static statement cannot be assigned to a global statement. They can't overlap.


And in regards to the NAT statements, as mentioned earlier, it works top to bottom. So if you have the following list for example ("sh run nat" order, i.e. the order in which you configured the nat statements):


nat (dmz) 100 192.168.10.0 255.255.255.0
nat (dmz) 2 192.168.10.31 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255


If traffic is sourced from 192.168.10.31 for example, it will match the first nat statement instead of the second nat statement because nat is matched from top to bottom, i.e. it will match line 1 first: "nat (dmz) 100 192.168.10.0 255.255.255.0".


If you would like traffic sourced from 192.168.10.31 to match the second nat statement, then you would need to remove the first line and reapply it, because when you remove a nat line and reapply it, it is added to the bottom of the NAT list.


For example: if you remove "nat (dmz) 100 192.168.10.0 255.255.255.0", and reapply the same statement, the order from the above list will be as follows:

nat (dmz) 2 192.168.10.31 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 100 192.168.10.0 255.255.255.0


Then traffic sourced from 192.168.10.31 will now match the first line "nat (dmz) 2 192.168.10.31 255.255.255.255".
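The top-to-bottom matching described in the answer above can be checked offline before touching the box. The following is an added example and not code from the thread or from Cisco: it models a pre-8.3 ASA picking a nat/global pair for a flow (nat lines tried in configuration order, first match wins, a removed-and-reapplied line goes to the bottom) and flags any broad nat line that shadows a more specific one below it. The addresses are the thread's own; the mapping of nat id 100 to the "interface" address and the simplified matching (no nat 0, no policy NAT) are assumptions of this example.

```python
"""Model of pre-8.3 ASA nat/global selection (added example, not Cisco code)."""
import ipaddress

# (nat_id, interface, real network) in the order the lines were entered on the CLI,
# which is the order "sh run nat" shows and the order the ASA matches them.
NAT_LIST = [
    (100, "dmz", "192.168.10.0/24"),
    (2, "dmz", "192.168.10.31/32"),
    (3, "dmz", "192.168.10.40/32"),
]

# nat_id -> public address handed out by the matching "global (outside) <id> ..." line.
# Mapping id 100 to the outside interface address is an assumption of this example.
GLOBALS = {100: "interface", 2: "77.68.136.97", 3: "77.68.136.98"}


def first_match(src_ip, nat_list):
    """Return the nat id of the first line whose network contains src_ip, or None."""
    src = ipaddress.ip_address(src_ip)
    for nat_id, _iface, net in nat_list:
        if src in ipaddress.ip_network(net):
            return nat_id
    return None


def translate(src_ip, nat_list, globals_):
    """Public address a flow from src_ip would be translated to, or None if untranslated."""
    return globals_.get(first_match(src_ip, nat_list))


def reapply(nat_list, nat_id):
    """Emulate 'no nat ... <nat_id> ...' followed by re-entering the same line(s):
    every line with that id is removed and appended at the bottom of the list."""
    kept = [entry for entry in nat_list if entry[0] != nat_id]
    moved = [entry for entry in nat_list if entry[0] == nat_id]
    return kept + moved


def check_order(nat_list):
    """Warn about any nat line that fully covers a more specific line below it;
    the more specific line can never be matched in that order."""
    warnings = []
    for i, (_, _, net_a) in enumerate(nat_list):
        broad = ipaddress.ip_network(net_a)
        for _, _, net_b in nat_list[i + 1:]:
            specific = ipaddress.ip_network(net_b)
            if specific != broad and specific.subnet_of(broad):
                warnings.append(f"{net_a} is above {net_b}: {net_b} can never match")
    return warnings


if __name__ == "__main__":
    for warning in check_order(NAT_LIST):
        print("warning:", warning)
    print("before:", translate("192.168.10.31", NAT_LIST, GLOBALS))
    fixed = reapply(NAT_LIST, 100)
    print("after reapplying nat id 100:", translate("192.168.10.31", fixed, GLOBALS))
```

Running `check_order` over the current "sh run nat" output before a change is the cheap way to catch the shadowing problem the answer describes; after the /24 line is re-entered it reports nothing and the host-specific lines are reachable.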

m1kkel1984 Tue, 05/04/2010 - 05:13

OK, I see.



May I return when I have fixed my conf, so you can read it before I apply it and take down our old router?

m1kkel1984 Fri, 05/07/2010 - 00:42

Hey - did you have the time to verify that my conf is correct?


Regards Mikkel

Jennifer Halim (Cisco Employee) Fri, 05/07/2010 - 02:16

To start with, you don't need these 2 route statements:

route inside 192.168.0.0 255.255.255.0 192.168.0.1
route dmz 192.168.10.0 255.255.255.0 192.168.10.1


For the NAT statements, please send the output of the following:

sh run nat
sh run static
sh run global


As mentioned, the matching order is the order in which you entered the NAT lines into the configuration, and the output of the above will show it.


And please also confirm that you are trying to achieve the following as per your original post:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

m1kkel1984 Mon, 05/17/2010 - 05:00

All right, I'm back.


I'm trying to apply my config, but it fails in different places.


First:

(trying to send everything else that does not match the rules out through the WAN interface)


nat (dmz) 100 192.168.10.0 255.255.255.0
global (outside) 100 interface
ERROR: global for this range already exists


Second:

ciscoasa(config)# static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 ne$
ciscoasa(config)# static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 ne$
ERROR: duplicate of existing static
  TCP DMZ:192.168.10.34/25 to outside:77.68.136.32/25 netmask 255.255.255.255


Why am I receiving that error? It occurs after the first static rule is applied. I'm trying to send traffic from different WAN IPs (port 25) to our spamgateway.


Best regards Mikkel

Jennifer Halim (Cisco Employee) Mon, 05/17/2010 - 05:21

Yes, you already have "global (outside) 1 interface", so you can't configure two global statements to use the same IP address (interface). Hence you are getting the error when applying "global (outside) 100 interface".


For the static statements, you can't configure static port address redirection for the same port (TCP/25) and same internal/private ip address.
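Both errors the poster hit ("global for this range already exists" and "duplicate of existing static") can be caught by reading the candidate lines before they are pasted into the ASA. The following linter is an added example, not code from the thread or from Cisco; it encodes the two rules from the answer above (one global statement per address per interface, and one static port redirection per protocol, internal address and internal port) and runs them over the exact lines the thread reports as failing. The sample configs are constructed from those lines, and the parsing covers only the plain `global` and `static ... tcp|udp` forms used in this thread.

```python
"""Pre-apply lint for two ASA nat/static conflicts (added example, not Cisco code)."""
import re

# Constructed from the lines the poster reported as failing.
CANDIDATE_CONFIG = """
global (outside) 1 interface
global (outside) 100 interface
static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 netmask 255.255.255.255
static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 netmask 255.255.255.255
static (dmz,outside) tcp interface 25 192.168.10.34 25 netmask 255.255.255.255
"""

# Constructed: the shape the thread settles on (one global per address, one SMTP static).
CORRECTED_CONFIG = """
global (outside) 1 interface
global (outside) 2 77.68.136.97 netmask 255.255.255.255
static (dmz,outside) tcp interface 25 192.168.10.34 25 netmask 255.255.255.255
static (dmz,outside) tcp 77.68.136.97 www 192.168.10.31 www netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def lint(config_text):
    """Return a list of error strings, one per line that the ASA would reject."""
    errors = []
    seen_global = {}  # (interface, address) -> nat id that already uses it
    seen_static = {}  # (proto, real ip, real port) -> mapped side already configured
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, addr = m.groups()
            key = (iface, addr)
            if key in seen_global:
                errors.append(f"global ({iface}) {nat_id} {addr}: "
                              f"address already used by global id {seen_global[key]}")
            else:
                seen_global[key] = nat_id
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, proto, pub_ip, pub_port, loc_ip, loc_port = m.groups()
            key = (proto, loc_ip, loc_port)
            if key in seen_static:
                errors.append(f"static ({real_if},{mapped_if}) {proto} {pub_ip}/{pub_port}: "
                              f"duplicate of existing static for {loc_ip}/{loc_port} "
                              f"(already mapped to {seen_static[key]})")
            else:
                seen_static[key] = f"{pub_ip}/{pub_port}"
    return errors


if __name__ == "__main__":
    for err in lint(CANDIDATE_CONFIG):
        print("ERROR:", err)
    print("corrected config errors:", lint(CORRECTED_CONFIG))
```

The static check keys on the real (internal) side, which is what the ASA's error message complains about; the three port-25 lines in the candidate config all map to 192.168.10.34/25, so only the first would be accepted.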

m1kkel1984 Mon, 05/17/2010 - 05:28

OK, I understand the global rule now.


Regarding port 25 to the same IP address - how do we fix it then?


We have like 12 WAN IPs where email (port 25) is coming in. All mail should be sent to internal IP 192.168.10.34 regardless of the originating WAN IP.


What to do?

m1kkel1984 Mon, 05/17/2010 - 06:38

Hello once again.


I think I know how to send all SMTP traffic to one internal IP.


static (dmz,outside) tcp interface 25 192.168.10.34 25 netmask 255.255.255.255


So I fixed my conf a little, fixed the rules that were failing, and the global rules. Please check again.


I also ran the commands you just suggested, and here's the output.


ciscoasa(config)# sh run nat
nat (inside) 0 access-list NCT-DMZ
nat (inside) 1 192.168.0.0 255.255.255.0
nat (DMZ) 2 192.168.10.31 255.255.255.255
nat (DMZ) 4 192.168.10.34 255.255.255.255
nat (DMZ) 3 192.168.10.40 255.255.255.255
nat (DMZ) 3 192.168.10.41 255.255.255.255
nat (DMZ) 5 192.168.10.42 255.255.255.255
nat (DMZ) 6 192.168.10.43 255.255.255.255
nat (DMZ) 7 192.168.10.45 255.255.255.255
nat (DMZ) 8 192.168.10.46 255.255.255.255
nat (DMZ) 8 192.168.10.47 255.255.255.255
nat (DMZ) 8 192.168.10.50 255.255.255.255
nat (DMZ) 8 192.168.10.51 255.255.255.255
nat (DMZ) 8 192.168.10.52 255.255.255.255
nat (DMZ) 8 192.168.10.53 255.255.255.255
nat (DMZ) 8 192.168.10.54 255.255.255.255
nat (DMZ) 1 192.168.10.0 255.255.255.0




ciscoasa(config)# sh run static
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.0.2 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 www 192.168.10.31 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 https 192.168.10.31 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 3389 192.168.10.31 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 www 192.168.10.40 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 https 192.168.10.40 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 3389 192.168.10.41 3389 netmask 255.255.255.255
static (DMZ,outside) tcp interface smtp 192.168.10.34 smtp netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.100 3389 192.168.10.42 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 www 192.168.10.43 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 https 192.168.10.43 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 3389 192.168.10.43 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 www 192.168.10.45 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 https 192.168.10.45 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 3389 192.168.10.45 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 www 192.168.10.47 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 https 192.168.10.47 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 3389 192.168.10.50 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 8093 192.168.10.51 8093 netmask 255.255.255.255


Hmm, should the first 4 statics come at the end??



ciscoasa(config)# sh run global
global (outside) 2 77.68.136.97 netmask 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
global (outside) 4 77.68.136.99 netmask 255.255.255.255
global (outside) 5 77.68.136.100 netmask 255.255.255.255
global (outside) 6 77.68.136.101 netmask 255.255.255.255
global (outside) 7 77.68.136.32 netmask 255.255.255.255
global (outside) 8 77.68.136.33 netmask 255.255.255.255
global (outside) 1 interface




How does this look?


I've attached my new and refined config.

Jennifer Halim (Cisco Employee) Mon, 05/17/2010 - 06:42

The NAT statements definitely look perfect, where the more specific ones are at the top, with the most general one right at the bottom.

With the static translation, the first 4 lines do not need to be moved anywhere. It's been correctly configured.

m1kkel1984 Mon, 05/17/2010 - 06:46

That is just amazing!


Thank you very much.



Now let's say that my spamgateway (192.168.10.34) needs to be able to communicate with 192.168.0.2 (on the inside interface); I've just created this rule:



!######################ACCESS TO NCT FROM PROOFPOINT################
access-list DMZ-NCT extended permit ip 192.168.10.34 255.255.255.255 192.168.0.2 255.255.255.255
access-group DMZ-NCT in interface inside



Is this also correctly configured?

Jennifer Halim (Cisco Employee) Tue, 05/18/2010 - 02:50

No, since the traffic originates from DMZ, you would need to add the ACL on your current DMZ access-list which is called DMZ-PING as follows:


access-list DMZ-PING extended permit ip host 192.168.10.34 host 192.168.0.2


Plus you also need to have the following static statement:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
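Why the poster's ACL had no effect comes down to which interface an access-group is bound to: an ACL applied "in interface inside" is only consulted for packets entering the inside interface, while the spamgateway's packets enter the DMZ interface. The following added example (not code from the thread or from Cisco) models that lookup for a single flow, together with the security-level default for interfaces without an ACL and the static requirement the answer above gives for DMZ-to-inside traffic. The real contents of the poster's DMZ-PING list are not on the page, so the "before" version is constructed as empty; the security levels and addresses are the thread's own.

```python
"""Model of ASA access-group placement and security levels (added example, not Cisco code)."""
import ipaddress

# Security levels as stated in the thread.
SECURITY_LEVEL = {"outside": 0, "dmz": 90, "inside": 100}

# ACL entries as (action, source network, destination network); 'ip' protocol only.
# DMZ-PING's real contents are not on the page: constructed as empty before the fix.
ACLS_BEFORE = {
    "DMZ-PING": [],
    "DMZ-NCT": [("permit", "192.168.10.34/32", "192.168.0.2/32")],
}
ACLS_AFTER = {
    "DMZ-PING": [("permit", "192.168.10.34/32", "192.168.0.2/32")],
}

# access-group bindings: interface -> ACL applied "in" on that interface.
GROUPS_BEFORE = {"dmz": "DMZ-PING", "inside": "DMZ-NCT"}   # the poster's attempt
GROUPS_AFTER = {"dmz": "DMZ-PING"}                          # the answer's fix

# Identity statics as (real interface, mapped interface, network):
# "static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0"
STATICS_AFTER = [("inside", "dmz", "192.168.0.0/24")]


def acl_permits(entries, src, dst):
    """First matching entry decides; every ACL ends in an implicit deny."""
    for action, s, d in entries:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def flow_allowed(ingress, egress, src_ip, dst_ip, groups, acls, statics):
    """Return (allowed, reason) for a flow entering `ingress` and leaving via `egress`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl_name = groups.get(ingress)
    if acl_name is None:
        # No ACL on the ingress interface: only higher -> lower security passes by default.
        if SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
            return False, f"no ACL on {ingress} and {egress} is not a lower-security interface"
    elif not acl_permits(acls[acl_name], src, dst):
        return False, f"denied by {acl_name} applied in interface {ingress}"
    if SECURITY_LEVEL[ingress] < SECURITY_LEVEL[egress]:
        # Lower -> higher: per the answer, the higher-security destination needs a
        # static translation towards the ingress interface.
        covered = any(real == egress and mapped == ingress and dst in ipaddress.ip_network(net)
                      for real, mapped, net in statics)
        if not covered:
            return False, f"no static ({egress},{ingress}) covering {dst}"
    return True, "permitted"


if __name__ == "__main__":
    flow = ("dmz", "inside", "192.168.10.34", "192.168.0.2")
    print("poster's config:", flow_allowed(*flow, GROUPS_BEFORE, ACLS_BEFORE, []))
    print("ACL fixed, no static:", flow_allowed(*flow, GROUPS_AFTER, ACLS_AFTER, []))
    print("ACL and static fixed:", flow_allowed(*flow, GROUPS_AFTER, ACLS_AFTER, STATICS_AFTER))
```

Note that the mis-bound DMZ-NCT list is not merely ineffective: because it is evaluated for everything entering the inside interface and matches nothing sourced from 192.168.0.0/24, it would deny traffic from the inside network instead.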

m1kkel1984 Tue, 05/18/2010 - 06:50

"Plus you also need to have the following static statement:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0"



I assume you mean:


static (inside,dmz) 192.168.0.2 192.168.10.34 netmask 255.255.255.255


??
