2046 Views, 0 Helpful, 20 Replies

Traffic to different wan ip's

m1kkel1984 (Level 1)

Hello guys.

I have an ASA 5510 Sec Plus.

I'm new to Cisco.

WAN IP: 77.68.136.96 - 77.68.136.102

Is it possible to send traffic from an internal host like 192.168.10.31 out through a WAN IP other than the one bound to interface "outside"?

I tried it with these commands:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

and so on.

But it doesn't seem to work... actually the hosts cannot access the internet at all. The outside interface is security level 0 and the DMZ interface is level 90, so there's no need to make an access list from DMZ to outside, right?

20 Replies

Jennifer Halim (Cisco Employee)

Definitely can. What you have configured is correct.

Just have to make sure that proxy ARP is enabled on the outside interface.

Just check the "sh run sysopt" output: if you don't see the "sysopt noproxyarp outside" command, that means proxy ARP is enabled.

Also perform "clear xlate" after you configure the NAT/global pair statements.

If you have no access-list assigned to the DMZ interface, traffic from DMZ to outside will be allowed by default. If you have configured an access-list on the DMZ interface, you would need to explicitly allow traffic from DMZ to outside.

Okay, so why should proxy ARP be enabled?

Thanks

Because those are virtual IP addresses that are not assigned to any interface, they need ARP resolution, and they resolve to the ASA outside interface MAC address when proxy ARP is enabled, so the router in front of the ASA can reach them.

OK, I see.

Could you maybe have a look at my config file and see if anything else is wrong?

I have attached it.

OK, first of all, you can use overlapping public IP addresses for both static statements and global statements.

As per the config, for example: 77.68.136.97 has been used on a static port address redirection statement, so you can't use 77.68.136.97 for your global statement.

---> so use a unique public IP address for your global statement.

Secondly, from the config, it seems that you have a lot of NAT statements. Traffic matches NAT statements from top to bottom, not by the longest IP address/subnet match. If you do "sh run nat", you will see the list of NAT statements, and the order in which you configured them on the ASA is the order of first match.

The reason why I have a lot of NAT statements is that I have a lot of servers on the DMZ which have different WAN IPs applied to them, and therefore port 25 traffic to IP .98 is forwarded to the host that the .98 IP is attached to, the same with the .99 IP and so on.

Maybe there is a better way to handle this?

We are a small hosting provider and we host terminal servers and Exchange servers, and each customer has its own virtual server and WAN IP. You get the point...

Yes, I understand what you are trying to achieve.

However, on the ASA, a public IP that has been assigned to a static statement cannot be assigned to a global statement. They can't overlap.

And in regards to the NAT statements, as mentioned earlier, it works top to bottom. So if you have the following list, for example ("sh run nat" order, i.e. the order in which you configured the nat statements):

nat (dmz) 100 192.168.10.0 255.255.255.0

nat (dmz) 2 192.168.10.31 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255

If traffic is sourced from 192.168.10.31, for example, it will match the first nat statement instead of the second, because NAT is matched from top to bottom, i.e. it will match line 1 first: "nat (dmz) 100 192.168.10.0 255.255.255.0".

If you would like traffic sourced from 192.168.10.31 to match the second nat statement, then you would need to remove the first line and reapply it, because when you remove a nat line and reapply it, it is added to the bottom of the NAT list.

For example: if you remove "nat (dmz) 100 192.168.10.0 255.255.255.0" and reapply the same statement, the order of the above list will be as follows:

nat (dmz) 2 192.168.10.31 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255

nat (dmz) 100 192.168.10.0 255.255.255.0

Then traffic sourced from 192.168.10.31 will match the first line, "nat (dmz) 2 192.168.10.31 255.255.255.255".

OK, I see.

May I return when I have fixed my conf, so you can read it before I apply it and take down our old router?

Sure..

Okay, thanks.

I fixed up my conf. Can you verify that everything is correct, or do you need more info from me?

Hey - did you have the time to verify that my conf is correct?

Regards, Mikkel

To start with, you don't need these two route statements:

route inside 192.168.0.0 255.255.255.0 192.168.0.1
route dmz 192.168.10.0 255.255.255.0 192.168.10.1

For the NAT statements, please send the output of the following:

sh run nat

sh run static

sh run global

As mentioned, the order is the order in which you entered the NAT lines into the configuration, which the output of the above will show.

And please also confirm that you are trying to achieve the following, as per your original post:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

All right, I'm back.

I'm trying to apply my config, but it fails in different places.

First:

(trying to send everything else that does not match the rules out through the WAN interface)

nat (dmz) 100 192.168.10.0 255.255.255.0
global (outside) 100 interface
ERROR: global for this range already exists

Second:

ciscoasa(config)# static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 ne$
ciscoasa(config)# static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 ne$
ERROR: duplicate of existing static
  TCP DMZ:192.168.10.34/25 to outside:77.68.136.32/25 netmask 255.255.255.255

Why am I receiving that error? It occurs after the first static rule is applied. I'm trying to send traffic from different WAN IPs (port 25) into our spam gateway..

Best regards, Mikkel

Yes, you already have "global (outside) 1 interface", so you can't configure two global statements that use the same IP address (the interface address). Hence you are getting the error when applying "global (outside) 100 interface".

For the static statements, you can't configure static port address redirection for the same port (TCP/25) and the same internal/private IP address.
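The two rules this thread turns on are the top-to-bottom matching of nat lines (the remove-and-reapply trick in the earlier reply) and the two "already exists"/"duplicate" errors in the last exchange. The script below is an added example, not Cisco's code and not the poster's config: it is a small Python model of that pre-8.3 nat/global/static behaviour. It parses lines in the format shown in the thread (only that syntax; nat 0, access-list based NAT, outside NAT and the "netmask" on global lines are ignored), answers "which nat line does this DMZ host hit, and which outside address does it get?", simulates re-entering the /24 line, and flags the three conflicts the replies describe. The sample config is built from the thread's own lines plus one constructed static on 77.68.136.97, so that the static/global overlap check has something to catch.

```python
import ipaddress


def parse_config(text):
    """Collect nat / global / static lines, keeping file order: that order
    is the order the ASA evaluates nat lines in (first match wins)."""
    nats, globals_, statics = [], [], []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nat":  # nat (iface) id real_ip mask
            nats.append({"iface": tok[1].strip("()"), "id": int(tok[2]),
                         "net": ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)})
        elif tok[0] == "global":  # global (iface) id {mapped_ip | interface} [netmask m]
            globals_.append({"iface": tok[1].strip("()"), "id": int(tok[2]), "addr": tok[3]})
        elif tok[0] == "static":
            # static (real_if,mapped_if) [tcp|udp] mapped_ip [port] real_ip [port] netmask m
            real_if, mapped_if = tok[1].strip("()").split(",")
            rest = tok[2:]
            proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
            if proto:
                s = {"mapped_ip": rest[0], "mapped_port": int(rest[1]),
                     "real_ip": rest[2], "real_port": int(rest[3])}
            else:
                s = {"mapped_ip": rest[0], "mapped_port": None,
                     "real_ip": rest[1], "real_port": None}
            s.update(real_if=real_if, mapped_if=mapped_if, proto=proto)
            statics.append(s)
    return nats, globals_, statics


def first_nat_match(nats, iface, src_ip):
    """First nat line on iface that covers src_ip, top to bottom.
    The longest prefix does not win; the earliest line does."""
    src = ipaddress.ip_address(src_ip)
    for n in nats:
        if n["iface"] == iface and src in n["net"]:
            return n
    return None


def mapped_address(nats, globals_, src_iface, dst_iface, src_ip):
    """Outside address the host is translated to: the global line on
    dst_iface whose id equals the id of the matching nat line."""
    n = first_nat_match(nats, src_iface, src_ip)
    if n is None:
        return None
    for g in globals_:
        if g["iface"] == dst_iface and g["id"] == n["id"]:
            return g["addr"]
    return None


def reapply(nats, iface, nat_id, net):
    """Simulate 'no nat ...' followed by re-entering the same line:
    the line moves to the bottom of the list, as the reply explains."""
    target = ipaddress.ip_network(net, strict=False)
    kept = [n for n in nats
            if not (n["iface"] == iface and n["id"] == nat_id and n["net"] == target)]
    kept.append({"iface": iface, "id": nat_id, "net": target})
    return kept


def find_conflicts(globals_, statics):
    """The three conflicts described in the thread, as messages."""
    errors, seen_global, seen_static = [], set(), set()
    for g in globals_:  # two global pools on the same address/interface
        key = (g["iface"], g["addr"])
        if key in seen_global:
            errors.append(f"global for this range already exists: {g['addr']} on {g['iface']}")
        seen_global.add(key)
    static_mapped = {(s["mapped_if"], s["mapped_ip"]) for s in statics}
    for g in globals_:  # global address already used by a static
        if (g["iface"], g["addr"]) in static_mapped:
            errors.append(f"global {g['addr']} overlaps a static on {g['iface']}")
    for s in statics:  # second PAT for the same inside host and port
        if s["proto"] is None:
            continue
        key = (s["real_if"], s["mapped_if"], s["proto"], s["real_ip"], s["real_port"])
        if key in seen_static:
            errors.append(f"duplicate of existing static: {s['proto'].upper()} "
                          f"{s['real_if']}:{s['real_ip']}/{s['real_port']}")
        seen_static.add(key)
    return errors


# Constructed sample: the thread's lines, plus one static on .97 (assumed).
SAMPLE = """
nat (dmz) 100 192.168.10.0 255.255.255.0
nat (dmz) 2 192.168.10.31 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 1 interface
global (outside) 100 interface
global (outside) 2 77.68.136.97 netmask 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
static (dmz,outside) tcp 77.68.136.97 443 192.168.10.31 443 netmask 255.255.255.255
static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 netmask 255.255.255.255
static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 netmask 255.255.255.255
"""

if __name__ == "__main__":
    nats, globals_, statics = parse_config(SAMPLE)
    print("before:", mapped_address(nats, globals_, "dmz", "outside", "192.168.10.31"))
    fixed = reapply(nats, "dmz", 100, "192.168.10.0/255.255.255.0")
    print("after: ", mapped_address(fixed, globals_, "dmz", "outside", "192.168.10.31"))
    for e in find_conflicts(globals_, statics):
        print("ERROR:", e)
```

Run it before a cutover: the "before" line shows the .31 host still leaving via the interface address because the /24 line is on top, the "after" line shows it picking up 77.68.136.97 once the /24 line is moved to the bottom, and the three ERROR lines are the ones the ASA would refuse at the CLI.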
