Assigning different outside IP Address on multiple VLAN

Unanswered Question
Jun 2nd, 2010

Hi, I have 5 usable static IP addresses provided by my ISP. I am using an ASA5505 with Security Plus firewall. My question is, can I assign each usable IP address to a specific VLAN so that when they go out to access the Internet, it will show that the source public IP address is coming from that assigned IP and not just whatever gateway is assigned on my route statement? Please look at the example provided below:


     OUTSIDE IP ADDRESS     VLAN     INSIDE IP ADDRESS
     208.155.152.1          1        192.168.1.0
     208.155.152.2          3        192.168.2.0
     208.155.152.3          4        192.168.3.0
     208.155.152.4          5        192.168.4.0



Any information as to what commands I should use would be greatly appreciated. Thank you so much.


Russell

Federico Coto F... Wed, 06/02/2010 - 08:39

Russell,


The limitation here is that the ASA 5505 running Security Plus, or any other ASA in fact, will allow you to use only a single default gateway simultaneously.

You can have up to three default gateways with the same metric out the same interface (but the three next hops should belong to the same subnet).

You can have multiple backup default gateways via different interfaces (with different metrics).


What is it that you're trying to accomplish?


Federico.

rmanapat Wed, 06/02/2010 - 08:55

Federico,


First of all, I would like to thank you for your quick response. Basically what I'm trying to accomplish is to separate each VLAN and have them reflect a different outside IP address. I'm doing this for compliancy purposes. In the example that I provided earlier, I want everybody that's on VLAN1 to reflect 208.155.152.1 as the source outside IP address whenever they access the internet, VLAN3 would reflect 208.155.152.2 as the source IP address when they access the internet, and the same for the rest of the VLANs.


     Sorry if my explanation is confusing.  But if you need more information, please let me know.  Thanks again for the quick response.


Russell

Federico Coto F... Wed, 06/02/2010 - 09:03

Let's see:


You can do the following:

interface vlan 1
ip address 208.155.152.1

interface vlan 2
ip address 208.155.152.2

interface vlan 3
ip address 208.155.152.3

interface vlan 4
ip address 208.155.152.4


My question is... which subnet mask will you configure on each VLAN?
Because if you configure any other subnet mask besides 255.255.255.255 you will get an overlapping error.

And, if you configure a /32-bit mask, nothing else can be connected on that interface.


If your goal is for different VLANs to be seen with different source addresses when they send traffic,
I would think that you can do NAT to accomplish this.


Federico.

rmanapat Wed, 06/02/2010 - 09:07

I think I'm referring to different VLANs reflecting different source addresses when they send traffic. What would be the recommended NAT or configuration that I should put on my ASA? Thanks again.


Russell

terrygwazdosky Wed, 06/02/2010 - 09:41

I'm assuming all the networks are /24s?  Here's an example:


nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 208.155.152.1
!
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 208.155.152.2
!

...and so on for each IP and netblock.


Please check & back up any existing NAT & Global configs before configuration. If you're still unsure, post your config, sans sensitive information, for us to take a peek at.
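
Added example, not part of the original posts: one way to check an existing config before and after adding the statements above is to pair `nat` and `global` lines by NAT ID and flag anything that breaks the "one inside subnet, one public source address" goal. The sample config is constructed, the function names are hypothetical, and only the `nat`/`global` syntax shown in this thread is parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample config in the nat/global syntax used in this thread.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 208.155.152.1
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 208.155.152.2
nat (inside) 3 192.168.3.0 255.255.255.0
nat (inside) 3 192.168.4.0 255.255.255.0
global (outside) 3 208.155.152.3
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse(config):
    """Return ({nat_id: [inside networks]}, {nat_id: [global addresses]})."""
    nats, globals_ = defaultdict(list), defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            # Skip NAT ID 0 (no global is paired with it) and access-list forms.
            if m.group(2) == "0" or m.group(3) == "access-list":
                continue
            nats[m.group(2)].append(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(2)].append(m.group(3))
    return nats, globals_

def audit(config):
    """List findings that break 'one inside subnet = one public source address'."""
    nats, globals_ = parse(config)
    findings = []
    for nat_id, nets in sorted(nats.items()):
        if nat_id not in globals_:
            findings.append(f"NAT ID {nat_id}: no matching global statement")
        if len(nets) > 1:
            findings.append(f"NAT ID {nat_id}: {len(nets)} inside subnets share this ID")
    owner = {}
    for nat_id, addrs in sorted(globals_.items()):
        for addr in addrs:
            if addr in owner:
                findings.append(f"{addr}: used by NAT IDs {owner[addr]} and {nat_id}")
            owner.setdefault(addr, nat_id)
    return findings
```

On the constructed sample, `audit(SAMPLE_CONFIG)` reports that 192.168.3.0 and 192.168.4.0 share NAT ID 3, so both would leave with the same public source address.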

rmanapat Wed, 06/02/2010 - 10:09

Terry,


Thank you for your response. I will try that and will let you know if that works for me or not. I will not be implementing it until tomorrow so let's see what happens. Thank you again for your quick response.


Russell
