ASA5510 - Multiple external IPs and 2 internal LANs

grosvenornz
Level 1

Hi guys,

I've got a new ASA 5510 and plan to use it to connect two separate internal LANs to the internet.

The ISP assigned us the following IPs:

BorderIP     -     2xx.xx.xx.89

PublicIP1    -     2xx.xx.xx.19/28

PublicIP2    -     2xx.xx.xx.234/29

The two internal LANs are 192.168.100.0/24 and 10.10.100.0/24

At the moment, we have a Cisco1841 acting as the border router (IP 2xx.xx.xx.89), then a 3Com Firewall and an ASA5510 for the two internal LANs, 192.168.100.0/24 and 10.10.100.0/24, respectively.

We originally planned to replace the 3Com with a new ASA5510 but recently we've been having problems with the 1841.  Now we're thinking of replacing the 1841 with the new ASA5510 and removing the 3COM and the other ASA5510.  This means that a single ASA 5510 will connect the two LANs, 192.168.100.0/24 and 10.10.100.0/24, to the internet.

Now here are the questions:

1.  On the outside interface the assigned IP is 2xx.xx.xx.89 (BorderIP) and two IPs from PublicIP1 and PublicIP2 ranges were added via proxy-arp.  Using this interface configuration, can we NAT outbound traffic from 192.168.100.0/24 to 2xx.xx.xx.19 and 10.10.100.0/24 to 2xx.xx.xxx.234 so that when users from these networks browse the internet, their public IPs will be shown as coming from these IPs?

2.  Can a "proxy-arp'ed" IP address be used as a VPN endpoint or peer address?

Thanks in advance for your help guys!

2 Accepted Solutions

7 Replies

Nagaraja Thanthry
Cisco Employee

Hello,


You can use the ASA to host both Public IP addresses along with the WAN IP on the interface. As long as your ISP is ARPing for those addresses, the firewall will respond. You can use the following configuration:

global (outside) 1 2xx.xx.xx.19
global (outside) 2 2xx.xx.xx.234
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 2 10.10.100.0 255.255.255.0

This is assuming that both subnets are connected to your inside interface. If one of the subnets is on a different interface, then you need to change accordingly:

nat (Interface1Name) 1 192.168.100.0 255.255.255.0
nat (Interface2Name) 2 10.10.100.0 255.255.255.0

As far as your second question is concerned, you cannot use the hosted IP for VPN end points. It needs to be an address assigned to the interface.

Hope this helps.

Regards,


NT

Hi NT,

Thanks for the quick reply, this is very helpful.

I'll schedule a test as soon as possible and let you know how it goes.

Hi NT,

One more question about the VPN endpoint IP.

Since we have to use the outside interface IP of 2xx.xx.xx.89 for the site-to-site VPN, how are the VPN tunnels coming from the two LANs if their outbound IP is NAT'ed to the "arp'ed" ones?  For instance, how would traffic flow through VPN tunnels coming from the 192.168.100.0/24 network to a remote site since outbound traffic will be NAT'ed to 2xx.xx.xx.19?

Thanks!

Hello,

That depends upon your requirement. If you do not want the traffic to get NAT'ed when going over the VPN tunnel, then you can configure NAT-0 rules.

access-list nonat permit ip 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.x.x.0 255.255.255.0
nat (inside) 0 access-list nonat

This will ensure that traffic from the internal subnets goes un-NAT'ed to the VPN destinations while it follows the NAT rule when accessing the internet. If you want the inside hosts to use their respective NAT addresses even when going over the VPN tunnel, then you do not need to do anything (except configure crypto access-lists accordingly).

Hope this helps.

Regards,

NT

Hi NT,

The ASA5510 configuration (based on your suggestions) worked like a charm when I tested it this weekend.  Thanks for that!

I've got another issue though, particularly around port forwarding.

I have servers inside the 192.168.100.0/24 network that I have to access externally via RDP using the standard 3389 port, as well as ports 3394 and 3399, all NAT'ed to 3389.

Below is the part of my config that refers to this.  The NAT'ing to 192.168.100.14 works fine since it is using the default RDP port (3389).  However, the rules that "port forward" ports 3394 and 3399 to 3389 do not work.  I'm not sure what's wrong here since they've got exactly the same static rule configuration, except for the specific port translations.  BTW, 2xx.xx.xx.19 is the "proxy arp'ed" IP on the outside interface.

***********************************************************

access-list OUTSIDE_access_in extended permit tcp any host 2xx.xx.xx.19 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host 2xx.xx.xx.19 eq 3394
access-list OUTSIDE_access_in extended permit tcp any host 2xx.xx.xx.19 eq 3399

static (INSIDE,OUTSIDE) tcp 2xx.xx.xx.19 3389 192.168.100.14 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 2xx.xx.xx.19 3394 192.168.100.15 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 2xx.xx.xx.19 3399 192.168.100.16 3389 netmask 255.255.255.255

***********************************************************

Is there anything I'm missing here?

Thanks again!

Hello,

Your configuration looks good. There are a few possibilities due to which this is not working:

-- Your ISP is blocking all non-standard ports

-- You have statically mapped the x.x.x.19 address to one of the servers

-- The default gateway on the other servers is not set to the firewall inside IP

Can you verify the above possibilities and make sure that they are addressed. That should give us some idea on why it is not working.

Hope this helps.

Regards,

NT
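As an added illustration (not code from this thread or from Cisco), the following Python model replays the three pieces of configuration NT and grosvenornz exchanged above: the nat/global pairs that send each LAN out on its own public IP, the nat 0 exemption that keeps VPN traffic untranslated, and the static PAT lines that forward 3389/3394/3399 inbound. It encodes the order in which the pre-8.3 ASA NAT syntax used in this thread evaluates these rules (exemption first, then static, then dynamic pools). The public addresses 203.0.113.19/.234 are constructed stand-ins for the masked 2xx.xx.xx.19/.234, and 172.16.50.0/24 is an assumed remote VPN subnet since the thread never names one.

```python
# Added example, not the thread's own config: a small model of the pre-8.3
# ASA NAT order that NT's answers rely on. nat 0 (exemption) is checked
# first, then static entries (including static PAT port forwards), then the
# dynamic nat/global pools. Addresses are constructed stand-ins: 203.0.113.19
# and .234 replace the masked 2xx.xx.xx.19/.234, and 172.16.50.0/24 is an
# assumed remote VPN subnet (the thread does not give one).
from ipaddress import ip_address, ip_network

OUTSIDE_19, OUTSIDE_234 = "203.0.113.19", "203.0.113.234"
LAN_A, LAN_B = ip_network("192.168.100.0/24"), ip_network("10.10.100.0/24")
REMOTE_VPN = ip_network("172.16.50.0/24")   # assumed remote site subnet

# nat (inside) 0 access-list nonat -> (source, destination) pairs exempted
NONAT = [(LAN_A, REMOTE_VPN), (LAN_B, REMOTE_VPN)]
# nat (inside) N <subnet> + global (outside) N <ip> -> dynamic PAT pools
DYNAMIC = [(LAN_A, OUTSIDE_19), (LAN_B, OUTSIDE_234)]
# static (INSIDE,OUTSIDE) tcp <global> <gport> <local> <lport>
STATIC_PAT = {
    (OUTSIDE_19, 3389): ("192.168.100.14", 3389),
    (OUTSIDE_19, 3394): ("192.168.100.15", 3389),
    (OUTSIDE_19, 3399): ("192.168.100.16", 3389),
}
# reverse view of the statics: (local ip, local port) -> (global ip, port)
STATIC_BY_LOCAL = {local: glob for glob, local in STATIC_PAT.items()}

def outbound(src_ip, dst_ip, src_port=None):
    """Return (translated source IP, matching rule) for inside->outside."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for s_net, d_net in NONAT:                 # 1. exemption wins first
        if src in s_net and dst in d_net:
            return src_ip, "nat 0 (exempt)"
    for (l_ip, l_port), (g_ip, g_port) in STATIC_BY_LOCAL.items():
        if src_ip == l_ip and src_port == l_port:   # 2. static PAT
            return g_ip, f"static tcp {g_port}"
    for s_net, g_ip in DYNAMIC:                # 3. dynamic nat/global pair
        if src in s_net:
            return g_ip, f"nat/global -> {g_ip}"
    return None, "no translation (dropped)"

def inbound(dst_ip, dst_port):
    """Return the inside (ip, port) a new outside->inside TCP flow reaches,
    or None when no static entry exists (the ASA has nothing to forward to)."""
    return STATIC_PAT.get((dst_ip, dst_port))
```

Running outbound() for a host in 192.168.100.0/24 toward the VPN subnet versus toward an internet address shows why the same source leaves untranslated in one case and as .19 in the other; inbound() shows that only ports with a static entry have anywhere to go.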

Hi NT,

Just would like to thank you for your valuable inputs on this issue.  I've successfully migrated the site over to the new ASA5510, replacing the 3 aforementioned firewalls.

Cheers
