Cisco ASA 5505 one ISP two different Ranges

Aug 4th, 2010
Hello all,


Following problem:

I'm replacing an IPCOP FW with a Cisco 5505. On the IPCOP there is the outside interface with the ISP and an alias interface (on the outside) with a second (different) IP range from the same provider, routed to the official IP of the firewall.


I bought the Security Plus License, but I'm still not sure how to configure this on the ASA.


Config of the IPCOP:

-----------------------------

eth1      Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:1.1.1.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:72545428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51344517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1451738029 (1384.4 MB)  TX bytes:3806884674 (3630.5 MB)
          Interrupt:10 Base address:0x4000


eth1:0    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000


eth1:1    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.2  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.1.1.1   0.0.0.0         255.255.255.252 U     0      0        0 eth1

2.2.2.1  0.0.0.0         255.255.255.252 U     0      0        0 eth1
2.2.2.2  0.0.0.0         255.255.255.252 U     0      0        0 eth1
0.0.0.0  1.1.1.2   0.0.0.0         UG    0      0        0 eth1


Can somebody please help me with this?

I'm pretty new on the Cisco ASA's. :-(


Best Regards

Jennifer Halim Wed, 08/04/2010 - 03:08
User Badges:
  • Cisco Employee,

You don't really have to configure anything to route the second range of public IP subnet to your ASA. As long as you route the second public range towards the ASA outside interface IP address, that will do.

Then you can use the second public address range for NATing, etc., and the ASA will proxy ARP for those addresses once you have configured them.

Hope that helps.

mceight_eight Wed, 08/04/2010 - 03:36

Hi,

can you please give me a short example?

Do you mean that I need to route 2.2.2.1, for example, to the public IP of the ASA (outside interface)?

Thank you

Jennifer Halim Wed, 08/04/2010 - 05:33
User Badges:
  • Cisco Employee,

Yes, you are absolutely correct.


Here is a sample topology:


10.1.1.1 - inside (ASA) outside - 200.1.1.1 -- 200.1.1.2 gateway router -- Internet


From the above sample topology, say if you have a second public range of 100.1.1.0/24, you would need to configure the gateway router with the following route:

ip route 100.1.1.0 255.255.255.0 200.1.1.1


Hope that helps.

mceight_eight Wed, 08/04/2010 - 08:20

Hi,

that helps.

How would the NATting look?

We only need to allow one special official IP to access those from the second IP range. There will be no redirect to any inside IP.

So this has to be from the outside to outside, but I guess this will cause some problems.

Thank you

mceight_eight Wed, 08/04/2010 - 08:23

I'm sorry. There will be a redirect to the inside.


So this should work like this:


outside -> inside -> destination one of the second IP range -> static -> to the inside host


Am I right?


Thanks

Jennifer Halim Wed, 08/04/2010 - 08:32
User Badges:
  • Cisco Employee,

From the above topology, if your internal server is 10.1.1.5 and you need to NAT it to the second range of IP on 100.1.1.5, here would be the NAT configuration:


static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255


And you would also need to configure the ACL accordingly for inbound access on the outside access-list.

Jennifer Halim Wed, 08/04/2010 - 08:46
User Badges:
  • Cisco Employee,

Oh OK, so it's ASA version 8.3 that you have.


NATing is normally done from the direction of inside host, and static NAT works bidirectionally.

So from your ASDM, it should be as follows:

Match Criteria: Original Packet

Source Interface: Inside
Source Address: 10.1.1.5


Destination Interface: Outside
Destination Address: leave blank
Destination Service: leave blank


Action: Translated Packet
Source Address: 100.1.1.5
Destination Address: leave blank


And please make it bidirectional.

mceight_eight Wed, 08/04/2010 - 08:54

OK.

But I only need the one official host to connect to the second IP range. In that case, is my configuration working or not (if bidirectional)?

Jennifer Halim Wed, 08/04/2010 - 08:56
User Badges:
  • Cisco Employee,

Yes, it will.

Basically, if you only want access from 1 specific host (e.g. 8.8.8.8), then you would configure that on the access-list to only allow 8.8.8.8 to access that server.
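The pieces discussed in the replies above (the gateway route, the 8.2-style `static`, the 8.3 bidirectional object NAT, and the ACL that admits only 8.8.8.8) pulled together into one configuration, as an added example that is not from any of the posters. It uses the sample topology from the earlier reply; the object and ACL names are assumptions, and the FTP port is taken from the denied-connection log line quoted later in the thread.

```cisco
! --- Gateway router (Cisco IOS), from the sample topology above ---
! Send the whole second public range to the ASA outside address.
! The ASA then proxy-ARPs for the addresses it NATs within that range.
ip route 100.1.1.0 255.255.255.0 200.1.1.1

! --- ASA 8.3 and later (object NAT) ---
! Object names are assumptions for this example.
object network INSIDE-SERVER
 host 10.1.1.5
object network SERVER-PUBLIC
 host 100.1.1.5
object network ALLOWED-CLIENT
 host 8.8.8.8

! Static NAT is written from the inside host's point of view and is
! bidirectional: 10.1.1.5 appears as 100.1.1.5 on the outside.
object network INSIDE-SERVER
 nat (inside,outside) static SERVER-PUBLIC

! In 8.3+ an interface ACL references the real (untranslated) inside
! address, not the mapped 100.1.1.5. Only 8.8.8.8 may reach the server;
! port 21 (ftp) is assumed from the denied connection shown later in the thread.
access-list OUTSIDE-IN extended permit tcp object ALLOWED-CLIENT object INSIDE-SERVER eq ftp
access-group OUTSIDE-IN in interface outside

! --- Equivalent on ASA 8.2 and earlier ---
! Here the interface ACL matches the mapped (public) address instead.
static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp host 8.8.8.8 host 100.1.1.5 eq ftp
access-group OUTSIDE-IN in interface outside
```

To check the result before testing from the real client, `show nat` lists the translation and `packet-tracer input outside tcp 8.8.8.8 51821 100.1.1.5 21` walks an inbound packet through the route, NAT and ACL phases on the ASA and reports where it would be dropped. Note the 8.3 rule also covers the bidirectional requirement: the same object NAT lets 10.1.1.5 initiate outbound connections sourced from 100.1.1.5.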

mceight_eight Sun, 08/08/2010 - 23:29

Hi,

it didn't work out.

I set the routing for the second range to the firewall IP of the ASA, made the static NAT (as described above) and the ACLs (on the outside interface, incoming to the inside IP).

Maybe it's an ARP problem. Or does somebody else have an idea?


Right now I'm getting the following error message:



2    Aug 09 2010    08:26:36    106001    8.8.8.8 (allowed ip)    51821    2.2.2.1    21    Inbound TCP connection denied from 8.8.8.8/51821 to 2.2.2.1/21 flags SYN  on interface outside



Best regards

mceight_eight Mon, 08/09/2010 - 00:14

Hi,


I found the error. It was the direction of the NAT, as described above. First use the inside to outside direction!

But OK. Right now the connection from outside is working.


Thanks.

mceight_eight Mon, 08/09/2010 - 00:58

Hi,

one more thing.

It's not possible to ping one of the "alias" IPs, neither from outside nor from inside.

I'm getting the following error code from the outside:


Deny inbound icmp src outside: xxx.xxx.xxx.xxx dst outside:2.2.2.1 (type 8, code 0)


There are ACLs that allow incoming ICMP requests on the outside interface.

How can I solve this issue?
