Cisco ASA 5505: one ISP, two different ranges

mceight_eight
Level 1

Hello all,

following problem:

I'm replacing an IPCop firewall with a Cisco ASA 5505. On the IPCop there is the outside interface with the ISP and an alias interface (on the outside) with a second (different) IP range from the same provider, routed to the official IP of the firewall.

I bought the Security Plus license, but I'm still not sure how to configure this on the ASA.

Config of the IPCOP:

-----------------------------

eth1      Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:1.1.1.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:72545428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51344517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1451738029 (1384.4 MB)  TX bytes:3806884674 (3630.5 MB)
          Interrupt:10 Base address:0x4000

eth1:0    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000

eth1:1    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.2  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.1.1.1         0.0.0.0         255.255.255.252 U     0      0        0 eth1
2.2.2.1         0.0.0.0         255.255.255.252 U     0      0        0 eth1
2.2.2.2         0.0.0.0         255.255.255.252 U     0      0        0 eth1
0.0.0.0         1.1.1.2         0.0.0.0         UG    0      0        0 eth1

Can somebody please help me with this?

I'm pretty new to Cisco ASAs. :-(

Best Regards

14 Replies

Jennifer Halim
Cisco Employee

You don't really have to configure anything to route the second public IP range to your ASA. As long as you route the second public range towards the ASA outside interface IP address, that will do.

Then you can use the second public address range for NATing, etc., and the ASA will proxy ARP for that address range once you have configured it.

Hope that helps.

Hi,

can you please give me a short example?

Do you mean that I need to route 2.2.2.1, for example, to the public IP of the ASA (outside interface)?

Thank you

Yes, you are absolutely correct.

Here is a sample topology:

10.1.1.1 - inside (ASA) outside - 200.1.1.1 -- 200.1.1.2 gateway router -- Internet

From the above sample topology, say you have a second public range of 100.1.1.0/24; you would then need to configure the gateway router with the following route:

ip route 100.1.1.0 255.255.255.0 200.1.1.1

Hope that helps.

Hi,

that helps.

How would the NATing look?

We only need to allow one particular official IP to access those from the second IP range. There will be no redirect to any inside IP.

So this has to be from the outside to the outside, but I guess this will cause some problems.

Thank you

I'm sorry, there will be a redirect to the inside.

So this should work like this:

outside -> inside -> destination one of the second IP range -> static -> to the inside host

Am I right?

Thx

From the above topology, if your internal server is 10.1.1.5 and you need to NAT it to the second range of IPs as 100.1.1.5, here would be the NAT configuration:

static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255

And you would also need to configure the ACL accordingly for inbound access in the outside interface's access-list.

Hi,

attached is the way I think the NATing needs to be configured via ASDM.

The ACL is clear! :-)

Thx

Forgot: unidirectional, not in both directions.

Oh OK, so it's ASA version 8.3 that you have.

NATing is normally done from the direction of the inside host, and static NAT works bidirectionally.

So from your ASDM, it should be as follows:

Match Criteria: Original Packet

Source Interface: Inside
Source Address: 10.1.1.5

Destination Interface: Outside
Destination Address: leave blank
Destination Service: leave blank

Action: Translated Packet
Source Address: 100.1.1.5
Destination Address: leave blank

And please make it bidirectional.

OK.

But I only need the one official host to connect to the second IP range. In that case, is my configuration working or not (if bidirectional)?

Yes, it will.

Basically, if you only want access from one specific host (e.g. 8.8.8.8), then you would configure the access-list to only allow 8.8.8.8 to access that server.
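The route, the static NAT and the single-host ACL from the replies above, written out as an added example (this is not configuration posted in the thread). Addresses are the sample topology used in the replies (inside server 10.1.1.5, mapped address 100.1.1.5, ASA outside 200.1.1.1, gateway router 200.1.1.2, allowed host 8.8.8.8); the interface names `inside`/`outside`, the object name, the ACL name `outside_in` and the service tcp/21 are assumptions. Both the pre-8.3 syntax that the reply gives and the 8.3+ object-NAT form the ASDM steps describe are shown, since the poster is on 8.3 and the two differ in which address the ACL must reference:

```cisco
! Added example, not from the thread. Interface names, object name, ACL name
! and tcp/21 are assumptions; addresses are the sample topology in the replies.

! --- Gateway router (IOS): hand the second public range to the ASA outside IP
ip route 100.1.1.0 255.255.255.0 200.1.1.1

! --- ASA 8.2 and earlier: mapped address in the static AND in the ACL
static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list outside_in extended permit tcp host 8.8.8.8 host 100.1.1.5 eq 21
access-group outside_in in interface outside

! --- ASA 8.3 and later: object NAT written inside-to-outside (the direction
! the ASDM steps above insist on); static object NAT is bidirectional, so the
! inbound flow from 8.8.8.8 to 100.1.1.5 is untranslated to 10.1.1.5.
! From 8.3 the interface ACL must name the REAL address, not the mapped one.
object network SRV_10_1_1_5
 host 10.1.1.5
 nat (inside,outside) static 100.1.1.5
access-list outside_in extended permit tcp host 8.8.8.8 host 10.1.1.5 eq 21
access-group outside_in in interface outside

! --- Checks on the ASA
! Simulate the inbound SYN; the output names the phase (ROUTE-LOOKUP, ACCESS-LIST,
! NAT, ...) where the packet is dropped instead of a bare 106001 syslog.
packet-tracer input outside tcp 8.8.8.8 51821 100.1.1.5 21
! translate_hits / untranslate_hits must increase for the object rule
show nat detail
show xlate

! --- Check on the gateway router: the ASA must proxy-ARP for the mapped address,
! so 100.1.1.5 should resolve to the MAC of the ASA outside interface
show ip arp 100.1.1.5
```

The single-host restriction lives only in `outside_in`: the object NAT rule itself is reachable from any outside source, so a `permit ip any host 10.1.1.5` here would expose the server to the whole Internet on every port. Keep the ACL to the one source and the one service, and re-run `packet-tracer` from a source other than 8.8.8.8 to confirm the ACCESS-LIST phase drops it.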

Hi,

it didn't work out.

I set the routing for the second range to the firewall IP of the ASA, made the static NAT (as described above) and the ACLs (on the outside interface, incoming to the inside IP).

Maybe it's an ARP problem. Or does somebody else have an idea?

Right now I'm getting the following error message:

2    Aug 09 2010    08:26:36    106001    8.8.8.8 (allowed ip)    51821    2.2.2.1    21    Inbound TCP connection denied from 8.8.8.8/51821 to 2.2.2.1/21 flags SYN  on interface outside

Best regards

Hi,

I found the error. It was the direction of the NAT, as described above. First use the inside to outside direction!

But OK. Right now the connection from outside is working.

Thanks.

Hi,

one more thing.

It's not possible to ping one of the "alias" IPs, neither from outside nor from inside.

I'm getting the following error from the outside:

Deny inbound icmp src outside: xxx.xxx.xxx.xxx dst outside:2.2.2.1 (type 8, code 0)

There are ACLs that allow incoming ICMP requests on the outside interface.

How can I solve this issue?
