08-04-2010 02:22 AM - edited 03-11-2019 11:20 AM
Hello all,
following problem:
I'm replacing an IPCOP FW with a Cisco 5505. On the IPCOP there is the Outside Interface with the ISP and an alias Interface (on the Outside) with a second (different) IP Range from the same provider, routed to the official IP of the Firewall.
I bought the Security Plus License, but I'm still not sure how to configure this on the ASA.
Config of the IPCOP:
-----------------------------
eth1 Link encap:Ethernet HWaddr 00:30:18:4A:17:9B
inet addr:1.1.1.1 Bcast:1.1.1.3 Mask:255.255.255.252
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:72545428 errors:0 dropped:0 overruns:0 frame:0
TX packets:51344517 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1451738029 (1384.4 MB) TX bytes:3806884674 (3630.5 MB)
Interrupt:10 Base address:0x4000
eth1:0 Link encap:Ethernet HWaddr 00:30:18:4A:17:9B
inet addr:2.2.2.1 Bcast:1.1.1.3 Mask:255.255.255.252
UP BROADCAST RUNNING MTU:1500 Metric:1
Interrupt:10 Base address:0x4000
eth1:1 Link encap:Ethernet HWaddr 00:30:18:4A:17:9B
inet addr:2.2.2.2 Bcast:1.1.1.3 Mask:255.255.255.252
UP BROADCAST RUNNING MTU:1500 Metric:1
Interrupt:10 Base address:0x4000
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.1.1.1 0.0.0.0 255.255.255.252 U 0 0 0 eth1
2.2.2.1 0.0.0.0 255.255.255.252 U 0 0 0 eth1
2.2.2.2 0.0.0.0 255.255.255.252 U 0 0 0 eth1
0.0.0.0 1.1.1.2 0.0.0.0 UG 0 0 0 eth1
Can somebody please help me with this?
I'm pretty new on the Cisco ASAs. :-(
Best Regards
08-04-2010 03:08 AM
You don't really have to configure anything to route the second range of public ip subnet to your ASA. As long as you route the second public range towards the ASA outside interface ip address, that would do.
Then you can use the second public address range for NATing, etc, etc, and the ASA will proxy ARP for those address range once you configured them.
Hope that helps.
08-04-2010 03:36 AM
Hi,
can you please give me a short example?
Do you mean that I need to route 2.2.2.1, for example, to the public IP of the ASA (outside interface)?
thank you
08-04-2010 05:33 AM
Yes, you are absolutely correct.
Here is a sample topology:
10.1.1.1 - inside (ASA) outside - 200.1.1.1 -- 200.1.1.2 gateway router -- Internet
From the above sample topology, say if you have a second public range of 100.1.1.0/24, you would need to configure the gateway router with the following route:
ip route 100.1.1.0 255.255.255.0 200.1.1.1
Hope that helps.
08-04-2010 08:20 AM
Hi,
that helps.
How would the NATting look?
We only need to allow one special official IP to access those from the second IP range. There will be no redirect to any inside IP.
So this has to be from the outside to outside, but I guess this will cause some problems.
thank you
08-04-2010 08:23 AM
I'm sorry. There will be a redirect to the inside.
So this should work like this:
outside -> inside -> destination one of the second IP range -> static -> to the inside host
Am I right?
thx
08-04-2010 08:32 AM
From the above topology, if your internal server is 10.1.1.5, and you would need to NAT it to the second range of IP on 100.1.1.5, here would be the NAT configuration:
static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255
And you would also need to configure the ACL accordingly for inbound access on the outside access-list.
08-04-2010 08:41 AM
08-04-2010 08:44 AM
forgot: unidirectional not in both directions
08-04-2010 08:46 AM
Oh OK, so it's ASA version 8.3 that you have.
NATing is normally done from the direction of inside host, and static NAT works bidirectionally.
So from your ASDM, it should be as follows:
Match Criteria: Original Packet
Source Interface: Inside
Source Address: 10.1.1.5
Destination Interface: Outside
Destination Address: leave blank
Destination Service: leave blank
Action: Translated Packet
Source Address: 100.1.1.5
Destination Address: leave blank
And pls make it bidirectional.
08-04-2010 08:54 AM
OK.
But I only need the one official host to connect to the second IP range. In that case, is my configuration working or not (if bidirectional)?
08-04-2010 08:56 AM
Yes, it will.
Basically, if you only want access from 1 specific host (eg: 8.8.8.8), then you would configure that on the access-list to only allow 8.8.8.8 to access that server.
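For readers who want the CLI form of the ASDM rule and the host-restricted ACL described in this thread, here is an added example (not posted by anyone in the thread) using the sample addresses from the discussion (10.1.1.5, 100.1.1.5, 8.8.8.8); the object name `srv-inside`, the ACL name `outside_in` and TCP/21 as the service are assumptions.

```cisco
! Added example, not from the thread: ASA 8.3+ CLI equivalent of the ASDM
! NAT rule above. Assumed names: object "srv-inside", access-list "outside_in".
!
! Real (inside) host translated to 100.1.1.5 from the second public range.
! Object NAT "static" is bidirectional: inbound connections to 100.1.1.5 are
! untranslated to 10.1.1.5, and the ASA proxy-ARPs for 100.1.1.5 on outside.
object network srv-inside
 host 10.1.1.5
 nat (inside,outside) static 100.1.1.5
!
! Inbound ACL. From 8.3 onwards the ACL matches the REAL address
! (10.1.1.5, referenced via the object), not the translated 100.1.1.5.
! Only the single permitted outside host may reach it; TCP/21 is assumed
! here because that is the port shown in the denied-connection log below.
access-list outside_in extended permit tcp host 8.8.8.8 object srv-inside eq 21
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Verification: check the translation and trace an inbound packet.
show nat detail
show xlate
packet-tracer input outside tcp 8.8.8.8 51821 100.1.1.5 21
```

The packet-tracer output should show the UN-NAT phase mapping 100.1.1.5 to 10.1.1.5 and the ACL phase permitting the flow; a DROP in the ACL phase usually means the ACL still references the translated address.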
08-08-2010 11:29 PM
Hi,
it didn't work out.
I set the routing for the second range to the firewall IP of the ASA, made the static NAT (as described above) and the ACLs (on the outside interface incoming to the inside IP).
Maybe it's an ARP problem. Or does somebody else have an idea?
Right now I'm getting the following error message:
2 Aug 09 2010 08:26:36 106001 8.8.8.8 (allowed ip) 51821 2.2.2.1 21 Inbound TCP connection denied from 8.8.8.8/51821 to 2.2.2.1/21 flags SYN on interface outside
best regards
08-09-2010 12:14 AM
Hi,
I found the error. It was the direction of the NAT, as described above. First use the inside to outside direction!
But OK. Right now the connection from outside is working.
Thanks.
08-09-2010 12:58 AM
Hi,
one more thing.
It's not possible to ping one of the "alias" IPs, neither from outside nor from inside.
I'm getting the following error code from the outside:
Deny inbound icmp src outside: xxx.xxx.xxx.xxx dst outside:2.2.2.1 (type 8, code 0)
There are ACLs that allow incoming ICMP requests on the outside interface.
How can I solve this issue?