ASA5505 - two public IP networks?

Aug 26th, 2010

Hi

I am in a somewhat exotic scenario, and trying to figure out if what I want is possible.


We are allocated a public network: 192.87.30.0/24.


We have got two networks : Office (192.87.30.128/26) and Dev (192.87.30.192/26). Both networks include their own gateways. We do not run any NAT whatsoever.

I have bought an ASA 5505 and would like to set it up so that remote users can set up a VPN using AnyConnect, and that they get put in one of the two networks. (Note: this could be a choice upon connection, but I already confirmed that I can use our Radius server to force this based on specific group membership.)


My first 'problem' is that we do not have any concept of 'inside' or 'outside' networks, everything is public IP, and computers are protected by access lists on our Cat3750.

I started by picking one of our two networks and designating that as 'office' (instead of 'internal'), assigned a free IP in that network, made sure it was reachable from the internet. For this I had to set up a static route to the Office gateway (192.87.30.129). After setting up the certificates etc I was able to log in with the AnyConnect client. The client then also uses 192.87.30.129 as the default gateway. So far so good.


Now I add another VLAN interface for use with the Dev network. I also assign a free IP from that network. Now I am stuck. If I connect to that IP my traffic is routed via the other network because of the static routes.


My question is hence: is it possible to connect the ASA to two different public networks, have clients connect to it, and have all their traffic run through those networks?


I hope my story makes sense, if not please ask ;-)


Thanks

Nagaraja Thanthry (Cisco Employee) Thu, 08/26/2010 - 06:04

Hello,


Can you please draw up a simple network diagram explaining the way things are connected?


Regards,


NT

Atri Basu (Cisco Employee) Thu, 08/26/2010 - 06:13

Hey Dyonisius,


Please provide a network diagram indicating how your network is set up and how you would like the clients to connect.


Regards,

Atri

dyonisiusnmvisser Thu, 08/26/2010 - 07:52

This is what I would like to do. Two networks connected to the ASA. I pick one address for users to connect to: 192.87.30.199.

I would like them to be able to use one of the two networks and tunnel all their traffic through it.

Nagaraja Thanthry (Cisco Employee) Thu, 08/26/2010 - 07:54

Hello,


Will the ASA have another public IP (other than the two interfaces shown)?


Regards,


NT

dyonisiusnmvisser Thu, 08/26/2010 - 08:16

If needed yes, we could give it a 3rd IP address.

However, I think we would have to buy the Security Plus license because now only 2 VLANs are supported.

That is part of the reason I'm asking because if I can get it to work with the base license it would be better...

Nagaraja Thanthry (Cisco Employee) Thu, 08/26/2010 - 11:11

Hello,


Do these two subnets need to talk to each other? If no, then you do not need to worry about the Security Plus license.


Regards,


NT

Atri Basu (Cisco Employee) Thu, 08/26/2010 - 10:22

Hey,


So from what I understand you have 2 kinds of users: user D (dev) and user O (office), and you have the following requirement:

1. When D connects to 192.87.30.199 you want this user to be able to access only the 192.87.30.192/26 network.

2. When O connects to 192.87.30.199 you want this user to be able to access only the 192.87.30.128/26 network.


If my understanding is correct then this should be fairly simple. As you mentioned, you can use DAP to restrict which tunnel group a user connects to. So create 2 separate tunnel groups, viz. tunnel-group D and tunnel-group O. Define 2 separate group policies, one for each of the tunnel groups. Under the group policy for D define a split-tunnel access list which only allows access to 192.87.30.192, and for O define one that only allows access to 192.87.30.128. For more information on how to configure split tunneling please refer to the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#maintask1


Although this link describes the process for IPsec clients, the steps are the same for AnyConnect.


Having said this, I would say that to get optimal usage out of the ASA you should use a topology that looks something like this:

Alternatively you can get a Security Plus licence, create two separate VLANs for the two networks and use one interface as the outside interface. This would be the best way to design the network.


Regards,

Atri.

dyonisiusnmvisser Thu, 08/26/2010 - 11:10

> 1. When D connects to 192.87.30.199 you want this user to be able to access only the 192.87.30.192/26 network.

> 2. When O connects to 192.87.30.199 you want this user to be able to access only the 192.87.30.128/26 network.


Sort of.


When D connects to 192.87.30.199 he should be allowed access to 192.87.30.192/26, but have all the other traffic tunneled through the default gw of that network, which is 192.87.30.193.


When O connects to 192.87.30.199 he should be allowed access to 192.87.30.128/26, but have all the other traffic tunneled through the default gw of that network, which is 192.87.30.129.


And I already asked permission to buy the Security Plus license. The mentioned networks are already VLANs on our Catalyst 3750, so with the Security Plus license it might even be possible to create a trunk. Will let you guys know.


Another issue is that we also have public IPv6 address space, and the mentioned split-tunnel setup would not work as this is not (yet) supported in ASA 8.3.2. So the VLAN setup would indeed be mandatory.


Thanks

Atri Basu (Cisco Employee) Thu, 08/26/2010 - 12:05

For VPN clients there is no way to push a default gateway. If you look at the VPN adapter you will see a default gateway configured; this is normally the first IP in the subnet to which the address pool belongs.


What you could try is configuring `vlan` under the group policy for each tunnel group. This defines the egress VLAN for all traffic belonging to that group, so if you already have two separate VLANs configured you can define the correct egress VLAN for the correct tunnel group. For more information regarding that command please refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1560213


Regards

Atri.
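To make the two suggestions in this thread concrete (the per-group split-tunnel ACLs proposed above, and the `vlan` group-policy attribute in the reply just before this), here is an added ASA 8.3-style configuration fragment. It is not from the original thread or from Cisco; the interface names `office` and `dev`, the VLAN IDs 1 and 2, the address pool ranges, the AAA server group name `RADIUS`, and the tunnel-group/group-policy names are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumptions: Vlan1 is nameif "office"
! (192.87.30.128/26), Vlan2 is nameif "dev" (192.87.30.192/26), a RADIUS
! aaa-server group named RADIUS already exists, and AnyConnect is already
! enabled on the interface that holds 192.87.30.199.

! Address pools: there is no NAT in this network, so the pool addresses must
! be reachable from the rest of the /26 (the ranges below are assumptions).
ip local pool POOL_OFFICE 192.87.30.180-192.87.30.189 mask 255.255.255.192
ip local pool POOL_DEV    192.87.30.240-192.87.30.249 mask 255.255.255.192

! Split-tunnel ACLs: each group only sends its own /26 through the tunnel.
! Replace with "split-tunnel-policy tunnelall" below if everything must be tunneled.
access-list SPLIT_OFFICE standard permit 192.87.30.128 255.255.255.192
access-list SPLIT_DEV    standard permit 192.87.30.192 255.255.255.192

! Group policy for office users: split tunnel + egress VLAN 1.
group-policy GP_OFFICE internal
group-policy GP_OFFICE attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_OFFICE
 address-pools value POOL_OFFICE
 vlan 1

! Group policy for dev users: split tunnel + egress VLAN 2.
group-policy GP_DEV internal
group-policy GP_DEV attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DEV
 address-pools value POOL_DEV
 vlan 2

! One tunnel group per network, both authenticating against RADIUS.
tunnel-group TG_OFFICE type remote-access
tunnel-group TG_OFFICE general-attributes
 authentication-server-group RADIUS
 default-group-policy GP_OFFICE
tunnel-group TG_OFFICE webvpn-attributes
 group-alias office enable

tunnel-group TG_DEV type remote-access
tunnel-group TG_DEV general-attributes
 authentication-server-group RADIUS
 default-group-policy GP_DEV
tunnel-group TG_DEV webvpn-attributes
 group-alias dev enable

! Show the aliases in the AnyConnect group drop-down; a RADIUS-returned
! group policy (or DAP) can override the user's choice.
webvpn
 tunnel-group-list enable
```

Two caveats for anyone copying this. First, `vpn-tunnel-protocol svc` is the 8.3 keyword; later releases spell it `ssl-client`. Second, `vlan` only selects which VLAN a session's traffic leaves through; it does not give that group its own default route, so it does not by itself meet the "all other traffic via that network's gateway" requirement described earlier in the thread, which is what the thread's final reply reports.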

dyonisiusnmvisser Mon, 09/06/2010 - 02:47

This does not work unfortunately.

I would like to put users into different VLANs, which works fine, but I also want the default gateway to be the one of that VLAN, which is not supported by Cisco.

Someone else ran into this as well:


https://supportforums.cisco.com/thread/2014994


I will have to buy an ASA for each VLAN.
