Cisco ASA 5510 Two public IP subnets

Answered Question
Sep 1st, 2011

Hi

I just got an extra public subnet from our ISP (co hosting center)

But I can't figure out how to use them on my ASA.

New:

IP addresses: 87.1.1.194 - 87.1.1.254

Default gateway: 87.1.1.193

Subnet mask: 255.255.255.192

Old:

IP addresses: 200.1.1.34 - 200.1.1.46

Default gateway: 200.1.1.33

Subnet mask: 255.255.255.240

Config:

route wan 0.0.0.0 0.0.0.0 200.1.1.33 1

And statics like:

static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255

Hope you understand :-)

/Kim

Correct Answer
Collin_Clark Thu, 09/01/2011 - 07:32

Kim-

Your ISP will route the new route to your link. You do not need to assign the new IP to any interface. You can create statics using the new address space and it will work because of the ISP sending the route down to you.

Example

static (interface,wan) tcp 87.1.1.194 80 192.168.3.109 80 netmask 255.255.255.255

kimilisecco Thu, 09/01/2011 - 08:38

Thanks for your fast reply!

Maybe they don't because I have tried that?

And create a dynamic NAT for outgoing traffic:

global (wan) 9 87.1.1.194 netmask 255.0.0.0

nat (local-interface) 9 192.168.3.75 255.255.255.255

anchacko Thu, 09/01/2011 - 07:33

Hi Kim,

The new route would be:

route wan 0.0.0.0 0.0.0.0 87.1.1.193 1

The static would be:

static (interface,wan) tcp 87.1.1.194 3389 192.168.3.100 3389 netmask 255.255.255.255

The outside IP address of the ASA will be:

ip address 255.255.255.192

Hope this helps!

Regards,

Anu

Collin_Clark Thu, 09/01/2011 - 07:35

Note this is an additional address space, Kim is not replacing her current one.

kimilisecco Thu, 09/01/2011 - 09:23

Collin Clark is right, I'm not going to replace my addresses.

But I'm not a female.

ulrikth74 Thu, 09/01/2011 - 13:44

I will listen in on this discussion as we have a similar problem.

We have an ASA with two public IP net. We are a RIPE LIR so we have a little more "control" over assigning the IP net.

Basically we made two IP net in our edge router. Each IP net is forwarded to the ASA on two different VLANs. We have made two outside interfaces on the ASA - one for each IP net (VLAN).

It is no secret that the ASA only supports one default gateway, so we route all traffic to the default gateway in the ASA. But when we do static NAT for a server on the second IP net, we would like the server to access the Internet with the static IP. For now, we didn't have success from the server to the Internet. But we can access the server from the outside on the static IP with e.g. RDP. So, there is some kind of traffic one way.

This is probably a NAT or routing issue because if we set the server to DHCP we have Internet access in and out immediately (of course on the default gateway).

Collin_Clark Thu, 09/01/2011 - 13:55

Ulrik-

You want to do Policy Based Routing (PBR), but the ASA doesn't support that yet (I heard it is coming though). The problem is that the server wants to use the default gateway instead of the static out your second subnet. You need a way to tell it to use that one instead of the default gateway.

ulrikth74 Thu, 09/01/2011 - 14:16

Hi Collin.

That would be very nice if Cisco implemented PBR on the ASA platform.

Actually we are in dialog with TAC who says it should be possible. They made some configuration today. A packet tracing and capture showed it should work as we wanted - but it didn't. I had to leave our office so we couldn't test more, but will continue on Monday.

/Ulrik

Sent from Cisco Technical Support iPhone App

kimilisecco Thu, 09/01/2011 - 23:14

Output from:

packet-tracer input local-interface tcp 192.168.3.75 5000 8.8.8.8 5000

Result:

input-interface: local-interface

input-status: up

input-line-status: up

output-interface: wan

output-status: up

output-line-status: up

Action: allow

kimilisecco Fri, 09/02/2011 - 02:52

Should I add a subinterface on the WAN interface?

I can get my ISP to route the range to my wan interface, but that's not what I want.

Because another company should have their own router on our connection. So that company can use some of our new addresses. And we can use the rest.

Collin_Clark Fri, 09/02/2011 - 05:41

The provider would have to provide trunking on their end. If they do, that will work.

kimilisecco Fri, 09/02/2011 - 09:22

Okay, that's not a good idea then.

Any more ideas why this is not working?

Collin_Clark Fri, 09/02/2011 - 11:59

So the old address space does not work with a static? Have you tried an outgoing PAT as a test?

kimilisecco Fri, 09/02/2011 - 12:41

It works fine:

static (local-interface,wan) tcp 200.1.1.36 smtp 192.168.3.25 smtp netmask 255.255.255.255

Outgoing PAT?

Like:

global (wan) 9 87.1.1.194

nat (local-interface) 9 192.168.3.75

?

kimilisecco Fri, 09/02/2011 - 12:54

I have set up a test server on 192.168.3.75 that has to use one of the new addresses.

So setting these commands:

global (wan) 9 87.1.1.195

nat (Servercentral) 9 192.168.3.75 255.255.255.255

But there is no link to the outside from the server.

creggerd Fri, 09/02/2011 - 17:52

Kim, first, your ISP needs to route the new address range to your circuit. Next, what do the routes on your router look like? If not running BGP it should look something like:

ip route (range 1) pointing to ASA

ip route (range 2) pointing to ASA

ip route 0.0.0.0 0.0.0.0 pointing to your ISP circuit

You mentioned someone else sharing that IP range, how did you plan on doing that? Are they another interface on your ASA or on the same router? If the same router, you'd have to split that range.

On the ASA you can do either a static translation or PAT like your other range.

Hope that helps.

Sent from Cisco Technical Support iPad App

kimilisecco Sat, 09/03/2011 - 01:12

I have:

Gateway of last resort is 200.1.1.33 to network 0.0.0.0

C    200.1.1.32 255.255.255.240 is directly connected, wan

S*   0.0.0.0 0.0.0.0 [1/0] via 200.1.1.33, wan

I have removed the directly connected routes to my interfaces in this output.

As a test we have set an L2 switch in front of our ASA, where their router is connected, and they can use some of our unused IPs from the old range. That works fine.

I hoped that it was that simple to use and split the new IP range.

kimilisecco Wed, 09/07/2011 - 04:37

Case closed!

The IP range the ISP gave me was wrong and will never work, they told me.

So I got a new range, and everything works!
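The thread turns on two separate checks: whether the public address in each `static`/`global` line is a usable host address inside a block the ISP assigned (Collin's answer and Kim's PAT lines), and whether the provider actually forwards that block to the circuit (creggerd's routing point, which is also why the thread ended the way it did). The script below is an added example written for this page, not Kim's configuration or Cisco's code; the two blocks and gateways are taken from the question, the sample config lines are reconstructed from the posts, and the list of prefixes the ISP routes towards the ASA is a constructed stand-in for what you would confirm with the provider.

```python
"""Sanity-check ASA 8.2-style NAT lines against the public ranges an ISP assigned.

Added example for this thread, not Kim's or Cisco's code. The address blocks
come from the question; the config lines are reconstructed from the posts.
"""

import ipaddress

# Public blocks as described in the question (network derived from the address
# range and mask Kim posted) and the gateway the ISP named for each block.
RANGES = {
    "old": (ipaddress.ip_network("200.1.1.32/28"), ipaddress.ip_address("200.1.1.33")),
    "new": (ipaddress.ip_network("87.1.1.192/26"), ipaddress.ip_address("87.1.1.193")),
}


def mapped_address(line):
    """Return the public (mapped) IP that a 'static' or 'global' line publishes.

    static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask m
    global (mapped_ifc) id mapped_ip [netmask m]
    Lines of any other kind (nat, route, ...) yield None.
    """
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] == "static":
        rest = tokens[2:]
        if rest and rest[0] in ("tcp", "udp"):
            rest = rest[1:]  # skip the protocol keyword; mapped_ip follows it
        return ipaddress.ip_address(rest[0])
    if tokens[0] == "global":
        return ipaddress.ip_address(tokens[3])
    return None


def classify(ip):
    """Say which ISP block an address falls in and whether it is usable there.

    Returns (range_name, problem); problem is None for a plain host address.
    """
    ip = ipaddress.ip_address(ip)
    for name, (net, gateway) in RANGES.items():
        if ip not in net:
            continue
        if ip == net.network_address:
            return name, "network address"
        if ip == net.broadcast_address:
            return name, "broadcast address"
        if ip == gateway:
            return name, "gateway address"
        return name, None
    return None, "outside both ISP ranges"


def audit(config_lines):
    """Run every static/global line through classify(); returns a list of dicts."""
    report = []
    for line in config_lines:
        ip = mapped_address(line)
        if ip is None:
            continue
        name, problem = classify(ip)
        report.append({"line": line, "mapped_ip": str(ip), "range": name, "problem": problem})
    return report


def reachable_from_internet(block_name, isp_routed_prefixes):
    """The point Collin and creggerd make: a block only works if the provider
    forwards it to your circuit. isp_routed_prefixes is the constructed list of
    prefixes the ISP (or your own edge router) actually routes towards the ASA."""
    net = RANGES[block_name][0]
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in isp_routed_prefixes)


# Reconstructed from the lines posted in the thread.
POSTED_LINES = [
    "static (local-interface,wan) tcp 200.1.1.36 smtp 192.168.3.25 smtp netmask 255.255.255.255",
    "static (interface,wan) tcp 87.1.1.194 80 192.168.3.109 80 netmask 255.255.255.255",
    "global (wan) 9 87.1.1.195",
    "nat (Servercentral) 9 192.168.3.75 255.255.255.255",
]

if __name__ == "__main__":
    for entry in audit(POSTED_LINES):
        status = entry["problem"] or "ok"
        print(f"{entry['mapped_ip']:<14} {entry['range'] or '-':<4} {status:<24} {entry['line']}")
    # The thread's outcome, modelled: the ISP never routed 87.1.1.192/26 to the
    # circuit, so the NAT lines were valid but nothing on the Internet could reach them.
    print("new block routed by ISP:", reachable_from_internet("new", ["200.1.1.32/28"]))
```

The audit passes every posted line, which is consistent with the resolution: the ASA configuration was never the problem, the missing piece was the provider's route for the second block, and no amount of `static`, `global` or `packet-tracer` on the ASA can show that.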

This Discussion

Posted September 1, 2011 at 7:29 AM
Stats:
Replies:22 Avg. Rating:5
Views:5578 Votes:0
Shares:0
Tags: asa_5510