Solved: Cisco ASA 5510 Two public IP subnets

kimilisecco · ‎09-01-2011

Hi

I just got an extra public subnet from our ISP (co hosting center)

But I can't figure out how to use them on my ASA.

New:

IP-adresses: 87.1.1.194 - 87.1.1.254

Default gateway: 87.1.1.193

Subnetmask: 255.255.255.192

Old:

IP-adresses: 200.1.1.34 - 200.1.1.46

Default gateway: 200.1.1.33

Subnetmask: 255.255.255.240

Config:

route wan 0.0.0.0 0.0.0.0 200.1.1.33 1

And statics like:

static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255

Hope you understand :-)

/Kim

Collin Clark · ‎09-01-2011

Kim-

Your ISP will route the new route to your link. You do not need to assign the new IP to any interface. You can create statics using the new address space and it will work because of the ISP sending the route down to you.

Example

static (interface,wan) tcp 87.1.1.194 80 192.168.3.109 80 netmask 255.255.255.255

View solution in original post

Collin Clark · ‎09-01-2011

Kim-

Your ISP will route the new route to your link. You do not need to assign the new IP to any interface. You can create statics using the new address space and it will work because of the ISP sending the route down to you.

Example

static (interface,wan) tcp 87.1.1.194 80 192.168.3.109 80 netmask 255.255.255.255

kimilisecco · ‎09-01-2011

Thanks for your fast reply!

Maybe they don't because I have tried that?

And create a dynamic nat for outgoing trafic:

global (wan) 9 87.1.1.194 netmask 255.0.0.0

nat (local-interface) 9 192.168.3.75 255.255.255.255

Anu M Chacko · ‎09-01-2011

Hi Kim,

The new route would be:

route wan 0.0.0.0 0.0.0.0 87.1.1.193 1

The static would be:

static (interface,wan) tcp 87.1.1.194 3389 192.168.3.100 3389 netmask 255.255.255.255

The outside IP address of the ASA will be:

ip address 255.255.255.192

Hope this helps!

Regards,

Anu

Collin Clark · ‎09-01-2011

Note this is an additional address space, Kim is not replacing her current one.

kimilisecco · ‎09-01-2011

Collin Clark is right I'm not going to replace my addresses.

But I'm not a female

Collin Clark · ‎09-01-2011

So sorry Kim, I should not have made that assumption.

Ulrik Thorup · ‎09-01-2011

I will listen in on this discussion as we have a similar problem.

We have an ASA with two public IP net. We are a RIPE LIR so we have a little more "control" over assigning the IP net.

Basically we made two IP net in our edge router. Each IP net is forwarded to the ASA on two different VLANs. We have made two outside interfaces on the ASA - one for each IP net (VLAN).

It is no secret that the ASA only support one default gateway, so we route all traffic to the default gateway in the ASA. But when we do static NAT for a server on the second IP net, we would like the server to access the Internet with the static IP. For now, we didn't have success from the server to the Internet. But we can access the server from the outside on the static IP with eg. RDP. So, there is some kind of traffic one way.

This is probably a NAT or routing issue because if we set the server to DHCP we have Internet access in and out immediately (of course on the default gateway).

Collin Clark · ‎09-01-2011

Ulrik-

You want to do Policy Based Routing (PBR), but he ASA doesn't support that yet (I heard it is coming though). The problem is that the server wants to use the default gateway instead of the static out your second subnet. You need a way to tell it to use that that one instead of the default gateway.

Ulrik Thorup · ‎09-01-2011

Hi Collin.

That would be very nice if Cisco implemented PBR on the ASA platform

Actually we are in dialog with TAC who says it should possible. They made some configuration today. A packet tracing and capture showed it should work as we wanted - but it didn't. I had to leave our office so we couldn't test more, but will continue on Monday.

/Ulrik

Sent from Cisco Technical Support iPhone App

kimilisecco · ‎09-01-2011

Output from:

packet-tracer input local-interface tcp 192.168.3.75 5000 8.8.8.8 5000

Result:

input-interface: local-interface

input-status: up

input-line-status: up

output-interface: wan

output-status: up

output-line-status: up

Action: allow

kimilisecco · ‎09-02-2011

Should I add a subinterface on the WAN interface?

I can get my ISP to route the range to my wan interface, but that not what I want.

Because another company should have thier own router on our connetion. So that company can use some of our new addresses. And we can use the rest.

Collin Clark · ‎09-02-2011

The provider would have to provide trunking on their end. If they do that will work.

kimilisecco · ‎09-02-2011

Okay, thats not a good idea then.

Any more ideas why this not working?

Collin Clark · ‎09-02-2011

So the old address space does not work with a static? Have you tried an outgoing pat as a test?