Adding a second global address for another IP range on ASA

Hi all, I'm trying to add a second global address to my ASA 5510 (version 8.0(2)) for clients on a specific subnet.  Since it's production I'd rather not experiment.  I'd like anyone with a 10.255.255.x address to get the 172.16.0.1 (sanitized, obviously) public address.  Will adding this work? 

access-list guestVlanPolNat line 1 extended permit tcp 10.255.255.0 255.255.255.0 any

nat (inside) 2 access-list guestVlanPolNat

global (outside) 2 172.16.0.2

I already have the following in my config:

global (OUTSIDE) 1 172.16.0.1

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Thanks,

Bill

Accepted Solution

Adding a second global address for another IP range on ASA

Hello Bhogue,

You can do the following

nat (inside) 1 0 0

nat (inside) 2 10.255.255.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.0.1

The Nat order or priority is:

Nat 0 with ACL (Nat exemption)

Static

Policy nat

Dynamic nat.

In this case we will be using Dynamic Nat for both of them, but the more specific one is going to take place first, so if a packet comes from 10.255.255.x it will be matched to global (outside) 2.

Hope this helps,

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
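The ordering rule Julio describes (NAT exemption first, then static, then policy NAT, then dynamic NAT, with the most specific dynamic rule winning) can be checked against the configs in this thread with a small model. This is an added example, not code from the thread or from Cisco; it models only the rule kinds used here (static NAT is left out), and the `nonat` ACL contents are a constructed placeholder because the thread never shows them.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class NatRule:
    nat_id: int
    kind: str                        # "exempt" (nat 0 ACL), "policy" (nat N ACL), "dynamic"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY

# Pre-8.3 ASA selection order from the thread; static NAT is omitted from this model.
KIND_ORDER = {"exempt": 0, "policy": 1, "dynamic": 2}

def select_nat(rules, src_ip, dst_ip):
    """Pick the nat statement a packet hits: by kind first, then most specific source,
    independent of the order the statements appear in the running config."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [r for r in rules if src in r.src and dst in r.dst]
    if not hits:
        return None
    return min(hits, key=lambda r: (KIND_ORDER[r.kind], -r.src.prefixlen, -r.dst.prefixlen))

def translate(rules, global_pools, src_ip, dst_ip):
    """Return the global address the packet is translated to, 'no-nat' for an
    exemption hit, or None when no nat statement matches."""
    rule = select_nat(rules, src_ip, dst_ip)
    if rule is None:
        return None
    if rule.kind == "exempt":
        return "no-nat"
    return global_pools[rule.nat_id]

# Bill's final configuration from the thread. The nat 0 ACL "nonat" is assumed
# (constructed placeholder) to exempt 10.0.0.0/8 -> 192.168.100.0/24.
RULES = [
    NatRule(0, "exempt", ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.100.0/24")),
    NatRule(2, "dynamic", ipaddress.ip_network("10.255.255.0/24")),
    NatRule(1, "dynamic", ANY),              # nat (inside) 1 0.0.0.0 0.0.0.0
]
GLOBALS = {1: "172.16.0.1", 2: "172.16.0.2"}  # global (OUTSIDE) 1 / 2

if __name__ == "__main__":
    # Same packet Julio asked to run through packet-tracer: hits pool 2, not pool 1.
    print(translate(RULES, GLOBALS, "10.255.255.15", "4.2.2.2"))
```

Swapping the two dynamic statements in `RULES` gives the same answer, which is the point of the ordering rule: the more specific source network wins regardless of config order.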
6 REPLIES


Adding a second global address for another IP range on ASA

Hi Julio

This is what I have now:

global (OUTSIDE) 1 172.16.0.1

global (OUTSIDE) 2 172.16.0.2

nat (inside) 0 access-list nonat

nat (inside) 2 10.255.255.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

I'm still getting all traffic from the 10.255.255.0 network translated to 172.16.0.1. Do I need to swap the nat (inside) 1 and nat (inside) 2 statements?

Adding a second global address for another IP range on ASA

Hello,

Did you clear the xlate and local host tables?

I did a lab recreation and I got it working as expected, taking the global (outside) 2 ip add.

If you do a packet tracer like this what do you get (Please provide the output)

packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adding a second global address for another IP range on ASA

Hi Julio,

I did clear xlate and clear local and even rebooted the firewall last night. Looking at the packet-tracer output (excellent tool BTW, will keep that one) it looks like the address should be translated correctly; however, when I go to a "what is my IP" site (I've tried a couple) they still return the nat (inside) 1 global address.


# packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
  match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 2 (172.16.0.2)
    translate_hits = 860, untranslate_hits = 2
Additional Information:
Dynamic translate 10.255.255.15/1025 to 172.16.0.2/1038 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
  match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
    dynamic translation to pool 2 (172.16.0.2)
    translate_hits = 860, untranslate_hits = 2
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 262028, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.0.254 using egress ifc OUTSIDE
adjacency Active
next-hop mac address 000f.8f42.a7c0 hits 139739

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow


Adding a second global address for another IP range on ASA

I figured out the problem. Your initial configuration was correct. Our web filter (Barracuda, inline between LAN and ASA) was making it appear that all outgoing traffic was coming from the filter. What is strange is that when I looked at the logs in the ASDM log viewer, they show the translation occurring correctly even though outside sites reported the public IP as 172.16.0.1.

6 Nov 23 2011 10:29:58 305011 10.255.255.10 50582 172.16.0.2 1024 Built dynamic TCP translation from inside:10.255.255.10/50582 to OUTSIDE:172.16.0.2/1024

Thanks again for your help.

Adding a second global address for another IP range on ASA

Hello,

Great to hear that now everything is working.

Hope you have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC