Community Member

ASA 5510 as Verizon gateway for multiple public IP's

Hello. This might be a trivial question, but I have never used an ASA5510 this way before. I know the ASA5510 is not a typical router.

Here is the scenario:

1) Point-to-point connection to the ISP (mask /30), configured on Ethernet 0/0

2) Group of public IPs (mask /28), configured on Ethernet 0/1

 

Can the ASA5510 be configured as the "main gateway" to the ISP? There will be no private IPs involved. On the Ethernet 0/1 side there will be a couple of servers that use public IPs (62.62.208.226-238, with gateway 62.62.208.225).

Please see the attachment and configuration. Unfortunately I'm unable to test on the live environment, which is why I would like to know ahead of time whether this is possible, and I want to be sure that the attached configuration is correct.

Thank you!

 

: Saved
: Written by enable_15 at 13:33:42.769 EDT Sun Jun 22 2014
!
ASA Version 9.1(5)
!
hostname VERIZON-Test

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
!
interface Ethernet0/0
 nameif Verizon-OUT
 security-level 0
 ip address 210.210.2.174 255.255.255.252
!
interface Ethernet0/1
 description Verizon Access
 nameif Verizon-IN
 security-level 0
 ip address 62.62.208.225 255.255.255.224
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network Verizon-GATEWAY
 host 210.210.2.173
pager lines 24
logging asdm informational
mtu Verizon-OUT 1500
mtu Verizon-IN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route Verizon-OUT 0.0.0.0 0.0.0.0 210.210.2.173 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end

 

3 REPLIES

This is possible, but you have to make sure that your ISP is routing 62.62.208.226-238 to your ASA's outside interface.

If this is the case, then the ASA will act like a normal router: it sees that the subnet is connected to its Eth0/1 interface and forwards traffic to it. Now, if you require that users on the internet have access to the servers, you would need to apply ACLs to the outside interface allowing such traffic. NAT is not needed, as these server IPs are publicly routed IPs.

--

Please remember to select a correct answer and rate helpful posts

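As an added sanity check (not part of the original post and not Cisco's code), the following Python parses the addressing lines of the configuration posted above and compares them with the plan stated in the question: the default route's next hop must sit on the Verizon-OUT /30, and Verizon-IN must be the .225 gateway of a block that holds .226-.238. The config excerpt and the PLAN dictionary are constructed from the post; the `/28` the question states is checked against the mask actually configured.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above; only the addressing lines are kept.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Verizon-OUT
 ip address 210.210.2.174 255.255.255.252
interface Ethernet0/1
 nameif Verizon-IN
 ip address 62.62.208.225 255.255.255.224
route Verizon-OUT 0.0.0.0 0.0.0.0 210.210.2.173 1
"""

# The addressing plan as stated in the question (a /28 for the servers, .225 as their gateway).
PLAN = {"lan_prefixlen": 28, "lan_gateway": "62.62.208.225",
        "servers": ("62.62.208.226", "62.62.208.238")}

def parse_interfaces(config):
    """Map each nameif to an IPv4Interface taken from its 'ip address <ip> <mask>' line."""
    ifaces, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:  # 'no ip address' lines are skipped
            ifaces[name] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
    return ifaces

def parse_default_route(config):
    """Return (egress nameif, next hop) from the 'route <nameif> 0.0.0.0 0.0.0.0 <nh>' line."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return m.group(1), ipaddress.IPv4Address(m.group(2))

def check_plan(config, plan, outside="Verizon-OUT", inside="Verizon-IN"):
    """Compare the config with the stated plan; return a list of findings (empty means consistent)."""
    ifaces = parse_interfaces(config)
    out_if, in_if = ifaces[outside], ifaces[inside]
    egress, nexthop = parse_default_route(config)
    findings = []
    if egress != outside or nexthop not in out_if.network:
        findings.append(f"default route next hop {nexthop} is not on {outside} ({out_if.network})")
    if in_if.network.prefixlen != plan["lan_prefixlen"]:
        findings.append(f"{inside} mask is /{in_if.network.prefixlen}, plan says /{plan['lan_prefixlen']}: confirm the block size with the ISP")
    if in_if.ip != ipaddress.IPv4Address(plan["lan_gateway"]):
        findings.append(f"{inside} address {in_if.ip} is not the planned gateway {plan['lan_gateway']}")
    if any(ipaddress.IPv4Address(s) not in in_if.network for s in plan["servers"]):
        findings.append(f"server range {plan['servers']} does not fit inside {in_if.network}")
    return findings
```

Run against the posted lines, the only finding is that 255.255.255.224 is a /27 rather than the /28 described in the question, which is worth confirming with the ISP before the servers go live.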
Community Member

Thanks for your answer. It took me a while to test it because Verizon didn't route my IPs properly.

I'm up and running. Would I still need to put an access list in place if I have already allowed traffic between interfaces with the same security level?

same-security-traffic permit inter-interface

This box is used as a transparent device.

Just to be a little picky, a transparent device is one that does not decrease the hop count of a packet... so technically it is not a transparent device and is being used as a plain old router.

Which leads to the question: why did you decide to use an ASA if you were not going to filter traffic?

But to answer your question: no, you would not need an ACL to permit traffic between two interfaces with the same security level when you have the same-security-traffic permit inter-interface command configured.

--

Please remember to select a correct answer and rate helpful posts
