06-02-2010 08:02 AM - edited 03-11-2019 10:53 AM
Hi, I have 5 usable static IP addresses provided by my ISP. I am using an ASA5505 with Security Plus firewall. My question is, can I assign each usable IP address to a specific VLAN so that when they go out to access the Internet, it will show that the source public IP address is coming from that assigned IP and not just whatever the gateway that's assigned on my route statement? Please look at the example provided below:
OUTSIDE IP ADDRESS    VLAN    INSIDE IP ADDRESS
208.155.152.1         1       192.168.1.0
208.155.152.2         3       192.168.2.0
208.155.152.3         4       192.168.3.0
208.155.152.4         5       192.168.4.0
Any information as to what commands I should use would be greatly appreciated. Thank you so much.
Russell
06-02-2010 08:39 AM
Russell,
The limitation here is that the ASA 5505 running Security Plus, or any other ASA in fact, will allow you to use only a single default gateway simultaneously.
You can have up to three default gateways with the same metric out the same interface (but the three next hops should belong to the same subnet).
You can have multiple backup default gateways via different interfaces (with different metrics).
What is it that you're trying to accomplish?
Federico.
06-02-2010 08:55 AM
Federico,
First of all, I would like to thank you for your quick response. Basically what I'm trying to accomplish is to separate each VLAN and have them reflect different outside IP addresses. I'm doing this for compliancy purposes. In the example that I provided earlier, I want everybody that's on VLAN1 to reflect 208.155.152.1 as the source outside IP address whenever they access the internet, VLAN3 would reflect 208.155.152.2 as the source IP address when they access the internet, and the same for the rest of the VLANs.
Sorry if my explanation is confusing. But if you need more information, please let me know. Thanks again for the quick response.
Russell
06-02-2010 09:03 AM
Let's see:
You can do the following:
interface vlan 1
 ip address 208.155.152.1
interface vlan 2
 ip address 208.155.152.2
interface vlan 3
 ip address 208.155.152.3
interface vlan 4
 ip address 208.155.152.4
My question is... which subnet mask will you configure on each VLAN?
Because if you configure any other subnet mask besides 255.255.255.255 you will get an overlapping error.
And, if you configure a /32bit mask, nothing else can be connected on that interface.
If your goal is for different VLANs to be seen with different source addresses when they send traffic,
I would think that you can do NAT to accomplish this.
Federico.
06-02-2010 09:07 AM
I think I'm referring to different VLANs reflecting different source addresses when they send traffic. What would be the recommended NAT or configuration that I should put on my ASA? Thanks again.
Russell
06-02-2010 09:41 AM
I'm assuming all the networks are /24s? Here's an example:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 208.155.152.1
!
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 208.155.152.2
!
...and so on for each IP and netblock.
Please check & back up any existing NAT & global configs before configuration. If you're still unsure, post your config, sans sensitive information, for us to take a peek at.
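An added example, not from any poster in this thread: a small Python check that reads `nat`/`global` lines in the syntax shown above and reports which public address each inside subnet leaves as, flagging a subnet whose NAT ID has no `global` and two subnets that share one address. The sample config and the interface names `vlan3`, `vlan4` and `vlan5` are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample config in the pre-8.3 nat/global syntax used in this thread.
# Interface names vlan3, vlan4 and vlan5 are assumptions, not from the thread.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 208.155.152.1
nat (vlan3) 2 192.168.2.0 255.255.255.0
global (outside) 2 208.155.152.2
nat (vlan4) 3 192.168.3.0 255.255.255.0
global (outside) 3 208.155.152.2
nat (vlan5) 4 192.168.4.0 255.255.255.0
"""

IPV4 = r"(\d+(?:\.\d+){3})"
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IPV4} {IPV4}")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)")


def audit(config):
    """Return ({inside subnet: public address}, [problem strings])."""
    nats, pools = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            if nat_id != "0":  # NAT ID 0 is exemption and has no global
                subnet = ipaddress.ip_network(f"{net}/{mask}", strict=False)
                nats.append((ifc, nat_id, subnet))
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(m.group(1), m.group(2))  # first global per NAT ID
    mapping, problems, users = {}, [], defaultdict(list)
    for ifc, nat_id, subnet in nats:
        public = pools.get(nat_id)
        if public is None:
            problems.append(f"{subnet} ({ifc}): NAT ID {nat_id} has no global")
            continue
        mapping[str(subnet)] = public
        users[public].append(str(subnet))
    for public, subnets in users.items():
        if len(subnets) > 1:
            problems.append(f"{public} is shared by {', '.join(subnets)}")
    return mapping, problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG)[1]:
        print("WARNING:", problem)
```

Feed it the `nat` and `global` lines from a saved running config before and after the change to confirm that each VLAN's subnet maps to its own public address.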
06-02-2010 10:09 AM
Terry,
Thank you for your response. I will try that and will let you know if that works for me or not. I will not be implementing it until tomorrow so let's see what happens. Thank you again for your quick response.
Russell