Cisco Support Community
New Member

Cisco ASA 5505 one ISP two different Ranges

Hello all,

following problem:

I'm replacing an IPCOP FW with a Cisco 5505. On the IPCOP there is the Outside Interface with the ISP and an alias Interface (on the Outside) with a second (different) IP Range from the same provider, routed to the official IP of the Firewall.

I bought the Security Plus License, but I'm still not sure how to configure this on the ASA.

Config of the IPCOP:

-----------------------------

eth1      Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:1.1.1.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:72545428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51344517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1451738029 (1384.4 MB)  TX bytes:3806884674 (3630.5 MB)
          Interrupt:10 Base address:0x4000

eth1:0    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.1  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000

eth1:1    Link encap:Ethernet  HWaddr 00:30:18:4A:17:9B 
          inet addr:2.2.2.2  Bcast:1.1.1.3  Mask:255.255.255.252
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:10 Base address:0x4000

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.1.1.1   0.0.0.0         255.255.255.252 U     0      0        0 eth1

2.2.2.1  0.0.0.0         255.255.255.252 U     0      0        0 eth1
2.2.2.2  0.0.0.0         255.255.255.252 U     0      0        0 eth1
0.0.0.0  1.1.1.2   0.0.0.0         UG    0      0        0 eth1

Can somebody please help me with this?

I'm pretty new to the Cisco ASAs. :-(

Best Regards

14 REPLIES
Cisco Employee

Re: Cisco ASA 5505 one ISP two different Ranges

You don't really have to configure anything to route the second range of public ip subnet to your ASA. As long as you route the second public range towards the ASA outside interface ip address, that would do.

Then you can use the second public address range for NATing, etc, etc, and the ASA will proxy ARP for those address range once you configured them.

Hope that helps.

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

can you please give me a short example?

Do you mean that I need to route the 2.2.2.1, for example, to the public IP of the ASA (outside interface)?

thank you

Cisco Employee

Re: Cisco ASA 5505 one ISP two different Ranges

Yes, you are absolutely correct.

Here is a sample topology:

10.1.1.1 - inside (ASA) outside - 200.1.1.1 -- 200.1.1.2 gateway router -- Internet

From the above sample topology, say if you have a second public range of 100.1.1.0/24, you would need to configure the gateway router with the following route:

ip route 100.1.1.0 255.255.255.0 200.1.1.1

Hope that helps.

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

that helps.

How would the NATing look?

We only need to allow one special official IP to access those from the second IP range. There will be no redirect to any inside IP.

So this has to be from the outside to outside, but I guess this will cause some problems.

thank you

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

I'm sorry. There will be a redirect to the inside.

So this should work like this:

outside -> inside -> destination one of the second IP range -> static -> to the inside host

Am I right?

thx

Cisco Employee

Re: Cisco ASA 5505 one ISP two different Ranges

From the above topology, if your internal server is 10.1.1.5, and you would need to NAT it to the second range of ip on 100.1.1.5, here would be the NAT configuration:

static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255

And you would also need to configure the ACL accordingly for inbound access on the outside access-list.

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

attached is the way I think the NATing needs to be configured via ASDM.

ACL is clear! :-)

thx

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Forgot: unidirectional, not in both directions.

Cisco Employee

Re: Cisco ASA 5505 one ISP two different Ranges

Oh OK, so it's ASA version 8.3 that you have.

NATing is normally done from the direction of inside host, and static NAT works bidirectionally.

So from your ASDM, it should be as follows:

Match Criteria: Original Packet

Source Interface: Inside
Source Address: 10.1.1.5

Destination Interface: Outside
Destination Address: leave blank
Destination Service: leave blank

Action: Translated Packet
Source Address: 100.1.1.5
Destination Address: leave blank

And please make it bidirectional.

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

OK.

But I only need the one official host to connect to the second IP range. In that case, is my configuration working or not (if bidirectional)?

Cisco Employee

Re: Cisco ASA 5505 one ISP two different Ranges

Yes, it will.

Basically, if you only want access from 1 specific host (eg: 8.8.8.8), then you would configure that on the access-list to only allow 8.8.8.8 to access that server.
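The pieces discussed in this thread (the upstream route, the static NAT for 10.1.1.5 to 100.1.1.5, and an ACL restricted to the one permitted host 8.8.8.8), put together as a complete CLI configuration. This is an added example written for this page, not configuration posted by the participants or by Cisco; it uses the sample topology from the thread and assumes the published service is FTP (tcp/21, the port that appears in the syslog line later in the thread), and the object names obj-srv-10.1.1.5 and obj-mgmt-8.8.8.8 are assumptions. Both the pre-8.3 syntax (as in the reply above) and the 8.3 object NAT equivalent of the ASDM rule are shown; the point to keep straight is that pre-8.3 ACLs match the mapped (public) address while 8.3 and later ACLs match the real (inside) address.

```cisco
! --- Upstream gateway router (200.1.1.2): send the second block to the ASA outside address
ip route 100.1.1.0 255.255.255.0 200.1.1.1

! --- ASA, pre-8.3 syntax: static NAT + ACL on the MAPPED address, one source host only
static (inside,outside) 100.1.1.5 10.1.1.5 netmask 255.255.255.255
access-list outside_in extended permit tcp host 8.8.8.8 host 100.1.1.5 eq ftp
access-group outside_in in interface outside

! --- ASA 8.3 and later: object NAT (inside -> outside direction, bidirectional by default)
!     ACL now references the REAL address of the server (object names are assumed)
object network obj-srv-10.1.1.5
 host 10.1.1.5
 nat (inside,outside) static 100.1.1.5
object network obj-mgmt-8.8.8.8
 host 8.8.8.8
access-list outside_in extended permit tcp object obj-mgmt-8.8.8.8 object obj-srv-10.1.1.5 eq ftp
access-group outside_in in interface outside

! --- Checks: confirm the translation exists and trace an inbound SYN from the permitted host
show nat
show xlate
packet-tracer input outside tcp 8.8.8.8 51821 100.1.1.5 21
```

Use packet-tracer with the mapped address 100.1.1.5 as the destination, since that is what arrives on the outside interface; its output names the phase (route lookup, NAT, ACL) that drops the packet, which is quicker than reading 106001 messages. Because the ACL permits only host 8.8.8.8, anything else hitting 100.1.1.5 is still dropped and logged.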

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

it didn't work out.

I set the routing for the second range to the firewall IP of the ASA, made the static NAT (as described above) and the ACLs (on the outside interface, incoming to the inside IP).

Maybe it's an ARP problem, or does somebody else have an idea?

Right now I'm getting the following error message:

2    Aug 09 2010    08:26:36    106001    8.8.8.8 (allowed ip)    51821    2.2.2.1    21    Inbound TCP connection denied from 8.8.8.8/51821 to 2.2.2.1/21 flags SYN  on interface outside

best regards

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

I found the error. It was the direction of the NAT, as described above. First use the inside to outside direction!

But OK. Right now the connection from outside is working.

Thanks.

New Member

Re: Cisco ASA 5505 one ISP two different Ranges

Hi,

one more thing.

It's not possible to ping one of the "alias" IPs, neither from outside nor from inside.

I'm getting the following error code from the outside:

Deny inbound icmp src outside: xxx.xxx.xxx.xxx dst outside:2.2.2.1 (type 8, code 0)

There are ACLs that allow incoming ICMP requests on the outside interface.

How can I solve this issue?
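The thread ends without an answer to the ICMP question, so here, as an added example that is not part of the original thread, are the two configuration pieces ICMP needs on an ASA 8.3 box beyond the TCP permit, plus the checks that tell you whether a secondary-range address is one the ASA translates at all. The ASA never answers for an address in the routed second block by itself: it holds no interface address there, so an echo request to a secondary-range address is only answered when a NAT rule binds that address to an inside host, which then sends the reply. The object name obj-srv-10.1.1.5 and the management host 8.8.8.8 are carried over from the sample topology and are assumptions.

```cisco
! --- ASA 8.3 and later (syntax assumed): server object with its static translation
object network obj-srv-10.1.1.5
 host 10.1.1.5
 nat (inside,outside) static 100.1.1.5

! --- Echo requests only, from the one permitted host, matching the REAL address (8.3+ ACL semantics)
access-list outside_in extended permit icmp host 8.8.8.8 host 10.1.1.5 echo
access-group outside_in in interface outside

! --- ICMP inspection: without it the echo reply is not tied to the request and is dropped
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Checks: an address that does not appear in 'show nat' is not one the ASA will answer for
show nat
packet-tracer input outside icmp 8.8.8.8 8 0 100.1.1.5
```

If packet-tracer reports the packet as dropped in the NAT or route-lookup phase with the egress interface still outside, the destination is a secondary-range address with no translation, which matches the "dst outside" wording in the log line above; permitting ICMP in the outside ACL does not change that, since there is no host behind the address to reply. For the inside-to-alias case the same rule applies: inside hosts reach 10.1.1.5 directly, and the mapped address only has meaning on the outside.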
