12-04-2013 08:40 AM - edited 03-11-2019 08:12 PM
Hi all,
I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.
I need to keep the above and I also need to configure the firewall with the below range:
IP Range: 81.121.211.192/29
Subnet: 255.255.255.248
Gateway: 81.121.211.193 - Please use this as your default gateway.
For your use: 81.121.211.194 - 81.121.211.198 (inclusive)
Can you advise how this should be configured on the ASDM?
12-13-2013 04:55 AM
Hi,
Option 1 is not possible with the ASA in the above way specifically, as you can't really have 2 default routes active at the same time. And as the ASA has no concept of a "secondary" address under its interface, that means the secondary subnet is only present in the NAT configurations of the device, and the ASA would use Proxy ARP to make sure that there is connectivity from the WAN to these IP addresses even though they are not configured on any interface of the ASA.
I guess Option 2 is the simplest solution. The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and the ASA for this new subnet.
Glad to hear you got it working though
Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.
- Jouni
12-04-2013 08:53 AM
Hi,
You won't have to add this configuration on your ASA other than to configure the NAT configurations that use these IP addresses.
The ISP should route this network towards your current public IP address configured on your external ASA interface. Or if they don't route the network towards your ASA, then they need to configure the new public subnet as a "secondary" address range on their gateway interface.
If you are running a newer ASA software and the ISP configures the new subnet on their gateway interface towards your ASA, then you will need to add this configuration command:
arp permit-nonconnected
In either case, you won't need to configure the IP address on any ASA interface or configure any additional routes on the ASA.
Hope this helps
- Jouni
12-05-2013 01:55 AM
Thanks for this;
Couple of questions:
My ISP sent me this:
"
I will be allocating your additional range shortly, could you please advise how you would like this to be configured:
(1) As a secondary range with its own default gateway.
(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.
"
88.121.23.246 is our current public address. What's the best way to have it setup?
12-05-2013 02:00 AM
Hi,
If you have an ASA firewall facing the ISP and the ISP has stated that they route the new public network towards your current external interface IP address, then you won't need any ARP or interface/route related configurations.
You can just start configuring NAT with the new public IP addresses and start using them.
If you have doubts do a Static NAT for a test host on the internal network using a new public IP address and test connectivity.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
12-05-2013 02:59 AM
Thank you for your fast reply.
I have noticed that the ISP has put in place (1) As a secondary range with its own default gateway.
But what is the better option to go for?
12-05-2013 04:31 AM
Hi,
Whichever way the ISP does the configuration on their end, it should be enough for you to start configuring NAT using the new public IP address space.
IF the ISP has NOT routed the network towards your current external IP address of the ASA, then if you have a newer ASA software you have to add the command:
arp permit-nonconnected
I still don't know what software you are using on the ASA.
Have you tried configuring a test host with the new public IP address and testing if it works?
- Jouni
12-05-2013 09:02 AM
Hi Jouni,
It is ASA 8.2(5)
ASDM 6.4(5)
The ISP has NOT routed it towards the existing. I am using the ASDM, can you provide instructions as to how this should be configured?
12-05-2013 09:16 AM
Hi,
Would seem to me that you just start configuring NAT with the new public subnet just like you have done so far for the existing public subnet you are using already.
You should NOT need any extra configurations, just start configuring NAT using those IP addresses as needed and test connectivity.
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
12-11-2013 06:10 AM
Hi Jouni,
Sorry for slow reply.
I need to get this configured,
Do I need to configure a new interface on my asa5510 since my ISP is NOT routing towards my existing public IP?
I only have 2 available WAN ports on the asa5510, but 5 usable public IP addresses.
For your use: 81.121.211.194 - 81.121.211.198 (inclusive)
IP Range: 81.121.211.192/29
Subnet: 255.255.255.248
Gateway: 81.121.211.193
12-11-2013 06:14 AM
Hi,
You should not need any new interface or route configurations on the ASA.
I assume that you have gotten the public IP address range to be used as NAT IP addresses on the ASA? If so, then you should be able to configure them on the ASA if the ISP has configured their portion.
As I suggested before, I would put some test laptop on the LAN network, configure NAT for it using the new public IP address range and test connectivity.
- Jouni
12-11-2013 06:24 AM
"I assume that you have gotten the public IP address range to be used as NAT IP address on the ASA?"
How do I do this? Ask my ISP?
12-11-2013 06:29 AM
Hi,
You don't have to ask the ISP for anything if they have already configured their part. You have mentioned that they have configured the new public subnet on their end as a "secondary" network? If this is true, then it should be usable at the moment.
Again I would suggest that you configure Static NAT using one of the new public IP addresses for some test host on the LAN and actually test traffic. Configuring NAT with the original public IP address space you had and this new one isn't in any way different.
- Jouni
12-11-2013 09:03 AM
Hi,
Internally I can telnet to 192.168.1.221 on 443
But I am not able to telnet to 81.121.211.194 externally.
I have added the above nat rule, anything I need to do?
12-11-2013 09:12 AM
Hi,
You would have to add an "access-list" rule on the external interface's ACL to allow traffic to this host that has the NAT.
Seems you have configured Static PAT (Port Forward) for port TCP/443.
- Jouni
12-11-2013 09:18 AM
Yes, I want to forward public traffic for 443 to 81.121.221.194 which NATs to 192.168.1.221.
On the ASDM, do I just need to add an access rule?
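As an added example (not configuration from Jouni's posts or from the original poster), the following pulls together the CLI equivalent of the whole thread for ASA 8.2(5): the two ISP delivery options from the accepted answer, the test-laptop static NAT Jouni keeps recommending, and the TCP/443 Static PAT plus outside ACL rule asked about in the last post. The interface names `inside`/`outside`, the ACL name `outside_access_in`, the test-laptop address 192.168.1.50 and the external client 198.51.100.10 are assumptions or constructed values; the existing interface mask and gateway are not given in the thread and are left as placeholders.

```cisco
! Existing WAN interface and default route stay exactly as they are.
! (<existing-mask> and <existing-gateway> are placeholders; the thread does
! not give them.)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 88.121.23.246 <existing-mask>
!
route outside 0.0.0.0 0.0.0.0 <existing-gateway>
!
! No interface gets an address from 81.121.211.192/29 and no second default
! route via 81.121.211.193 is added: replies use the existing default route.
!
! If the ISP chose option 1 (secondary range on its gateway), the ASA must
! answer ARP for the mapped addresses. Static NAT does proxy ARP by default,
! so make sure this line is NOT in the running config:
!   sysopt noproxyarp outside
! On ASA software newer than 8.2(5) that has the command, add as well:
!   arp permit-nonconnected
! If the ISP chose option 2 (routes the /29 to 88.121.23.246), only the NAT
! lines below are needed.
!
! 1:1 static NAT for the test laptop Jouni suggests (192.168.1.50 is a
! constructed LAN address) on the next free public address.
static (inside,outside) 81.121.211.195 192.168.1.50 netmask 255.255.255.255
!
! Static PAT (port forward) from the thread: 81.121.211.194:443 -> 192.168.1.221:443
static (inside,outside) tcp 81.121.211.194 443 192.168.1.221 443 netmask 255.255.255.255
!
! Inbound rules on the outside interface. Pre-8.3 ACLs reference the public
! (mapped) address, not the 192.168.1.x host. Use the ACL name already bound
! to "outside" (check with "show run access-group"); "outside_access_in" is
! the usual ASDM name and is an assumption here. Binding a differently named
! ACL with access-group would replace the existing outside ruleset.
access-list outside_access_in extended permit icmp any host 81.121.211.195 echo
access-list outside_access_in extended permit tcp any host 81.121.211.194 eq 443
access-group outside_access_in in interface outside
!
! Verification (198.51.100.10 is a constructed external client address).
! Expect "Action: allow" with the translation to the inside host shown in the
! NAT phase; a drop in the ACCESS-LIST phase means the rule above is missing
! or was added to an ACL that is not applied to "outside".
packet-tracer input outside tcp 198.51.100.10 40000 81.121.211.194 443
packet-tracer input outside icmp 198.51.100.10 8 0 81.121.211.195
!
! Confirm the translations exist and that there is still only one default route.
show xlate | include 81.121.211.19
show route
```

In ASDM the same result is reached with one Static NAT rule (Configuration > Firewall > NAT Rules) and one Access Rule on the outside interface whose destination is the public address 81.121.211.194; the packet-tracer commands are the quickest way to see which of the two is missing when the external telnet to port 443 fails.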