CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1
Level 1

Hi all,

I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.

I need to keep the above and I also need to configure the firewall with the below range:

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193 - Please use this as your default gateway.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

Can you advise how this should be configured on the ASDM?

Accepted Solution

Hi,

Option 1 is not possible with the ASA in the above way specifically as you can't really have 2 default routes active at the same time. And as the ASA has no concept of a "secondary" address under its interface, that means the secondary subnet is only present in the NAT configurations of the device and the ASA would use Proxy ARP to make sure that there is connectivity from the WAN to these IP addresses even though they are not configured on any interface of the ASA.

I guess Option 2 is the simplest solution. The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and ASA for this new subnet.

Glad to hear you got it working though

Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.

- Jouni


23 Replies

Jouni Forss
VIP Alumni

Hi,

You won't have to add this configuration on your ASA other than to configure the NAT configurations that use these IP addresses.

The ISP should route this network towards your current public IP address configured on your external ASA interface. Or if they don't route the network towards your ASA then they need to configure the new public subnet as a "secondary" address range on their gateway interface.

If you are running a newer ASA software and the ISP configures the new subnet on their gateway interface towards your ASA then you will need to add this configuration command:

arp permit-nonconnected

In either case, you won't need to configure the IP address on any ASA interface or configure any additional routes on the ASA.

Hope this helps

- Jouni

Thanks for this;

Couple of questions:

My ISP sent me this:

"

I will be allocating your additional range shortly, could you please advise how you would like this to be configured:

(1) As a secondary range with its own default gateway.

(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.

"

88.121.23.246 is our current public address. What's the best way to have it setup?

Hi,

If you have an ASA firewall facing the ISP and the ISP has stated that they route the new public network towards your current external interface IP address then you won't need any ARP or interface/route related configurations.

You can just start configuring NAT with the new public IP addresses and start using them.

If you have doubts do a Static NAT for a test host on the internal network using a new public IP address and test connectivity.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Thank you for your fast reply.

I have noticed that the ISP has put in place (1) As a secondary range with its own default gateway.

But what is the better option to go for?

Hi,

Whichever way the ISP does the configuration on their end it should be enough for you to start configuring NAT using the new public IP address space.

IF the ISP has NOT routed the network towards your current external IP address of the ASA, then if you have a newer ASA software you have to add the command

arp permit-nonconnected

I still don't know what software you are using on the ASA.

Have you tried configuring a test host with the new public IP address and testing if it works?

- Jouni

Hi Jouni,

It is ASA 8.2(5)

ASDM 6.4(5)

The ISP has NOT routed it towards the existing address. I am using the ASDM, can you provide instructions as to how this should be configured?

Hi,

It would seem to me that you just start configuring NAT with the new public subnet just like you have done so far for the existing public subnet you are using already.

You should NOT need any extra configurations, just start configuring NAT using those IP addresses as needed and test connectivity.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Hi Jouni,

Sorry for slow reply.

I need to get this configured,

Do I need to configure a new interface on my asa5510 since my ISP is NOT routing towards my existing public IP?

I only have 2 available WAN ports on the asa5510, but 5 usable public IP addresses.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193

Hi,

You should not need any new interface or route configurations on the ASA.

I assume that you have gotten the public IP address range to be used as NAT IP addresses on the ASA? If so then you should be able to configure them on the ASA if the ISP has configured their portion.

As I suggested before, I would put some test laptop on the LAN network and configure NAT for it using the new public IP address range and test connectivity.

- Jouni

"I assume that you have gotten the public IP address range to be used as NAT IP addresses on the ASA?"

How do I do this? Ask my ISP?

Hi,

You don't have to ask the ISP for anything if they have already configured their part. You have mentioned that they have configured the new public subnet on their end as a "secondary" network? If this is true then it should be usable at the moment.

Again I would suggest that you configure Static NAT using one of the new public IP addresses for some test host on the LAN and actually test traffic. Configuring NAT with the original public IP address space you had and this new one isn't in any way different.

- Jouni

Hi,

Internally I can telnet to 192.168.1.221 on 443

But I am not able to telnet to 81.121.211.194 externally.

I have added the above nat rule, anything I need to do?

Hi,

You would have to add an "access-list" rule on the external interface's ACL to allow traffic to this host that has the NAT.

Seems you have configured Static PAT (Port Forward) for port TCP/443.

- Jouni

Yes, I want to forward public traffic for 443 to 81.121.221.194 which NATs to 192.168.1.221.

on the ASDM, do I just need to add an access rule?
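The static PAT and outside ACL the thread works toward, written out as an added ASA CLI example (not posted by anyone in the thread). Assumed: interface names inside/outside, the ASDM default ACL name outside_access_in, the object name WEB_SRV, and the constructed test source 203.0.113.10; the 8.3+ section applies only if the firewall is ever upgraded from 8.2(5).

```cisco
! ASA 8.2(5): static PAT for TCP/443 on a public address that is NOT on any ASA interface.
! Assumed names: interfaces "inside"/"outside", ACL "outside_access_in" (ASDM's default).
! The public address exists only in the NAT statement; the ASA proxy ARPs for it on the
! outside segment, which is what lets the ISP gateway (81.121.211.193) reach it.
static (inside,outside) tcp 81.121.211.194 443 192.168.1.221 443 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the MAPPED (public) address. Permit only the published port,
! not "ip any host", so the rest of the host stays unreachable from the outside.
access-list outside_access_in extended permit tcp any host 81.121.211.194 eq 443
access-group outside_access_in in interface outside
!
! Verification after applying (203.0.113.10 is a constructed test source):
!   show xlate | include 81.121.211.194     -> the static translation is present
!   show access-list outside_access_in     -> hit counts on the 443 line
!   packet-tracer input outside tcp 203.0.113.10 12345 81.121.211.194 443
!
! The same port forward on ASA 8.3+/9.x, for reference only. Two differences:
!  - the outside ACL now matches the REAL (inside) address, not the mapped one
!  - from 8.4(5)/9.0(1) the ASA no longer proxy ARPs for mapped addresses outside a
!    connected subnet, so "arp permit-nonconnected" is required for the secondary range
arp permit-nonconnected
object network WEB_SRV
 host 192.168.1.221
 nat (inside,outside) static 81.121.211.194 service tcp 443 443
access-list outside_access_in extended permit tcp any object WEB_SRV eq 443
access-group outside_access_in in interface outside
```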
