CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1
Level 1

Hi all,

I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.

I need to keep the above and I also need to configure the firewall with the below range:

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193 - Please use this as your default gateway.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

Can you advise how this should be configured on the ASDM?

23 Replies

like this?

unrealone1
Level 1

Any further thoughts?

Hi,

Is the IP address correct? You talk about x.x.211.x and x.x.221.x IP addresses in the above posts. Check which one is the correct public IP address and use it in the NAT and ACL configurations.

After that you can try the "packet-tracer" command

packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194 443

Post the output of the above command.

It should tell us if there is any problem with the ASA configurations

- Jouni

Yes, the public IP 81.121.211.194 is correct and the LAN IP 192.168.1.221 is correct.

Thanks for the command, I ran it, see results below:

Hi,

It doesn't show the whole output.

Can you copy/paste the output that is shown in the Response window?

Have you tested the connection from the Internet towards this public IP address and have you checked what happens to the connections? Have you checked that the ACL's hit counter increases as you attempt the connection from the Internet?

- Jouni

Sorry.

See full below:

packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194  443

Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194  443"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:
NAT divert to egress interface Inside
Untranslate 81.121.211.194/443 to 192.168.1.221/443 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface Outside
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1897872, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
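As an added example (not code from the thread), a small Python parser for output in the packet-tracer layout shown above: it splits the phases, keeps the config lines the ASA matched in each, and reports the first phase that did not ALLOW, which is the line to look at when a trace ends in "drop" instead of "allow". The sample output is constructed to end in an ACL drop.

```python
import re

# Constructed sample (not from the thread) in the same layout as the packet-tracer
# output above, but with an ACL that denies the flow so the tracer ends in "drop".
SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
Additional Information:
NAT divert to egress interface Inside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group WAN_access_in in interface Outside
access-list WAN_access_in extended deny ip any any
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into (phases, summary).

    Each phase is a dict of its header fields plus a 'Config' list holding the
    rule lines the ASA matched; summary is the trailing Result block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Result:"):
            summary = dict((k.strip(), v.strip()) for k, _, v in
                           (ln.partition(":") for ln in lines[1:]))
            continue
        head, _, rest = block.partition("Config:")
        config, _, _ = rest.partition("Additional Information:")
        phase = dict((k.strip(), v.strip()) for k, _, v in
                     (ln.partition(":") for ln in head.splitlines()))
        phase["Config"] = [c.strip() for c in config.splitlines() if c.strip()]
        phases.append(phase)
    return phases, summary

def blocking_phase(text):
    """Return the first phase whose Result is not ALLOW, or None if the flow passes."""
    phases, _ = parse_packet_tracer(text)
    return next((p for p in phases if p["Result"] != "ALLOW"), None)
```

Run it over the real output pasted above and blocking_phase returns None, matching its "Action: allow".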

unrealone1
Level 1

Many, many thanks Jouni for your help, all up and running.

Can I just ask though, what is the difference between the below 2 configurations? Pros and cons.

(1) As a secondary range with its own default gateway.

(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.

Hi,

Option 1 is not possible with the ASA in the above way, specifically as you can't really have 2 default routes active at the same time. And as the ASA has no concept of a "secondary" address under its interface, that means the secondary subnet is only present in the NAT configurations of the device and the ASA would use Proxy ARP to make sure that there is connectivity from the WAN to these IP addresses even though they are not configured on any interface of the ASA.

I guess Option 2 is the simplest solution. The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and the ASA for this new subnet.

Glad to hear you got it working though

Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.

- Jouni

Jouni, many thanks for sharing your knowledge and help.
