12-04-2013 08:40 AM - edited 03-11-2019 08:12 PM
Hi all,
I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.
I need to keep the above and I also need to configure the firewall with the below range:
IP Range: 81.121.211.192/29
Subnet: 255.255.255.248
Gateway: 81.121.211.193 - Please use this as your default gateway.
For your use: 81.121.211.194 - 81.121.211.198 (inclusive)
Can you advise how this should be configured in ASDM?
12-11-2013 09:22 AM
like this?
12-12-2013 01:13 AM
Any further thoughts?
12-12-2013 01:16 AM
Hi,
Is the IP address correct? You talk about x.x.211.x and x.x.221.x IP addresses in the above posts. Check which one is the correct public IP address and use it in the NAT and ACL configurations.
After that you can try the "packet-tracer" command
packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194 443
Post the output of the above command.
It should tell us if there is any problem with the ASA configurations
- Jouni
12-12-2013 03:20 AM
Yes, the public IP 81.121.211.194 is correct, and the LAN IP 192.168.1.221 is correct.
Thanks for the command, I ran it, see results below:
12-12-2013 03:30 AM
Hi,
It doesn't show the whole output.
Can you copy/paste the output that is shown in the Response -window.
Have you tested connection from the Internet towards this public IP address, and have you checked what happens to the connections? Have you checked that the ACL's hit counter increases as you attempt the connection from the Internet?
- Jouni
12-12-2013 03:54 AM
Sorry.
See full below:
packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194 443
Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194 443"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
match tcp Inside host 192.168.1.221 eq 443 Outside any
static translation to 81.121.211.194/443
translate_hits = 0, untranslate_hits = 34
Additional Information:
NAT divert to egress interface Inside
Untranslate 81.121.211.194/443 to 192.168.1.221/443 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface Outside
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
match tcp Inside host 192.168.1.221 eq 443 Outside any
static translation to 81.121.211.194/443
translate_hits = 0, untranslate_hits = 34
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
match tcp Inside host 192.168.1.221 eq 443 Outside any
static translation to 81.121.211.194/443
translate_hits = 0, untranslate_hits = 34
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1897872, packet dispatched to next module
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
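Jouni's approach above is to read the packet-tracer output phase by phase and look for the one that returns DROP. As an added example (not code from the thread or from Cisco), the following Python parser turns a trace like the one posted into a summary: the final action, the first DROP phase with the config lines that caused it, the drop reason, and the NAT translate/untranslate hit counters Jouni asked about. Both sample traces are constructed for the example: ALLOW_TRACE is trimmed from the output above, and DROP_TRACE is what the same probe looks like when no ACL entry permits it (implicit deny).

```python
"""Parse Cisco ASA packet-tracer output and report where a flow is allowed or dropped.
Added example for this thread, not code from the original posts or from Cisco.
ALLOW_TRACE is trimmed from the trace posted above; DROP_TRACE is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"


def parse_packet_tracer(text):
    """Return (phases, final): the per-phase records and the trailing summary block."""
    phases, final = [], {}
    phase, in_config, in_final = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(int(m.group(1)))
            phases.append(phase)
            in_config, in_final = False, False
            continue
        if in_final:  # "input-interface: Outside", "Action: drop", "Drop-reason: ..."
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
        elif line.startswith("Result:"):
            value = line[len("Result:"):].strip()
            if value and phase is not None:  # per-phase "Result: ALLOW" / "Result: DROP"
                phase.result = value
            elif not value:                  # bare "Result:" opens the final summary
                in_final, phase = True, None
        elif phase is None:                  # echoed command line before Phase 1
            pass
        elif line.startswith("Type:"):
            phase.type = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            phase.subtype = line[len("Subtype:"):].strip()
        elif line == "Config:":
            in_config = True
        elif line == "Additional Information:":
            in_config = False
        elif in_config:
            phase.config.append(line)
    return phases, final


def verdict(text):
    """Final action, first DROP phase (with its config lines) and NAT hit counters."""
    phases, final = parse_packet_tracer(text)
    summary = {"action": final.get("action", "").lower(), "phases": len(phases),
               "drop_phase": None, "drop_config": [], "nat_hits": None,
               "drop_reason": final.get("drop-reason")}
    for p in phases:
        for line in p.config:  # e.g. "translate_hits = 0, untranslate_hits = 34"
            m = re.search(r"translate_hits = (\d+), untranslate_hits = (\d+)", line)
            if m and summary["nat_hits"] is None:
                summary["nat_hits"] = (int(m.group(1)), int(m.group(2)))
        if p.result.upper() == "DROP" and summary["drop_phase"] is None:
            summary["drop_phase"] = f"{p.number} {p.type} {p.subtype}".strip()
            summary["drop_config"] = p.config
    return summary


# Constructed input, trimmed from the ALLOW trace posted in this thread.
ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  translate_hits = 0, untranslate_hits = 34
Additional Information:
Untranslate 81.121.211.194/443 to 192.168.1.221/443 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https

Result:
input-interface: Outside
output-interface: Inside
Action: allow
"""

# Constructed input: the same probe when no ACL entry permits it (implicit deny).
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Paste the full "Result of the command" text from ASDM into a file and call verdict() on it; when the action is drop, drop_phase and drop_config point straight at the rule (or implicit deny) that stopped the flow, and a NAT phase with untranslate_hits increasing while the ACL still drops tells you the NAT is matched and the access list is the problem.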
12-13-2013 04:46 AM
Many many Thanks Jouni for your help all up and running.
Can I just ask though, what is the difference between the below 2 configurations? Pros and cons.
(1) As a secondary range with its own default gateway.
(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.
12-13-2013 04:55 AM
Hi,
Option 1 is not possible with the ASA in the above way, specifically because you can't really have two default routes active at the same time. And as the ASA has no concept of a "secondary" address under its interface, the secondary subnet is only present in the NAT configurations of the device, and the ASA would use proxy ARP to make sure that there is connectivity from the WAN to these IP addresses even though they are not configured on any interface of the ASA.
I guess Option 2 is the simplest solution. The ISP would simply forward all traffic for the new subnet to the ASA's current WAN interface IP address, and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added, and there would be no need for ARP/proxy ARP between the ISP gateway and the ASA for this new subnet.
Glad to hear you got it working though
Please do remember to mark a reply as the correct answer if it answered your question, and rate helpful answers.
- Jouni
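The two options Jouni compares come down to how the ISP delivers 81.121.211.192/29 to the ASA, not to different NAT or ACL configuration. The CLI fragment below is an added example, not configuration from the thread or from Cisco, using the addresses the thread gives (81.121.211.194 mapped to 192.168.1.221, Outside IP 88.121.23.246); the existing ISP gateway for the current range is not stated on the page and is left as a placeholder. The NAT line is in the 8.2-style syntax that appears in the packet-tracer output; the 8.3+ object NAT equivalent is shown beside it, and only one of the two forms applies to a given ASA release.

```cisco
! Added example, not from the thread. Publish 192.168.1.221:443 as 81.121.211.194:443
! and permit it inbound on Outside (8.2 syntax, as in the trace above).
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https
access-group WAN_access_in in interface Outside

! 8.3+ equivalent of the static line above (use this form instead on 8.3 and later)
object network web-server
 host 192.168.1.221
 nat (Inside,Outside) static 81.121.211.194 service tcp https https

! Option 2 (routed): the ISP routes 81.121.211.192/29 to the Outside IP 88.121.23.246.
! The existing default route is all the ASA needs; it never has to answer ARP for the /29.
! <existing-ISP-gateway> is a placeholder for the gateway of the current range.
route Outside 0.0.0.0 0.0.0.0 <existing-ISP-gateway> 1

! Option 1 (on-link /29, gateway 81.121.211.193) depends on the ASA proxy-ARPing for
! .194 on Outside, which static NAT enables by default. That only works if .193 is on
! the same L2 segment as the Outside interface, and a second default route via .193
! cannot be active alongside the existing one. Disabling proxy ARP, as below, would
! break option 1 but does not affect option 2.
! sysopt noproxyarp Outside

! Verification: ACL hit counters, active translations, the ARP table, and the same
! trace the thread used (Outside -> 81.121.211.194:443 from a fake Internet source).
show access-list WAN_access_in
show xlate
show arp
packet-tracer input Outside tcp 8.8.8.8 12345 81.121.211.194 443
```

With option 2 the hit counter on the WAN_access_in entry and the untranslate_hits on the static should both increase for each test connection from the Internet; if the counters stay at zero, the ISP is not yet routing the /29 to 88.121.23.246 and the packet never reaches the ASA.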
12-23-2013 01:36 AM
Jouni, many thanks for sharing your knowledge and help.