New Member

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Hi all,

I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.

I need to keep the above and I also need to configure the firewall with the below range:

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193 - Please use this as your default gateway.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

Can you advise how this should be configured on the ASDM?

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Hi,

Option 1 is not possible with the ASA in the above way, specifically as you can't really have 2 default routes active at the same time. And as the ASA has no concept of a "secondary" address under its interface, that means the secondary subnet is only present in the NAT configurations of the device, and the ASA would use Proxy ARP to make sure that there is connectivity from the WAN to these IP addresses even though they are not configured on any interface of the ASA.

I guess Option 2 is the simplest solution. The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and the ASA for this new subnet.

Glad to hear you got it working though

Please do remember to mark a reply as the correct answer if it answered your question and rate helpful answers.

- Jouni

23 REPLIES
Super Bronze

Hi,

You won't have to add this configuration on your ASA other than to configure the NAT configurations that use these IP addresses.

The ISP should route this network towards your current public IP address configured on your external ASA interface. Or if they don't route the network towards your ASA then they need to configure the new public subnet as a "secondary" address range on their gateway interface.

If you are running a newer ASA software and the ISP configures the new subnet on their gateway interface towards your ASA then you will need to add this configuration command:

arp permit-nonconnected

In either case, you won't need to configure the IP address on any ASA interface or configure any additional routes on the ASA.

Hope this helps

- Jouni

New Member

Thanks for this;

Couple of questions:

My ISP sent me this:

"

I will be allocating your additional range shortly, could you please advise how you would like this to be configured:

(1) As a secondary range with its own default gateway.

(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.

"

88.121.23.246 is our current public address. What's the best way to have it setup?

Super Bronze

Hi,

If you have an ASA firewall facing the ISP and the ISP has stated that they route the new public network towards your current external interface IP address then you won't need any ARP or interface/route related configurations.

You can just start configuring NAT with the new public IP addresses and start using them.

If you have doubts do a Static NAT for a test host on the internal network using a new public IP address and test connectivity.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

New Member

Thank you for your fast reply.

I have noticed that the ISP has put in place (1) As a secondary range with its own default gateway.

But what is the better option to go for?

Super Bronze

Hi,

Whichever way the ISP does the configuration on their end, it should be enough for you to start configuring NAT using the new public IP address space.

IF the ISP has NOT routed the network towards your current external IP address of the ASA, then if you have a newer ASA software you have to add the command:

arp permit-nonconnected

I still don't know what software you are using on the ASA.

Have you tried configuring a test host with the new public IP address and testing if it works?

- Jouni

New Member

Hi Jouni,

It is ASA 8.2(5)

ASDM 6.4(5)

The ISP has NOT routed it towards the existing. I am using the ASDM, can you provide instructions as to how this should be configured?

Super Bronze

Hi,

It would seem to me that you just start configuring NAT with the new public subnet just like you have done so far for the existing public subnet you are using already.

You should NOT need any extra configurations, just start configuring NAT using those IP addresses as needed and test connectivity.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

New Member

Hi Jouni,

Sorry for slow reply.

I need to get this configured.

Do I need to configure a new interface on my ASA 5510 since my ISP is NOT routing towards my existing public IP?

I only have 2 available WAN ports on the ASA 5510, but 5 usable public IP addresses.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193

Super Bronze

Hi,

You should not need any new interface or route configurations on the ASA.

I assume that you have gotten the public IP address range to be used as NAT IP addresses on the ASA? If so then you should be able to configure them on the ASA if the ISP has configured their portion.

As I suggested before, I would put some test laptop on the LAN network, configure NAT for it using the new public IP address range and test connectivity.

- Jouni

New Member

"I assume that you have gotten the public IP address range to be used as NAT IP address on the ASA?"

How do I do this? Ask my ISP?

Super Bronze

Hi,

You don't have to ask the ISP for anything if they have already configured their part. You have mentioned that they have configured the new public subnet on their end as a "secondary" network? If this is true then it should be usable at the moment.

Again I would suggest that you configure Static NAT using one of the new public IP addresses for some test host on the LAN and actually test traffic. Configuring NAT with the original public IP address space you had and this new one isn't in any way different.

- Jouni

New Member

Hi,

Internally I can telnet to 192.168.1.221 on 443

But I am not able to telnet to 81.121.211.194 externally.

I have added the above nat rule, anything I need to do?

Super Bronze

Hi,

You would have to add an "access-list" rule on the external interface's ACL to allow traffic to this host that has the NAT.

Seems you have configured Static PAT (Port Forward) for port TCP/443.

- Jouni

New Member

Yes, I want to forward public traffic for 443 to 81.121.221.194 which NATs to 192.168.1.221.

On the ASDM, do I just need to add an access rule?

New Member

like this?

New Member

Any further thoughts?

Super Bronze

Hi,

Is the IP address correct? You talk about x.x.211.x and x.x.221.x IP addresses in the above posts. Check which one is the correct public IP address and use it in the NAT and ACL configurations.

After that you can try the "packet-tracer" command:

packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194 443

Post the output of the above command.

It should tell us if there is any problem with the ASA configurations.

- Jouni

New Member

Yes, the public IP 81.121.211.194 is correct and the LAN IP 192.168.1.221 is correct.

Thanks for the command, I ran it, see results below:

Super Bronze

Hi,

It doesn't show the whole output.

Can you copy/paste the output that is shown in the Response window.

Have you tested connection from the Internet towards this public IP address and have you checked what happens to the connections? Have you checked that the ACL's hit counter increases as you attempt the connection from the Internet?

- Jouni

New Member

Sorry.

See full below:

packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194  443

Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 81.121.211.194  443"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:
NAT divert to egress interface Inside
Untranslate 81.121.211.194/443 to 192.168.1.221/443 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface Outside
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
  match tcp Inside host 192.168.1.221 eq 443 Outside any
    static translation to 81.121.211.194/443
    translate_hits = 0, untranslate_hits = 34
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1897872, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
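
The two checks Jouni walks through in this thread, a static PAT that has no matching entry in the outside interface's ACL and a packet-tracer run that pinpoints the phase where a flow is dropped, can both be automated against saved output. The following is an added example written for this page, not code from the thread or from Cisco: a small Python script with constructed sample config lines and packet-tracer transcripts modelled on the ones posted above (the second forward on 81.121.211.195/smtp and the DROP transcript are invented for the example). It only understands the pre-8.3 "static" syntax the thread uses and the "permit ... any host X eq port" ACE form.

```python
"""Added example: cross-check ASA 8.2-style static PATs against the outside
ACL, and pull the first failing phase out of a packet-tracer transcript.
Config lines and transcripts below are constructed, not captured from a device.
"""
import re
from typing import Dict, List, Optional, Tuple

# Port names the ASA substitutes for numbers in its config output.
# Assumption: only these names appear in the input.
PORT_NAMES = {"https": 443, "http": 80, "www": 80, "smtp": 25, "ssh": 22}

# static (real_if,mapped_if) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
# Only the 'permit <proto> any host <dst> [eq <port>]' ACE form is handled.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp|ip) any host "
    r"(?P<dst>\S+)(?: eq (?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)")
# One packet-tracer phase header: Phase / Type / optional Subtype / Result.
PHASE_RE = re.compile(
    r"^Phase: (\d+)\nType: (\S+)(?:\nSubtype:[^\n]*)?\nResult: (\w+)", re.M
)

# Constructed config: two static PATs on Outside, but the ACL permits only the
# first. The second is the "NAT added, no access rule yet" state from the thread.
SAMPLE_CONFIG = """\
static (Inside,Outside) tcp 81.121.211.194 https 192.168.1.221 https netmask 255.255.255.255
static (Inside,Outside) tcp 81.121.211.195 smtp 192.168.1.25 smtp netmask 255.255.255.255
access-list WAN_access_in extended permit tcp any host 81.121.211.194 eq https
access-group WAN_access_in in interface Outside
"""

# Constructed transcript for the forward that lacks an ACE: un-NAT succeeds,
# then the implicit deny on the Outside ACL drops the flow.
SAMPLE_TRACE_DENIED = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed transcript for the working forward (abridged).
SAMPLE_TRACE_ALLOWED = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Result:
Action: allow
"""


def port_number(token: str) -> int:
    """Map 'https' or '443' to 443."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def find_unreachable_pats(config: str) -> List[str]:
    """Return 'mapped_ip/port' for every static PAT whose mapped interface has
    no inbound ACE permitting that host and port, i.e. a forward the implicit
    deny will block."""
    pats, groups = [], {}
    aces: Dict[str, List[Tuple[str, str, Optional[int]]]] = {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            pats.append(m)
        elif m := ACE_RE.match(line):
            port = port_number(m["port"]) if m["port"] else None
            aces.setdefault(m["acl"], []).append((m["proto"], m["dst"], port))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["acl"]
    unreachable = []
    for m in pats:
        mport = port_number(m["mapped_port"])
        # No access-group on the mapped interface means no entries at all.
        entries = aces.get(groups.get(m["mapped_if"], ""), [])
        permitted = any(
            dst == m["mapped_ip"] and proto in (m["proto"], "ip") and port in (mport, None)
            for proto, dst, port in entries
        )
        if not permitted:
            unreachable.append(f"{m['mapped_ip']}/{mport}")
    return unreachable


def first_denied_phase(trace: str) -> Optional[Tuple[int, str]]:
    """(phase number, Type) of the first phase whose Result is not ALLOW, or None."""
    for num, ptype, result in PHASE_RE.findall(trace):
        if result != "ALLOW":
            return int(num), ptype
    return None


def final_action(trace: str) -> Optional[str]:
    """The 'Action:' verdict at the end of the transcript ('allow' or 'drop')."""
    m = re.search(r"^Action: (\w+)", trace, re.M)
    return m.group(1) if m else None
```

Run find_unreachable_pats over a saved "show running-config" to list forwards that exist in NAT but are still blocked by the implicit deny on the outside interface; run first_denied_phase over a pasted packet-tracer transcript to get straight to the phase worth reading, which in the thread's case would have been Phase 2 (ACCESS-LIST) before the access rule was added.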

New Member

Many, many thanks Jouni for your help, all up and running.

Can I just ask though, what is the difference between the below 2 configurations? Pros and cons.

(1) As a secondary range with its own default gateway.

(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.

New Member

Jouni, many thanks for sharing your knowledge and help.
