Having more than one subnet on the outside interface
I have an ASA5505 connected to one ISP router. The ISP has given me two different subnets instead of just one (nothing to do about it).
Subnet 1: 87.54.x.x/29
Subnet 2: 195.41.x.x/29
I have some static NATs on the 87.54.x.x addresses and that is working fine. I have tried to create one static NAT on a 195.41.x.x interface. When I connect to the server I get the following error in the log: Deny TCP reverse path check from 87.54.x.x to 195.41.x.x on interface outside.
I have a 0.0.0.0 route on the outside interfacing to the ISP router on the 87.54.x.x network.
The problem is that although I have configured ACLs for the traffic to the 195.41.x.x address, it does not seem to work properly. I suspect that the ASA protects the network (and is telling me this with the Deny TCP reverse path check log entry), but I need traffic in to my network.
Do I need to create a route to the 195.41.x.x network, or do I need to add the 195.41.x.x IP address as a secondary IP address on the outside interface?
Re: Having more than one subnet on the outside interface
Hi, you have only one default gateway from the ISP, right? Let's say it's 87.54.x.1/29. The other subnet can ONLY be used for your DMZ application; there's no way you can have 2 public outside networks static NATted to the same inside network.
If you have a DMZ server, or a VPN box you want to put on the DMZ, you can use no-nat to achieve this with the second IP subnet.
You can have 3 VLANs on the ASA 5505, for example:
ip address 192.168.1.1 255.255.255.0
ip address 87.54.x.2 255.255.255.248
ip address 195.41.x.1 255.255.255.248
access-list no_nat_dmz permit ip 195.41.x.0 255.255.255.248 any
nat (dmz) 0 access-list no_nat_dmz
At your DMZ server, configure the default route to point to 195.41.x.1, so you can access the DMZ box/server via the second IP subnet.
If it's a VPN box, you can put the inside interface of the VPN box in your 5505 VLAN 1 (inside network).
Don't forget to allow the related traffic destined to the DMZ in the ACL outside-access-in.
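The reply's design assembled into one complete ASA 5505 configuration, as an added example that is not part of the thread (pre-8.3 NAT syntax, matching the "nat (dmz) 0" line above). The VLAN numbers, security levels, ISP gateway 87.54.x.1, DMZ host 195.41.x.2 and the published port are assumptions, and the "x" octets stay masked as in the thread.

```text
! Added example, not from the thread. Assumed: VLAN numbers, security levels,
! ISP gateway 87.54.x.1, DMZ host 195.41.x.2 publishing HTTPS.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 87.54.x.2 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 195.41.x.1 255.255.255.248
!
! One default route to the ISP gateway. The ISP must route 195.41.x.0/29
! toward 87.54.x.2, otherwise traffic for the second subnet never reaches the ASA.
route outside 0.0.0.0 0.0.0.0 87.54.x.1 1
!
! Identity (no) NAT: DMZ hosts keep their public 195.41.x.x addresses.
access-list no_nat_dmz extended permit ip 195.41.x.0 255.255.255.248 any
nat (dmz) 0 access-list no_nat_dmz
!
! Inside hosts still PAT to the outside interface address for Internet access.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Only the published service is allowed in to the DMZ host; everything else
! from outside is dropped by the implicit deny.
access-list outside-access-in extended permit tcp any host 195.41.x.2 eq 443
access-group outside-access-in in interface outside
!
! Unicast RPF on the outside interface is what produces the
! "Deny TCP reverse path check" message: a packet is dropped when the route
! back to its source does not point out the interface it arrived on.
ip verify reverse-path interface outside
```

With this layout the 195.41.x.x addresses live on the dmz interface, so the routing table answers the original question: no secondary address on outside and no extra static route, but the ISP side must forward the second /29 to the ASA.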