Cisco Support Community

Cisco ASA 5505, NAT separate public IPs to VLANs?

I'm seeking the advice of some experts here. I've got a new Cisco ASA 5505 with the Security+ license, and a Cisco L2 switch.

I've got 10 VLANs, and want to assign an individual public IP address to each VLAN's subnet. The point is that each of the 10 VLANs represents a different client office in my building, and each client may run similar services, want port forwarding, and whatnot.

I've not been able to figure out how to make it work. I'm familiar with 1:1 NAT, but not with a scenario where whatismyip.com shows a different IP depending on which VLAN I'm on. I'll end up port forwarding stuff for each client in the future, like RDP, etc.

The ASA is running version 9.2. Anyone able to spot a mistake in my config?

Here's a piece of my config, some part of which is incorrect and not working:

interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.67.62.66 255.255.255.248
!
interface Vlan110
 nameif sub110
 security-level 100
 ip address 192.168.11.1 255.255.255.0

I created an object for the second static:

object network ispstatic2
 host 69.67.62.67

Some objects:

object network sub110route
 subnet 192.168.11.0 255.255.255.0
 

And the route that doesn't appear to work:

object network obj_any
 nat (management,outside) dynamic interface
object network sub110route
 nat (any,any) dynamic ispstatic2
route outside 0.0.0.0 0.0.0.0 69.67.62.65 1
route sub110 192.168.11.0 255.255.255.0 69.67.62.67 1

1 ACCEPTED SOLUTION

Hi,

Have you applied the commands? Share me the following output:

1) show route 

2) ping 4.2.2.2 from your ASA 

Apply below commands

ip verify reverse-path interface outside

ip verify reverse-path interface sub110

If you still see the issue, open a WebEx session if you have one.

HTH

Sandy

 

12 REPLIES

Hi,

Update your config as below:

object network ispstatic2
 host 69.67.62.67
object network sub110route
 subnet 192.168.11.0 255.255.255.0
 nat (sub110,outside) dynamic ispstatic2

 

Likewise you can repeat this for the other VLANs. Your outside interface subnet range can accommodate only 4 public IP addresses for PAT, including your interface IP address.

Remove the below config:

no route sub110 192.168.11.0 255.255.255.0 69.67.62.67 1
no nat (any,any) dynamic ispstatic2

 

HTH

Sandy 
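
The one-object-per-VLAN pattern in the reply above, applied to every client VLAN in the posted config, as an added example that is not part of the thread. It uses Python's standard `ipaddress` module to count how many public addresses the /29 actually leaves for dedicated PAT once the ISP gateway (69.67.62.65) and the outside interface address (69.67.62.66, already used by the management PAT) are excluded, and emits ASA 9.x object-NAT lines only for as many VLANs as can be given their own address, reporting the rest instead of silently sharing. The object names (`subNNN_net`, `subNNN_pat`) and the 18-VLAN list derived from the posted interface numbering are this example's own assumptions.

```python
"""Per-VLAN dynamic PAT generator for an ASA 9.x (added example, not from the thread).

Assumptions taken from the posted config: outside is 69.67.62.66/29 with the ISP
gateway at 69.67.62.65; client VLANs are named sub110..sub280 and sit on
192.168.11.0/24 .. 192.168.28.0/24. Object names are this example's own.
"""
import ipaddress

OUTSIDE_NET = ipaddress.ip_network("69.67.62.64/29")
ISP_GATEWAY = ipaddress.ip_address("69.67.62.65")
OUTSIDE_IF = ipaddress.ip_address("69.67.62.66")

# (nameif, inside subnet) for every client VLAN in the posted config:
# VLAN 110 -> 192.168.11.0/24, VLAN 120 -> 192.168.12.0/24, ... VLAN 280 -> 192.168.28.0/24
CLIENT_VLANS = [(f"sub{v}", f"192.168.{v // 10}.0/24") for v in range(110, 290, 10)]


def dedicated_pat_addresses(net, gateway, interface_ip):
    """Public addresses the ASA can own for PAT besides its own interface address.

    The interface address is already consumed by 'nat (management,outside) dynamic interface'.
    """
    return [ip for ip in net.hosts() if ip not in (gateway, interface_ip)]


def build_pat_config(vlans, pool):
    """Return (config_lines, unmapped_vlans); each mapped VLAN gets one public address.

    The mapped object is a single host, which the ASA treats as dynamic PAT rather
    than 1:1 dynamic NAT. VLANs beyond the pool are reported, not doubled up.
    """
    lines, unmapped = [], []
    for index, (nameif, cidr) in enumerate(vlans):
        if index >= len(pool):
            unmapped.append(nameif)
            continue
        net = ipaddress.ip_network(cidr)
        lines += [
            f"object network {nameif}_pat",
            f" host {pool[index]}",
            f"object network {nameif}_net",
            f" subnet {net.network_address} {net.netmask}",
            f" nat ({nameif},outside) dynamic {nameif}_pat",
        ]
    return lines, unmapped


def plan():
    """Build the config for the thread's addressing; returns (config_lines, unmapped_vlans)."""
    pool = dedicated_pat_addresses(OUTSIDE_NET, ISP_GATEWAY, OUTSIDE_IF)
    return build_pat_config(CLIENT_VLANS, pool)


if __name__ == "__main__":
    config, missing = plan()
    print("\n".join(config))
    if missing:
        print(f"! {len(missing)} VLAN(s) have no dedicated public address: {', '.join(missing)}")
```

With the posted /29 the pool is 69.67.62.67 through .70, so only four client VLANs can each present a distinct address; the remaining ones need more address space from the ISP or must share. After pasting the generated lines, `show nat detail` and `show xlate` on the ASA confirm which mapped address each VLAN's connections are actually taking.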

I've updated my config as you've suggested, and VLAN 110 on 192.168.11.0 still does not appear to have any internet access. I can't ping out, or ping the "ispstatic2" address, or the ISP gateway address.

Any other suggestions?

Hi,

Share me your ASA config.

 

HTH

Sandy

ASA Version 9.2(1)
!
hostname sdbciscoasa
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport trunk allowed vlan 1-2,110,120,130,140,150,160,170,180,190,200,210,220,230,240,250,260,270,280
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.67.62.66 255.255.255.248
!
interface Vlan110
 description careco
 nameif sub110
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan120
 nameif sub120
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan130
 nameif sub130
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
interface Vlan140
 nameif sub140
 security-level 100
 ip address 192.168.14.1 255.255.255.0
!
interface Vlan150
 nameif sub150
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan160
 nameif sub160
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
interface Vlan170
 nameif sub170
 security-level 100
 ip address 192.168.17.1 255.255.255.0
!
interface Vlan180
 nameif sub180
 security-level 100
 ip address 192.168.18.1 255.255.255.0
!
interface Vlan190
 nameif sub190
 security-level 100
 ip address 192.168.19.1 255.255.255.0
!
interface Vlan200
 nameif sub200
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan210
 nameif sub210
 security-level 100
 ip address 192.168.21.1 255.255.255.0
!
interface Vlan220
 nameif sub220
 security-level 100
 ip address 192.168.22.1 255.255.255.0
!
interface Vlan230
 nameif sub230
 security-level 100
 ip address 192.168.23.1 255.255.255.0
!
interface Vlan240
 nameif sub240
 security-level 100
 ip address 192.168.24.1 255.255.255.0
!
interface Vlan250
 nameif sub250
 security-level 100
 ip address 192.168.25.1 255.255.255.0
!
interface Vlan260
 nameif sub260
 security-level 100
 ip address 192.168.26.1 255.255.255.0
!
interface Vlan270
 nameif sub270
 security-level 100
 ip address 192.168.27.1 255.255.255.0
!
interface Vlan280
 nameif sub280
 security-level 100
 ip address 192.168.28.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ispstatic2
 host 69.67.62.67
object network ispstatic3
 host 69.67.62.68
object network isstatic4
 host 69.67.62.69
object network harborstatic5
 host 69.67.62.70
object network sub110route
 subnet 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu sub110 1500
mtu sub120 1500
mtu sub130 1500
mtu sub140 1500
mtu sub150 1500
mtu sub160 1500
mtu sub170 1500
mtu sub180 1500
mtu sub190 1500
mtu sub200 1500
mtu sub210 1500
mtu sub220 1500
mtu sub230 1500
mtu sub240 1500
mtu sub250 1500
mtu sub260 1500
mtu sub270 1500
mtu sub280 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (management,outside) dynamic interface
object network sub110route
 nat (sub110,outside) dynamic ispstatic2
route outside 0.0.0.0 0.0.0.0 69.67.62.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.10.50-192.168.10.200 management
dhcpd enable management
!
dhcpd address 192.168.11.50-192.168.11.100 sub110
dhcpd enable sub110
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

 

Hi,

Run the packet-tracer command and share me the output; similarly, ping the internet destination 4.2.2.2 from your ASA to confirm the internet is reachable.

 

Paste me the output of the below command:

packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80

 

HTH

Sandy

 

sdbciscoasa# packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 69.67.62.65, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Hi,

Configure the below commands, then test again.

ip verify reverse-path interface sub110

access-list sub110_out extended permit ip 192.168.11.0 255.255.255.0 any

access-group sub110_out in interface sub110

Run the packet-tracer command again and share me the output.

 

HTH
Sandy

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 69.67.62.65, outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.11.1    255.255.255.255 identity

Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

I have applied the commands.

 

Here's the show route:

 

Gateway of last resort is 69.67.62.65 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 69.67.62.65, outside
C        69.67.62.64 255.255.255.248 is directly connected, outside
L        69.67.62.66 255.255.255.255 is directly connected, outside
C        192.168.10.0 255.255.255.0 is directly connected, management
L        192.168.10.1 255.255.255.255 is directly connected, management
C        192.168.11.0 255.255.255.0 is directly connected, sub110
L        192.168.11.1 255.255.255.255 is directly connected, sub110
C        192.168.12.0 255.255.255.0 is directly connected, sub120
L        192.168.12.1 255.255.255.255 is directly connected, sub120
C        192.168.13.0 255.255.255.0 is directly connected, sub130
L        192.168.13.1 255.255.255.255 is directly connected, sub130
C        192.168.14.0 255.255.255.0 is directly connected, sub140
L        192.168.14.1 255.255.255.255 is directly connected, sub140
C        192.168.15.0 255.255.255.0 is directly connected, sub150
L        192.168.15.1 255.255.255.255 is directly connected, sub150
C        192.168.16.0 255.255.255.0 is directly connected, sub160
L        192.168.16.1 255.255.255.255 is directly connected, sub160
C        192.168.17.0 255.255.255.0 is directly connected, sub170
L        192.168.17.1 255.255.255.255 is directly connected, sub170
C        192.168.18.0 255.255.255.0 is directly connected, sub180
L        192.168.18.1 255.255.255.255 is directly connected, sub180
C        192.168.19.0 255.255.255.0 is directly connected, sub190
L        192.168.19.1 255.255.255.255 is directly connected, sub190
C        192.168.20.0 255.255.255.0 is directly connected, sub200
L        192.168.20.1 255.255.255.255 is directly connected, sub200
C        192.168.21.0 255.255.255.0 is directly connected, sub210
L        192.168.21.1 255.255.255.255 is directly connected, sub210
C        192.168.22.0 255.255.255.0 is directly connected, sub220
L        192.168.22.1 255.255.255.255 is directly connected, sub220
C        192.168.23.0 255.255.255.0 is directly connected, sub230
L        192.168.23.1 255.255.255.255 is directly connected, sub230
C        192.168.24.0 255.255.255.0 is directly connected, sub240
L        192.168.24.1 255.255.255.255 is directly connected, sub240
C        192.168.25.0 255.255.255.0 is directly connected, sub250
L        192.168.25.1 255.255.255.255 is directly connected, sub250
C        192.168.26.0 255.255.255.0 is directly connected, sub260
L        192.168.26.1 255.255.255.255 is directly connected, sub260
C        192.168.27.0 255.255.255.0 is directly connected, sub270
L        192.168.27.1 255.255.255.255 is directly connected, sub270
C        192.168.28.0 255.255.255.0 is directly connected, sub280
L        192.168.28.1 255.255.255.255 is directly connected, sub280

 

 

I can successfully ping from the console:

sdbciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
sdbciscoasa#

 

Here's the most recent trace:

 

sdbciscoasa# packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 69.67.62.65, outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.11.1    255.255.255.255 identity

Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
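
Both traces in this thread were run with 192.168.11.1 as the source, which is the ASA's own sub110 interface address rather than a host behind it; the second trace shows this directly, resolving the source to the "identity" route before uRPF rejects it. Below is an added triage helper, not part of the thread, that parses `packet-tracer` output into phases, action and drop reason, and flags a source address that belongs to the ASA itself. The two traces are abridged copies of the ones posted above, the interface addresses come from the posted running config, and the host address used for the suggested retest is the first address of the posted sub110 DHCP pool, which is an assumption that a client actually sits there.

```python
"""Triage helper for ASA packet-tracer output (added example, not from the thread).

Traces are abridged copies of the two posted above; interface addresses come
from the posted running config; the retest host is an assumption.
"""
import re

ASA_INTERFACE_IPS = {"management": "192.168.10.1", "outside": "69.67.62.66", "sub110": "192.168.11.1"}
HOST_BEHIND = {"sub110": "192.168.11.50"}  # assumed test host: first address of the posted DHCP pool

CMD = "packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80"

TRACE_ACL_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 69.67.62.65, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_RPF = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 69.67.62.65, outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.11.1    255.255.255.255 identity

Result:
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

# One phase block: "Phase: n / Type: X / [Subtype: ...] / Result: Y"
PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*\nType:\s*(\S+)\s*\n(?:Subtype:[^\n]*\n)?Result:\s*(\S+)", re.M)


def parse_trace(text):
    """Extract per-phase (number, type, result), the final action and the drop reason."""
    phases = [(int(n), kind, res) for n, kind, res in PHASE_RE.findall(text)]
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    drop = re.search(r"^Drop-reason:\s*\(([^)]+)\)\s*(.*)$", text, re.M)
    ident = re.search(r"^in\s+(\S+)\s+255\.255\.255\.255\s+identity", text, re.M)
    return {
        "phases": phases,
        "action": action.group(1) if action else None,
        "drop_code": drop.group(1) if drop else None,
        "drop_text": drop.group(2).strip() if drop else "",
        "identity_source": ident.group(1) if ident else None,
    }


def analyze(cmd, trace, interface_ips=ASA_INTERFACE_IPS, hosts=HOST_BEHIND):
    """Parse the trace and flag a source address that belongs to the ASA itself."""
    tokens = cmd.split()
    if len(tokens) < 8 or tokens[:2] != ["packet-tracer", "input"]:
        raise ValueError("expected: packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>")
    ifc, src = tokens[2], tokens[4]
    report = parse_trace(trace)
    owner = next((name for name, ip in interface_ips.items() if ip == src), None)
    report["source_owner"] = owner
    findings = []
    if owner:
        findings.append(f"source {src} is the ASA's own {owner} address; the trace exercises the identity route, not a host behind {ifc}")
    if report["drop_code"] == "rpf-violated" and report["identity_source"]:
        findings.append("uRPF rejecting a packet that claims the ASA's own address is expected and is not a NAT or routing fault")
    report["findings"] = findings
    # Same command with the source swapped for a host behind the ingress interface, when one is known.
    report["suggested_command"] = " ".join(tokens[:4] + [hosts[ifc]] + tokens[5:]) if owner and ifc in hosts else None
    return report
```

Two further points a practitioner would check against the posted config rather than the replies: `ip verify reverse-path` only adds uRPF and never opens a path by itself, and the posted `global_policy` has no `inspect icmp`, so echo requests from inside hosts create no return state and the replies are dropped on `outside` by the implicit deny (the ASA's own `ping 4.2.2.2` succeeds because the box sources it). A retest from a host address, followed by `show xlate`, is what shows whether the sub110 PAT to 69.67.62.67 is actually being used.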

 

Share me webex or any remote

 

1) From your ASA, are you able to ping a host IP address on the network segment 192.168.11.1 255.255.255.0?

 

Hopefully it should work now, after you add your DNS server IP address to your end host.

 

HTH

Sandy

I've sent you an e-mail to your profile address for the remote session. Not sure if that's the best way to reach you or not. I can ping the host address of VLAN 1 externally.
