MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

veltech
Level 1

Hi All,

We are setting up a number of ASAs for use with corporate VPNs. When remote users connect using AnyConnect they can hairpin out to the internet from Head Office, and we need to allocate them a public IP address for this purpose. To avoid people getting the same public address each time they go to the internet, we want to set up a pool of public addresses that will be randomly allocated to users of the VPN. Also, for their inbound connection we have a DDNS name that resolves to a single IP address. So, in summary, clients connect to a single IP address on our ASAs, then hairpin out to the internet and are allocated a public IP address from a pool. We are looking at a few options to achieve this but would welcome any suggestions as to the best way to achieve this objective.

Thanks,

Accepted Solution

Hi,

To me it seems that the order of the chosen NAT IP address from the NAT pool is random. I tested this on my home ASA5505 with a small public address pool.

I am not sure if there is a difference between the different ASA software levels, or rather the NAT configuration format, since the 8.2 (and below) and 8.3 (and newer) formats are completely different.

So if we presume that you are configuring a NAT pool for VPN client users connected to the ASA, then the configurations you would need would be:

Software 8.3 and above

same-security-traffic permit intra-interface
object-group network VPN-POOLS
 description VPN User Address Pools
 network-object 10.10.10.0 255.255.255.128
 network-object 10.10.20.0 255.255.255.128
object network PUBLIC-POOL
 range 1.1.1.1 1.1.1.254
nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface

Software 8.2 and below

same-security-traffic permit intra-interface
nat (outside) 200 10.10.10.0 255.255.255.0
nat (outside) 200 10.10.20.0 255.255.255.0
global (outside) 200 1.1.1.1-1.1.1.254
global (outside) 200 interface

I am not sure what your user count is, but I would imagine you won't need such a large public address pool for the users. The above configurations also contain a dynamic PAT for when the NAT pool runs out.

Was this what you were looking for?

Hope this helps

- Jouni

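As an added example (not part of the thread, and not Cisco's or Jouni's code), the following Python script parses the 8.3-style configuration from the accepted answer, counts how many real (VPN pool) addresses the rule covers against how many mapped (public pool) addresses are available, and models what happens once the pool is exhausted. It makes the point behind the trailing `interface` keyword concrete: the two /25 VPN pools cover 256 addresses, but the public range 1.1.1.1-1.1.1.254 holds only 254, so without the interface PAT fallback the last clients would get no translation. The interface address 203.0.113.1, the `DynamicNatModel` class and its first-free-address allocation order are assumptions made for the example; the ASA's actual selection order among free pool addresses is not specified here.

```python
import ipaddress
import re
from itertools import count

# Constructed input: the ASA 8.3+ configuration posted in the accepted answer.
ASA_CONFIG = """\
same-security-traffic permit intra-interface
object-group network VPN-POOLS
 description VPN User Address Pools
 network-object 10.10.10.0 255.255.255.128
 network-object 10.10.20.0 255.255.255.128
object network PUBLIC-POOL
 range 1.1.1.1 1.1.1.254
nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface
"""

OBJECT_RE = re.compile(r"object(?:-group)? network (\S+)$")
NETWORK_OBJECT_RE = re.compile(r"network-object (\S+) (\S+)$")
RANGE_RE = re.compile(r"range (\S+) (\S+)$")
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\)(?: after-auto)? source dynamic (\S+) (\S+)( interface)?$"
)


def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to the list of
    IPv4 addresses it covers. Subnets are expanded including the network and
    broadcast address, because the NAT rule matches every real address in the object."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := OBJECT_RE.match(line)):
            current = m.group(1)
            objects[current] = []
        elif current and (m := NETWORK_OBJECT_RE.match(line)):
            objects[current].extend(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif current and (m := RANGE_RE.match(line)):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            objects[current].extend(ipaddress.ip_address(i) for i in range(lo, hi + 1))
    return objects


def parse_dynamic_nat(config):
    """Extract the first 'source dynamic' rule: real object, mapped object, and
    whether the trailing 'interface' keyword enables PAT fallback."""
    for raw in config.splitlines():
        if (m := NAT_RE.match(raw.strip())):
            return {"real": m.group(3), "mapped": m.group(4),
                    "pat_fallback": m.group(5) is not None}
    raise ValueError("no 'source dynamic' NAT rule found")


def capacity_report(config):
    """Compare real (VPN pool) address count with mapped (public pool) address
    count and report whether pool exhaustion is handled by the rule."""
    objects = parse_objects(config)
    rule = parse_dynamic_nat(config)
    real = len(objects[rule["real"]])
    mapped = len(objects[rule["mapped"]])
    return {
        "real_addresses": real,
        "mapped_addresses": mapped,
        "overflow": max(0, real - mapped),
        "exhaustion_handled": real <= mapped or rule["pat_fallback"],
    }


class DynamicNatModel:
    """Hypothetical model of dynamic NAT: a new real source takes one free mapped
    address for the life of its xlate; once the pool is empty, traffic falls back
    to PAT on the interface address if the rule allows it. The model hands out the
    first free address; the ASA's own ordering is not assumed."""

    def __init__(self, config, interface_ip):
        objects = parse_objects(config)
        rule = parse_dynamic_nat(config)
        self.free = list(objects[rule["mapped"]])
        self.pat_fallback = rule["pat_fallback"]
        self.interface_ip = ipaddress.ip_address(interface_ip)  # assumed outside address
        self.ports = count(1024)   # hypothetical source-port allocator for PAT
        self.xlates = {}           # real_ip -> (mapped_ip, port or None)

    def translate(self, real_ip):
        real_ip = ipaddress.ip_address(real_ip)
        if real_ip in self.xlates:
            return self.xlates[real_ip]  # an existing xlate is reused, not re-picked
        if self.free:
            xlate = (self.free.pop(0), None)
        elif self.pat_fallback:
            xlate = (self.interface_ip, next(self.ports))
        else:
            raise RuntimeError(f"NAT pool exhausted, no translation for {real_ip}")
        self.xlates[real_ip] = xlate
        return xlate


def simulate_all_clients(config, interface_ip):
    """Translate every real address once and count pool hits versus PAT fallbacks."""
    objects = parse_objects(config)
    rule = parse_dynamic_nat(config)
    model = DynamicNatModel(config, interface_ip)
    results = [model.translate(ip) for ip in objects[rule["real"]]]
    pooled = sum(1 for _, port in results if port is None)
    return {"pooled": pooled, "pat": len(results) - pooled}


if __name__ == "__main__":
    print(capacity_report(ASA_CONFIG))
    print(simulate_all_clients(ASA_CONFIG, "203.0.113.1"))
```

Running it reports 256 real addresses against 254 mapped ones with an overflow of 2, which the `interface` fallback absorbs; dropping that keyword from the rule makes `DynamicNatModel.translate` raise for the last two clients, which is the failure mode the answer's "when the NAT pool runs out" remark is guarding against.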

5 Replies

Jouni Forss
VIP Alumni

Hi,

Well, I guess you would simply configure a dynamic NAT for the VPN users. You would have a pool/range of public IP addresses from which addresses would be allocated to VPN clients as they connect to the Internet.

I am not sure what you mean by the inbound connections (unless you mean return traffic for connections initiated by the clients).

Naturally the NAT configuration format depends on your ASA software level, as there's a major difference between 8.2 (and older) and 8.3 (and newer).

- Jouni

Hi,

The inbound connections are for the VPN clients to ingress the ASAs; they then hairpin out to the internet, where they are allocated a public IP address for their internet session. We will NAT them from the LAN VPN pool outbound, but it's the allocation of a public IP address we are looking into. There won't be any local access, so we don't need to set up a NAT exemption for the VPN users. Also, I can't remember if the dynamic NAT allocates public addresses on a round-robin or random basis; any ideas?

Thanks,


Hi Jouni,

Thanks for your response, and apologies for our delay in replying; we had to set this up in the lab. Anyway, this is the configuration we have decided to use, so your answer was helpful. Thank you.

Regards,

Hi,

Thank you for getting back to me. Great to hear that it helped.

- Jouni