topic ASA ISP CIDR Setup in Network Security

ASA ISP CIDR Setup

tylerphillippe — Fri, 21 Feb 2020 14:26:34 GMT

Hello all!

I have recently acquired a new block of CIDR IP addresses from my ISP and I don't understand how to get it setup.

WAN address: 68.x.x.232

WAN gateway: 68.x.x.225

CIDR network: 70.y.y.112/28

Usable addresses: 70.y.y.114 - .126

How do I get this to work on an ASA 5512-X? Any help would be appreciated. Thanks!

Re: ASA ISP CIDR Setup

mfilipovski — Thu, 05 Oct 2017 16:33:05 GMT

Hi,

Sorry i read the question a bit fast

Just use the block for the service you need, for example new rules. The ISP points the block to your existing setup.

Martin

Re: ASA ISP CIDR Setup

tylerphillippe — Thu, 05 Oct 2017 16:47:22 GMT

That statement makes literally no sense.

I need help getting this setup from scratch.

Re: ASA ISP CIDR Setup

mfilipovski — Thu, 05 Oct 2017 16:56:20 GMT

Sorry,

What i meant was that your provider points the new block of address to the existing configuration in their router. So basically you can start using them right away, for example configure a new static nat rule with one of the new IP´s.

edit: you mean that you want to start using the extra block you aquired from the provider?

Re: ASA ISP CIDR Setup

Marvin Rhoads — Thu, 05 Oct 2017 17:02:15 GMT

Your WAN block is of course a standard setting that you would configure under your interface connected to your ISP. For instance:

int gi0/1

nameif outside

ip address 68.x.x.232 <netmask>

route 0 0 68.x.x.225

The CIDR block would be used for statc or dynamic NAT of your internal hosts. For example:

nat (inside,outside) source static <private address> 70.y.y.114

(Best practice would be to use objects with more human-readable names vs raw addresses in your NAT statements.)

Re: ASA ISP CIDR Setup

tylerphillippe — Thu, 05 Oct 2017 17:02:10 GMT

Marvin,

I think I understand setting the outside facing port to the given address and then setting the route. I have seen online that I need to set the inside facing port to one of the CIDR addresses, for example 70.y.y.114. Is this correct?

Re: ASA ISP CIDR Setup

tylerphillippe — Thu, 05 Oct 2017 17:43:30 GMT

Before this change, we just had five separate routable addresses. We bought a CIDR block of 13 and everything has changed.

We never had a CIDR block to begin with, so that's why I don't understand how to make it work.

I understand the port connected to the modem needs to be the WAN address and I think another port for the LAN needs to be one of the CIDR addresses. But, that is as much as I understand.

I can't even get the LAN port to ping the WAN port on the ASA, states there is no route even though they are both directly connected...

Re: ASA ISP CIDR Setup

Marvin Rhoads — Fri, 06 Oct 2017 02:25:53 GMT

I'm not sure exactly what you're asking when you say "set the inside facing port to one of the CIDR addresses". A NAT rule such as I cited earlier suffices. Routing-wise the upstream provider router sends that traffic to your ASA.

If the traffic is initiated from inside, the NAT plus the upstream provider's return path routing suffice to allow a flow and connection to establish.

If the traffic is initiated from outside, the NAT rule and provider routing plus an access list allowing the traffic inbound will be needed.

Re: ASA ISP CIDR Setup

Kias — Fri, 06 Oct 2017 04:45:09 GMT

Hi,

Do you want to set the ASA in routed mode or transparent mode?

Please advise your network considerations and goals.

Regards,

Kias