topic The Routed_Lan wont need a in Network Security

ASA5510 Public Pool IP Address Assignment on LAN Server

faiqmahdi — Tue, 12 Mar 2019 07:09:18 GMT

I have a requirement where i can assign the Public Pool IP Address to my LAN Server. I don't want to do one to one NAT.

ISP IP Address: 2.2.2.1 /30

ASA IP Address: 2.2.2.2 /30

ASA DGW: 2.2.2.1

Public IP Pool from ISP: 3.3.3.0 3.3.3.7/29

I want to assign one of the Public Pool IP Address directly to my Server, e.g. 3.3.3.1

Question:

What will be the ASA Configuration

What will be the Gateway of Server

I have also attached the topology I am looking for.

Thanks and regards

More than likely you wont be

Philip D'Ath — Sun, 17 Jan 2016 19:16:01 GMT

More than likely you wont be able to make this work. You need to figure out another way of doing this.

That's really weird, If ASA

faiqmahdi — Sun, 17 Jan 2016 20:34:51 GMT

That's really weird, If ASA does not support this. I am really expecting more in ASA. Let's hope for the best. If i get someone who has done similarly earlier.

This is not an ASA issue.

Philip D'Ath — Sun, 17 Jan 2016 20:37:33 GMT

This is not an ASA issue. This is a fundamental and basic networking concept to do with IP routing. You have a fundamental issue with your network design preventing this configuration.

Customer has already the same

faiqmahdi — Mon, 18 Jan 2016 08:15:33 GMT

Customer has already the same implementation with DrayTek Router and we are going to replace the DrayTek with ASA. If ASA does not support the same feature, probably we have to stick with DrayTek just because of this feature.

Without NAT the only way to

Philip D'Ath — Mon, 18 Jan 2016 08:21:47 GMT

Without NAT the only way to make this work is with a routed subnet to the server. I suspect things are not working as you think.

Here is the link, that's

faiqmahdi — Mon, 18 Jan 2016 08:25:28 GMT

Here is the link, that's exactly how we configured the DrayTek. Similar behavior customer is looking for ASA.

http://www.draytek.com/index.php?option=com_k2&view=item&id=5660&Itemid=293&lang=en

It looks to me like it is

Philip D'Ath — Mon, 18 Jan 2016 08:37:03 GMT

It looks to me like it is setting up a routed /30 subnet.

An easier config would be to create a DMZ and put 3.3.3.0/29 on it. Then put the servers you want to have public IP addresses directly into the DMZ with real IP addresses on them. Then no NAT for servers. Users can be NATed to the outside IP address of the ASA and life will be simple.

Hi Philip

faiqmahdi — Sat, 23 Jan 2016 17:49:11 GMT

Hi Philip

I am giving a shot as you mentioned.

!
interface Ethernet0/3
nameif Routed_LAN
security-level 0
ip address 3.3.3.1 255.255.255.248

Two Questions:

1st Question: What will be the Internet Route for this Interface. I tried to add two Routes but no benefit:

route Routed_LAN 0.0.0.0 0.0.0.0 2.2.2.1 (ISP Gateway)

ERROR: Cannot add route entry, conflict with existing routes

route Routed_LAN 0.0.0.0 0.0.0.0 2.2.2.2 (ASA IP Address)
%Invalid next hop address, it belongs to one of our interfaces

ASA Configuration:
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 2.2.2.2 255.255.255.252

route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.1 1

2nd Question:
What will be the Gateway of Server in Routed_LAN Subnet

Thanks.

The Routed_Lan wont need a

Philip D'Ath — Sat, 23 Jan 2016 17:52:46 GMT

The Routed_Lan wont need a gateway on the ASA, it will use the default route for the ASA to your ISP. Your ISP will need to route 3.3.3.0/29 via 2.2.2.2.

For a server plugged into the Route_Lan segment its gateway will be that of the ASA, 3.3.3.1.

Your new config will work perfectly.

I don't have any Server plug

faiqmahdi — Sat, 23 Jan 2016 18:04:31 GMT

I don't have any Server plug at the moment with Routed_LAN but I will give a try tomorrow. I am trying to configure it remotely.

I have enabled SSH for Routed_LAN Interface but I am not able to connect remotely:

ssh 0.0.0.0 0.0.0.0 Routed_LAN

I tried the following and here is the result:

MyFW# ping tcp Routed_LAN 8.8.8.8 53
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 8.8.8.8 port 53
from 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/6 ms
MyFW#

Routed_Lan is not your

Philip D'Ath — Sat, 23 Jan 2016 18:19:25 GMT

Routed_Lan is not your connection to your ISP, correct? Your ISP connects via your Outside IP address 2.2.2.0 /30, correct?

If you want to connect to the ASA from the Routed_Lan then use:

ssh 0.0.0.0 0.0.0.0 Routed_LAN

If you want to connect from the outside world then use:

ssh 0.0.0.0 0.0.0.0 outside

If you want to connect from inside of the network then use:

ssh 0.0.0.0 0.0.0.0 inside

The interface says where the SSH traffic must come in from.

You can not get to 8.8.8.8

Philip D'Ath — Sat, 23 Jan 2016 18:21:39 GMT

You can not get to 8.8.8.8 via Routed_Lan. Routed_Lan only has 3.3.3.0/29 on it.

You get to 8.8.8.8 via your outside interface - the connection to your ISP.

A host in Routed_Lan will send its traffic to 3.3.3.1, the ASA, which will then forward it to your ISP. The ISP traffic will come in over the outside interface 2.2.2.2 and then the ASA will forward it to Routed_Lan.

Hi Philip

faiqmahdi — Sat, 23 Jan 2016 18:25:41 GMT

Hi Philip

Routed_LAN is not my connection to ISP. ISP connects via Outside IP Address 2.2.2.0/30.

I will give a shot tomorrow by connecting the server with Routed_LAN. Thanks for all your sincere help.

Hi Philip

faiqmahdi — Sun, 24 Jan 2016 06:24:24 GMT

Hi Philip

I connected a Server and everything worked like a charm.

Thanks a lot and really appreciate all your sincere help.

Stay blessed.

You're welcome. I hope you

Philip D'Ath — Sun, 24 Jan 2016 06:45:29 GMT

You're welcome. I hope you'll enjoy your change to the ASA platform. It is a much nicer config having it work this way as well.