topic Okay so do the other devices in Network Security

Using both Dynamic and Static NAT with two Different Internet facing Subnets

stownsend — Tue, 12 Mar 2019 05:33:35 GMT

We have two Class C Public Address subnets. We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B). Later on down the road I found out that if the Firewalls Default Gateway is is set to a (B) Interface subnet, then the servers that are statically mapped to a (A) Address will have a (B) address when they communicate out to the internet. So they are receiving packets on their (A) Address, though replying to them with a (B) address.

It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound.

So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool.

Public IP: 192.168.1.100/24

Internal IP: 10.0.0.100/16

Public IP: 192.168.5.101/24

Internal IP: 10.0.0.101/16

interface Ethernet0/0
 description 192.168.1.0/24 Network Outside IP
 nameif outside-1
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/1
 description 192.168.5.0/24 Network Outside IP
 nameif outside-5
 security-level 0
 ip address 192.168.5.1 255.255.255.0 
!
interface Ethernet0/2
 description inside 10.0.0.0/16
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0 

object network serverA_o 
 host 192.168.1.100
 object network serverA_i 
 host 10.0.0.100
object network serverB_o 
 host 192.168.5.101
object network serverB_i 
 host 10.0.0.101

object network 192-168-1-NAT-POOL 
 range 192.168.1.50 192.168.1.239

nat (inside,outside-1) source static serverA_i serverA_o
nat (inside,outside-5) source static serverB_i serverB_o
nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface

object network serverA_i
 nat (inside,outside-1) static serverA_o
object network serverB_i
 nat (inside,outside-5) static serverB_o

route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2

When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101

Any Suggestions?

Thanks!

I'm not sure I follow.Firstly

Jon Marshall — Thu, 26 Feb 2015 13:42:06 GMT

I'm not sure I follow.

Firstly why have you got multiple entries for the same servers eg. -

nat (inside,outside-5) source static serverB_i serverB_o

and

object network serverB_i
nat (inside,outside-5) static serverB_o

as to why it is using the NAT pool that is because your default route pushes all traffic via the outside-1 interface and because serverB doesn't have a matching static statement for that interface it matches the NAT pool instead.

All traffic on your firewall will use the outside-1 because that default route has the lower AD and so is the one in the routing table.

It can't use the other route because it won't be in it's routing table.

You are using different next hop IPs for the default routes. Does this mean they are different ISPs or you have a different next hop router ?

If it is the same ISP and same next hop you don't need to assign any 192.168.5.x IPs to interfaces you can just use them in your NAT statements.

Can you clarify about the public IP blocks and the ISP(s) ?

Jon

Not sure why I have Multiple

stownsend — Thu, 26 Feb 2015 19:19:35 GMT

Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I looking at examples of the new and old styles of NAT.

We have a Single ISP, though have 2 separate non-Contiguous Class C Addresses from them. We host some Servers on one subnet and some on the other.

I'm looking for a way to use both Subnets on the same ASA.

The Connection to the net looks like this:

Internet -> Edge Router                           Layer3 VLAN Switch 
            GE0/1.2 - 192.168.1.1    VLAN Tagged -->    GE0 - VLAN Tagged
            GE0/1.2 - 192.168.5.1    VLAN Tagged -^  

Layer3 VLAN Switch                          Firewall
            GE1    192.168.1.0/24 Untagged     ->  ASA Outside-1 
            GE2    192.168.5.0/24 Untagged     ->  ASA Outside-5
Firewall
            ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100

Hope that helps clarify.

I could try to post some sanitized Configs of my PIX and ASA if needed. But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets.

You don't need to have two

Jon Marshall — Thu, 26 Feb 2015 19:48:37 GMT

You don't need to have two interfaces if it is the same ISP.

You have created two interfaces with vlan tagging to the ISP router but you only need one interface.

The new 192.168.5.x IPs you just use for NAT.

That way all traffic uses outside-1 as the interface and you don't have this issue with two default routes.

If you are keeping your old IPs as well as the new ones then it is even easier, just get the ISP to add a route to their router for the 192.168.5.x subnet pointing to your outside interface IP.

Jon

Thank you for your reply.

stownsend — Thu, 26 Feb 2015 21:33:17 GMT

Thank you for your reply. Both Subnets have Public Accessible Services on them. So we need to be able to have access to both Subnets.

The ASA (Currently hosting the 192.168.1.x IPs )and PIX (hosting the 192.168.5.x IPs) are only hosting a portion of the Publicly accessible IPs in the two Subnets. There are other Physical devices on each of the Subnets between the Edge Router and the ASA/PIX. So having the Edge router have a Route to the ASA's Outside Interface for one of the Subnets does not seem like an option.

Thank you,

Okay so do the other devices

Jon Marshall — Thu, 26 Feb 2015 21:58:24 GMT

Do these other devices need to be accessed from your internal networks using their public IPs ?

You can leave the ISP router with an interface in both networks but i still don't think your ASA needs one and in fact you don't want it to because of the two default routes.

If the ISP has an interface in both networks it will send an arp request for any IP within those networks. Your ASA should respond for any IPs it has configured with static NAT because it uses proxy arp.

Jon