topic Hi, I think you might need to in Network Security

multiple connection asa

gregrain1 — Tue, 12 Mar 2019 04:33:44 GMT

I need to connect 1 interface to mpls not nat-ed (Vlan2) and 1 connection to internet nat-ed (Vlan3). So all traffic out vlan 3 except for private network over mpls.

ASA Version 9.0(3)
!
hostname X.X.X.X
domain-name X.X.X.X
enable password XXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd X.X.X.X XXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
!
interface Vlan3
nameif internet
security-level 0
ip address 3.3.3.3 255.255.255.252
!
interface Vlan5
nameif dmz
security-level 50
ip address dhcp
!
boot system disk0:/asa903-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name XXXXXX
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,internet) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 internet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh X.X.X.X 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 internet
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password XXXXXXX/ encrypted
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:075862af675d99e7166b8165ac099879
: end
ASA#

Hi, I think you might need to

Jouni Forss — Fri, 01 Aug 2014 06:43:47 GMT

Hi,

I think you might need to clarify the situation a bit.

From what I understood you are saying that you have the basic internal and external interfaces on the ASA and also a link to a MPLS network where possinly some remote sites are located?

I am not sure what you are asking of us though? I do see that you have only configured a default route on the ASA. Naturally if there are some remote sites between one of the interfaces you should have static routes configured for those networks pointing to the correct interface and correct gateway IP address.

For traffic between your LAN and MPLS networks will go without NAT by default so you dont have to worry about that.

If your MPLS networks require NAT towards the External networks then you can do a similiar NAT configuration for it like you have for your LAN at the moment.

Your current interface naming is kinda confusing. It seems that the "outside" holds the default route while the "internet" does not have any routes.

So as I said can you please clarify your requirements for the setup.

- Jouni

I tried doing the route

gregrain1 — Fri, 01 Aug 2014 12:13:18 GMT

I tried doing the route statments but when I do I lose connectivity to the firewall.

Hi, I am not sure what

Jouni Forss — Fri, 01 Aug 2014 15:11:25 GMT

Hi,

I am not sure what changes you made so I can't really say anything. If you changed the default route to point somewhere else then that is probably the reason why you lost connectivity to the firewall.

We would really need to know exactly what you are attempting to do and what the interfaces are used for. You have interfaces "outside" and "internet" which both to me hint about an interface directly connected to the Internet.

If the other interface has a connection to some remote networks then that interface needs routes for specific networks only. The interface which is supposed to be used for Internet traffic needs to have the default route.

- Jouni

Ok lets see if this helps,

gregrain1 — Sat, 02 Aug 2014 14:43:43 GMT

Ok lets see if this helps, the ASA was the connection from a remote site through an MPLS connection back to the DataCenter. The MPLS connection was not fast enough to handle internal traffic plus internet traffic, so they installed a circuit for internet. The outside connection is for the MPLS traffic to the DC, the Internet connection is for internet only, so I need internal LAN traffic go across the outside interface and all other traffic go across the internet interface. I did a route outside 0 0 3.3.3.3 and route for 2.2.2.2/24 to go to the outside interface but when I do that I can't connect back to the ASA.

Was able to get this fixed.

gregrain1 — Wed, 06 Aug 2014 23:54:36 GMT

Was able to get this fixed. I changed the quad 0 route to route to vlan3. Remoted to a pc on the local LAN and was able to make the change.