topic Re: Cisco ASA public and private network on inside interface in Network Security

Cisco ASA public and private network on inside interface

ChaneySys — Tue, 04 Jun 2019 13:11:56 GMT

Hello,

We have a Cisco ASA 5516 that we use for public networking.

We have a single IP on the outside interface and IP a /22 block on the inside interface. The need has come up to privately IP something behind the firewall. So i have added an IP to VLAN1 of the switch for the new private IP range 172.17.67.0/24. Traffic can ping gateway and inside interface of ASA but cannot get to internet. I think i need some type of NAT as we have nothing in our NAT table except nonats for site to site VPN connections.

Does anyone have any examples of how we would NAT this?

basic layout with masked IP addresses

WAN<-->25.25.25.25 (outside)<-->25.26.26.26/22(inside)<-->172.17.67.1/24 (layer3 switch behind inside)

Thanks!

Re: Cisco ASA public and private network on inside interface

vsurresh — Tue, 04 Jun 2019 14:56:55 GMT

Try the below NAT command.

object-group network INSIDE-SUBNET

subnet 172.17.67.0 255.255.255.0

nat (inside,outside) dynamic interface

Re: Cisco ASA public and private network on inside interface

ChaneySys — Tue, 04 Jun 2019 15:03:17 GMT

Thanks for this. This may work in a dynamic case but looking for a static example sorry didn't specify. as host inside will be nat'd one to one to public IP. I have to open ports to the internet for the host so it cannot be outside interface ip.

inside inside

25.26.26.27 <--> 172.17.67.27 for example.

Re: Cisco ASA public and private network on inside interface

ChaneySys — Tue, 04 Jun 2019 16:07:30 GMT

I have added this as well and still do not get internet access 😞

@vsurresh wrote:
Try the below NAT command.
object-group network INSIDE-SUBNET
subnet 172.17.67.0 255.255.255.0
nat (inside,outside) dynamic interface

Re: Cisco ASA public and private network on inside interface

vsurresh — Tue, 04 Jun 2019 16:29:51 GMT

Do you want users to access this host via the public IP as well?
For example, users can internally access the host via 172.17.67.27:80 and external users can access it via 25.26.26.27:80
Is this what are you trying to achieve? If that is the case please add the below

object network host-name
host 172.17.67.27
nat (inside,outside) static 25.26.26.27 service tcp 80 80

You will also need inbound ACL to permit the traffic from outside to inside.

Re: Cisco ASA public and private network on inside interface

vsurresh — Tue, 04 Jun 2019 16:57:48 GMT

Can you please run a packet-tracer command and post the output?

#packet-tracer input inside tcp 172.17.67.27 25000 8.8.8.8 80

Re: Cisco ASA public and private network on inside interface

ChaneySys — Tue, 04 Jun 2019 19:28:43 GMT

@vsurresh wrote:
Can you please run a packet-tracer command and post the output?

#packet-tracer input inside tcp 172.17.67.27 25000 8.8.8.8 80

I executed this and it claims up and working but still do not get internet access on system IP'd 172.17.67.226 actually. But goes through NAT as expected.

Re: Cisco ASA public and private network on inside interface

ChaneySys — Tue, 04 Jun 2019 20:44:23 GMT

@vsurresh wrote:
Do you want users to access this host via the public IP as well?
For example, users can internally access the host via 172.17.67.27:80 and external users can access it via 25.26.26.27:80
Is this what are you trying to achieve? If that is the case please add the below

object network host-name
host 172.17.67.27
nat (inside,outside) static 25.26.26.27 service tcp 80 80

You will also need inbound ACL to permit the traffic from outside to inside.

Yes, that is what i am trying to achieve but the public IP address is on the inside interface not the outside. Outside has a single IP address and inside is /22 public IP's then i have the private also behind on interface inside.

I do have internet access now it ended up being a routing issue in the layer 3 switch.

Re: Cisco ASA public and private network on inside interface

venkat_n7 — Wed, 05 Jun 2019 03:07:13 GMT

WAN<-->25.25.25.25 (outside)<-->25.26.26.26/22(inside)<-->172.17.67.1/24 (layer3 switch behind inside)

Are you using the similar to above design currently, And if so Yes, how is existing connections working, when your L3 switch upstream interface connected to firewall is not in same subnet with firewall inside interface subnet?

- You said , you can reach firewall int -IP - 25.26.26.26 from 172.17.67.0/24 network, how is that possible?

Re: Cisco ASA public and private network on inside interface

ChaneySys — Thu, 13 Jun 2019 11:52:07 GMT

Sorry for the confusion but the NAT you gave me did work to get traffic from inside to outside on the proper IP address. I do have a route to point back to the layer 3 switch on the firewall to get traffic back to it.