topic CISCO ASA 5510 - Configuring with a range of public IP Addresses in Network Security

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Tue, 12 Mar 2019 03:12:49 GMT

Hi all,

I currently have an ASA 5510 firewall which is configured with 1x usable public IP address, which has a different default gateway/subnet to the below.

I need to keep the above and I also need to configure the firewall with the below range:

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193 - Please use this as your default gateway.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

Can you advise how this should be configured on the ASDM?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Wed, 04 Dec 2013 16:53:44 GMT

Hi,

You wont have to add this configuration on your ASA other than to configure the NAT configurations that use these IP addresses.

The ISP should route this network towards your current public IP address configured on your external ASA interface. Or if they dont route the network towards your ASA then they need to configure the new public subnet as a "secondary" address range on their gateway interface.

If you are running a newer ASA software and the ISP configures the new subnet on their gateway interface towards your ASA then you will need to add this configuration command

arp permit-nonconnected

In either case, you wont need to configure the IP address on any ASA interface or configure any additional routes on the ASA.

Hope this helps

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Thu, 05 Dec 2013 09:55:15 GMT

Thanks for this;

Couple of questions:

My ISP sent me this:

I will be allocating your additional range shortly, could you please advise how you would like this to be configured:

(1) As a secondary range with it's own default gateway.

(2) Use an IP from your current range which is live on your network (88.121.23.246). We will then configure a route for your new range with this IP as the next-hop.

88.121.23.246 is our current public address. What's the best way to have it setup?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Thu, 05 Dec 2013 10:00:32 GMT

Hi,

If you have an ASA firewall facing the ISP and the ISP has stated that they route the new public network towards your current external interface IP address then you wont need any ARP or interface/route related configurations.

You can just start configuring NAT with the new public IP addresses and start using them.

If you have doubts do a Static NAT for a test host on the internal network using a new public IP address and test connectivity.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Thu, 05 Dec 2013 10:59:21 GMT

Thank you for your fast reply.

I have noticed that the ISP as put in place (1) As a secondary range with it's own default gateway.

But what is the better option to go for?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Thu, 05 Dec 2013 12:31:22 GMT

Hi,

Which ever way the ISP does the configuration on their end it should be enough for you to start configuring NAT using the new public IP address space.

IF the ISP has NOT routed the network towards your current external IP address of the ASA then if you have a newer ASA software you have to add the command

arp permit-nonconnected

I still don't know what software you are using on the ASA.

Have you tried configuring a test host with the new public IP address and testing if it works?

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Thu, 05 Dec 2013 17:02:49 GMT

Hi Jouni,

It is ASA 8.2(5)

ASDM 6.4(5)

The ISP has NOT routed it towards the existing. I am using the ASDM, can you provide instructions as to how this should be configured?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Thu, 05 Dec 2013 17:16:01 GMT

Hi,

Would seem to me that you just start configuring NAT with the new public subnet just like you have done so far for the existing public subnet you are using already.

You should NOT need any extra configurations, just start configuring NAT using those IP address as needed and test connectivity.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Wed, 11 Dec 2013 14:10:47 GMT

Hi Jouni,

Sorry for slow reply.

I need to get this configured,

Do I need to configure a new interface on my asa5510 since my ISP is NOT routing towards my existing public ip?

I only have 2 available WAN ports on the asa5510, but 5 usuable public ip addresses.

For your use: 81.121.211.194 - 81.121.211.198 (inclusive)

IP Range: 81.121.211.192/29

Subnet: 255.255.255.248

Gateway: 81.121.211.193

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Wed, 11 Dec 2013 14:14:48 GMT

Hi,

You should not need any new interface or route configurations on the ASA.

I assume that you have gotten the public IP address range to be used as NAT IP address on the ASA? If so then you should be able to configure them on the ASA if the ISP has configured their portion.

As I suggest before, I would put some test laptop on the LAN network and configure NAT for it using the new public IP address range and testing connectivity.

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Wed, 11 Dec 2013 14:24:51 GMT

"I assume that you have gotten the public IP address range to be used as NAT IP address on the ASA?"

How do I do this? Ask my ISP?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Wed, 11 Dec 2013 14:29:09 GMT

Hi,

You dont have to ask the ISP for anything if they have already configured their part. You have mentioned that they have configured the new public subnet on their end as a "secondary" network? If this is true then it should be usable at the moment.

Again I would suggest that you configure Static NAT using one of the new public IP address for some test host on the LAN and actually test traffic.Configuring NAT with the original public IP address space you had and this new one isnt in any way different.

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Wed, 11 Dec 2013 17:03:02 GMT

Hi,

Internally I can telnet to 192.168.1.221 on 443

But I am not able to telnet to 81.121.211.194 externally.

I have added the above nat rule, anything I need to do?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Wed, 11 Dec 2013 17:12:50 GMT

Hi,

You would have to add an "access-list" rule on the external interfaces ACL to allow traffic to this host that has the NAT.

Seems you have configured Static PAT (Port Forward) for port TCP/443

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Wed, 11 Dec 2013 17:18:09 GMT

Yes I want to forward public traffic for 443 to 81.121.221.194 which Nats to 192.168.1.221

on the ASDM, do I just need to add an access rule?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Wed, 11 Dec 2013 17:22:26 GMT

like this?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Thu, 12 Dec 2013 09:13:07 GMT

Any further thoughts?

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Thu, 12 Dec 2013 09:16:49 GMT

Hi,

Is the IP address correct? You talk about x.x.211.x and x.x.221.x IP addresses in the above posts. Check which one is the correct public IP address and use it in the NAT and ACL configurations.

After that you can try the "packet-tracer" command

packet-tracer input outside tcp 8.8.8.8 12345 443

Post the output of the above command.

It should tell us if there is any problem with the ASA configurations

- Jouni

CISCO ASA 5510 - Configuring with a range of public IP Addresses

unrealone1 — Thu, 12 Dec 2013 11:20:59 GMT

Yes Public ip is correct 81.121.211.194 and lan ip is 192.168.1.221 is correct.

Thanks for the command, I ran it, see results below:

CISCO ASA 5510 - Configuring with a range of public IP Addresses

Jouni Forss — Thu, 12 Dec 2013 11:30:50 GMT

Hi,

It doesnt show the whole output.

Can you copy/paste the output that is shown in the Response -window.

Have you tested connection from the Internet towards this public IP address and have you chekced what happens to the connections? Have you checked that the ACLs hit counter increases as you attempt the connection from the Internet?

- Jouni