topic Re: global (outside) in Network Security

global (outside)

alan-wong — Tue, 12 Mar 2019 02:37:30 GMT

Hi. my company running ASA with inside and outside interface. Example below. Could you tell me why there are two difference global (outside) pool. However. the global (outside) 2 123.123.123.123 does not have IP address in interface and this subnet does not have ip route to outside.

1) How does it works without physical interface using on 123.123.123.123 subnet ?

2) How does it receive outside to inside PAT traffic without phsyical inteface using?

ASA Version 8.2(5)

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

global (outside) 1 111.111.111.222 netmask 255.255.255.255
global (outside) 2 123.123.123.123 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 111.111.111.1 1

global (outside)

Jouni Forss — Thu, 12 Sep 2013 09:39:53 GMT

Hi,

The configuration can be valid.

The ASA can only have a single IP address/subnet configured directly on its interface. This however doesnt prevent you from using multiple different subnets on the interface with NAT.

For the second subnet/address to work properly either of the 2 must be true about the ISP Router/Gateway in front of the ASA

It must have the second subnet configured directly under its interface connecting to the ASA as a "secondary" address range (something that is not possible in the ASA interface configuration mode as we noticed). In this setup the ISP Router/Gateway will ARP for the MAC address of the second subnet/address and the ASA will reply with its interface MAC address and this enables the traffic to be forwarded correctly.

The ISP Router/Gateway must have a route for the second subnet/address and the next hop must be the interface IP address of the ASA. In this situation the ISP Router/Gateway WONT ARP for the MAC address since the second subnet/address is not directly connected from the ISP Router/Gateways perspective. It will therefore forward any traffic destined to the second subnet/address to the ASA using the ASA interface IP address as the next hop.

With either of the above mentioned ways, it will work just fine. The first option might require some additional configurations on some newer software levels but your seem to be the older version so there is no problem.

You wont need any additional "route" configuration. Your current default route configuration will handle everything that is needed.

- Jouni

Re: global (outside)

alan-wong — Thu, 12 Sep 2013 11:30:54 GMT

But how come 123.123.123.123 can also be reach by 111.111.111.111 interface. I do not quite understand it? Please help.

Sent from Cisco Technical Support iPhone App

global (outside)

Jouni Forss — Thu, 12 Sep 2013 11:44:32 GMT

Hi,

I just explained it in the above reply.

I mentioned the 2 ways your above mentioned ASA configuration could have been handled from the ISP side and still work normally.

Your above configurations is very typical in situations where a company has several public subnets.

The ISP side might be configured like this

Example 1

interface GigabitEthernet1/1

description CUSTOMER

ip address 111.111.111.1 255.255.255.0

ip address 123.123.123.1 255.255.255.0 secondary

Example 2

interface GigabitEthernet1/1

description CUSTOMER

ip address 111.111.111.1 255.255.255.0

ip route 123.123.123.0 255.255.255.0 111.111.111.111

Unline in the above first example where ISP gateway interface has 2 networks/subnet configured on it, this is not possible on the ASA. In the ASAs case the WAN interface holds one subnet and rest of the subnets are only present in the NAT configurations.

So when we look at the 2 ISP configurations above the following would happen in them

Example 1

Packet arrives on the ISP gateway with destination IP address 123.123.123.123
ISP gateway sees that its part of a directly connected network in its GigabitEthernet1/1 interface
Because the destination IP address is part of a directly connected network the ISP gateway will next try to determine the MAC address of the device that owns the IP address 123.123.123.123
ISP Gateway sends an ARP Request and the ASA replys to this ARP request with its own WAN interfaces MAC address.
ISP gateway forwards the packet to the ASA
ASA has a NAT configurations for this IP 123.123.123.123 and an existing Dynamic PAT translation using the IP address 123.123.123.123 and therefore lets the packet pass to the actual hosts on the internal network.

Example 2

Packet arrives on the ISP gateway with destination IP address 123.123.123.123
ISP gateway sees that it has a routing table entry for the network 123.123.123.0/24 and its pointing to the next hop IP address of 111.111.111.111, therefore ISP gateway has to forward the packet destined to 123.123.123.123 to the next hop IP address of 111.111.111.111
The IP address 111.111.111.111 is part of a directly connected network to the ISP gateway
Because the destination IP address is part of a directly connected network the ISP gateway will next try to determine the MAC address of the device that owns the IP address 111.111.111.111
ISP Gateway sends an ARP Request and the ASA replys to this ARP request with its own WAN interfaces MAC address.
ISP gateway forwards the packet to the ASA
ASA has a NAT configurations for this IP 123.123.123.123 and an existing Dynamic PAT translation using the IP address 123.123.123.123 and therefore lets the packet pass to the actual hosts on the internal network.

- Jouni

Re: global (outside)

alan-wong — Thu, 12 Sep 2013 12:09:56 GMT

Thx. That means all 111.111.111.111 and 123.123.123.123 routing is take care by ISP. I just apply global (outside) 2 123.123.123.123 can also accept from 111.111.111.111 interface. Am I correct?

Sent from Cisco Technical Support iPhone App

global (outside)

Jouni Forss — Thu, 12 Sep 2013 12:15:04 GMT

Hi,

Provided that the ISP has handles its part correctly with regards to their gateway configurations you should be able to use your original posts configurations just fine.

You could even have a third or fourth subnets (or whatever amount you want) NAT configurations on the "outside" interface and they would work just as long as the ISP gateway would be configured correctly to forward the traffic (and naturally you would have to make sure you have configured the NAT properly)

You could for example have these configurations

global (outside) 1 111.111.111.222

global (outside) 2 123.123.123.123

nat (inside) 1 10.10.10.0 255.255.255.0

nat (inside) 2 10.10.20.0 255.255.255.0

The above configurations would basically mean that hosts in network 10.10.10.0/24 would have Dynamic PAT translation using IP address 111.111.111.222 towards any network behind "outside" interface and hosts in network 10.10.20.0/24 would have Dynamic PAT translation using IP address 123.123.123.123 towards any network behind "outside" interface.

- Jouni

Re: global (outside)

alan-wong — Thu, 12 Sep 2013 12:21:28 GMT

Thank you so so much

Sent from Cisco Technical Support iPhone App

Re: global (outside)

alan-wong — Thu, 12 Sep 2013 13:02:49 GMT

May I know why need Tcp and UDP max connection to the local host like below example?

nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000

Sent from Cisco Technical Support iPhone App