topic Cisco ASA 5515-x multiple public IP address blocks in Network Security

Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Tue, 12 Mar 2019 01:59:48 GMT

Good morning,

I am trying to install a new ASA 5515-x (OS 9.1) firewall in place of our old PIX 515-E (OS 6.4) firewall and I am having some difficulties.

I've been reading through the forum and I have found other people who are having issues with multiple public IP address blocks on their ASA appliances, but I tried adding arp permit-nonconnected as suggested and it didn't fix the problem. I am wondering now if there is something else wrong with my config and I'm hoping that someone here can help me with it.

My two public IP blocks are x.x.131.212 255.255.255.248 and y.y.56.200 255.255.255.248

My internal network is 10.0.0.x

The DMZ is 192.168.40.x

The parts I'm concerned about are the NATing and the ACLs.

Here is my config:

gw(config)# show run

: Saved

ASA Version 9.1(1)

hostname gw

domain-name ****.ca

enable password **** encrypted

passwd **** encrypted

names

name 10.0.0.3 AS400

name 10.0.0.27 DC-01

name 10.0.0.25 FS-01

name 10.0.0.26 FS-01-26

name 10.0.0.18 Faxserver

name 10.0.0.36 SpamFilter

name 10.0.0.5 WebFilter

name 192.168.40.213 VS-02

name 10.0.0.73 APP-02

name 10.0.0.72 APP-01

name 10.0.0.70 VS-01

name 192.168.40.218 WEB-02

name x.x.131.114 WEB-02_OUTSIDE

ip local pool Remote_Address 10.0.5.10-10.0.5.100 mask 255.255.255.0

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.131.114 255.255.255.248

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet0/1.2

vlan 2

nameif VOIP

security-level 100

ip address 10.0.10.1 255.255.255.0

interface GigabitEthernet0/2

nameif DMZ

security-level 4

ip address 192.168.40.1 255.255.255.0

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ftp mode passive

clock timezone MST -7

dns server-group DefaultDNS

domain-name firstcanadian.ca

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network AS400

host 10.0.0.3

object network FS-01

host 10.0.0.25

object network Exchange

host 10.0.0.35

object network APP-01

host 10.0.0.72

object network SpamFilter

host 10.0.0.36

object network WEB-02

host 192.168.40.218

object network WEB-02_outside

host 67.226.131.114

object network DMZ_IP_RANGE

subnet 192.168.40.0 255.255.255.0

object network inside_IP_RANGE

subnet 10.0.0.0 255.255.255.0

object network VOIP_IP_RANGE

subnet 10.0.10.0 255.255.255.0

object network NETWORK_OBJ_10.0.5.0_25

subnet 10.0.5.0 255.255.255.128

object network Remote_inside_drs

subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_10.0.0.0_24

subnet 10.0.0.0 255.255.255.0

object network Remote_inside_drs_DMZ

subnet 192.168.41.0 255.255.255.0

object-group service Mail tcp

description "Allow Mail Traffic from Outside"

port-object eq https

port-object eq 8080

port-object eq 444

port-object eq 465

port-object eq 995

port-object eq 993

port-object eq 587

port-object eq imap4

port-object eq pop3

object-group service WebAccess tcp

description "Allow Web Traffic to Web Service"

port-object eq www

port-object eq https

object-group service CA400_ODBC tcp

description "Allow traffic from WEB-02 to AS400"

port-object eq 446

object-group service Spamfilter tcp

description "Allow Mail Traffic to the Spamfilter"

port-object eq smtp

port-object eq ssh

object-group service IntWebApp tcp

description "Allow Internal Traffic from WEB-02 to APP-01"

port-object eq 8383

object-group icmp-type PingTraffic

description "Allow Echo Echo-Reply Unreachable and Time-Exceeded Traffic"

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list ACL_OUT remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside

access-list ACL_OUT extended permit icmp any x.x.131.0 255.255.255.0 object-group PingTraffic log

access-list ACL_OUT remark Allow Echo, Echo-Reply, Unreachable and Time-Exceeded on Outside

access-list ACL_OUT extended permit icmp any y.y.56.0 255.255.255.0 object-group PingTraffic log

access-list ACL_OUT remark "Allow Ping to WEB-02 on Outside"

access-list ACL_OUT extended permit icmp any object WEB-02 object-group PingTraffic log

access-list ACL_OUT remark "Allow HTTP and HTTPS to WEB-02_outside"

access-list ACL_OUT extended permit tcp any object WEB-02 object-group WebAccess log

access-list ACL_OUT remark "Allow Mail Traffic from Outside to Exchange"

access-list ACL_OUT extended permit tcp any object Exchange object-group Mail log

access-list ACL_OUT remark "Allow Mail Traffic from Outside to SpamFilter"

access-list ACL_OUT extended permit tcp any object SpamFilter object-group Spamfilter log

access-list ACL_OUT remark "Allow Hosts in DMZ to Browse Internet"

access-list ACL_OUT extended permit udp object WEB-02 any eq domain log

access-list ACL_OUT remark "Allow Site to Site VPN Traffic"

access-list ACL_OUT extended permit esp any 10.0.0.0 255.255.255.0

access-list ACL_OUT extended permit udp any eq 4500 10.0.0.0 255.255.255.0 eq 4500

access-list ACL_OUT extended permit udp any eq isakmp 10.0.0.0 255.255.255.0 eq isakmp

access-list ACL_DMZ remark "Allow echo,echo-reply,unreachable and time-exceeded on Outside"

access-list ACL_DMZ extended permit icmp object DMZ_IP_RANGE any object-group PingTraffic log

access-list ACL_DMZ remark "Allow FTP Access from DMZ to FS-01 on Inside"

access-list ACL_DMZ extended permit tcp object WEB-02 object FS-01 eq ftp

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to AS400"

access-list ACL_DMZ extended permit tcp object WEB-02 object AS400 object-group CA400_ODBC

access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to FCIC-APP-01"

access-list ACL_DMZ extended permit tcp object WEB-02 object APP-01 object-group IntWebApp

access-list ACL_DMZ extended permit udp object DMZ_IP_RANGE any eq domain

access-list ACL_DMZ extended permit tcp object DMZ_IP_RANGE any eq www

access-list ACL_DMZ extended permit tcp object DMZ_IP_RANGE any eq https

access-list Tunnel_Group_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs

access-list Remote_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list Remote_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0

access-list vpn-access extended permit ip 192.168.40.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object Remote_inside_drs

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu VOIP 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static inside_IP_RANGE inside_IP_RANGE destination static NETWORK_OBJ_10.0.5.0_25 NETWORK_OBJ_10.0.5.0_25 no-proxy-arp

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Remote_inside_drs Remote_inside_drs no-proxy-arp route-lookup

object network Exchange

nat (any,any) static y.y.56.204

object network SpamFilter

nat (any,any) static x.x.131.113

object network WEB-02

nat (any,any) static WEB-02_outside

object network DMZ_IP_RANGE

nat (DMZ,outside) dynamic interface

object network inside_IP_RANGE

nat (inside,outside) dynamic interface

object network VOIP_IP_RANGE

nat (VOIP,outside) dynamic interface

access-group ACL_OUT in interface outside

access-group ACL_DMZ in interface DMZ

router rip

passive-interface default

arp permit-nonconnected

route outside 0.0.0.0 0.0.0.0 y.y.56.206 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

***crypto section removed to save space

telnet 192.168.0.99 255.255.255.255 outside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

split-tunnel-policy tunnelspecified

username test password **** encrypted privilege 15

*removed Tunnel info to save space

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect http

inspect ipsec-pass-thru

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

password encryption aes

Cryptochecksum:****

: end

gw(config)#

Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Tue, 18 Jun 2013 19:19:40 GMT

I've been reading through the discussion boards and have changed my ACLs to reflect the suggestions made in other discussions.

I want to allow some traffic from the DMZ to the Inside, Web traffic to my web server in the DMZ and Email traffic to my email servers on the inside. I also want users on the inside and in the DMZ to be able to access the internet. Can someone please give this a quick review and let me know if my rules look ok?

access-list ACL_OUT remark "Allow Ping to WEB-02 on Outside"
access-list ACL_OUT extended permit icmp any object WEB-02 object-group PingTraffic log
access-list ACL_OUT remark "Allow HTTP and HTTPS to WEB-02_outside"
access-list ACL_OUT extended permit tcp any object WEB-02 object-group WebAccess log
access-list ACL_OUT extended permit icmp any object Exchange object-group PingTraffic
access-list ACL_OUT remark "Allow Mail Traffic from Outside to Exchange"
access-list ACL_OUT extended permit tcp any object Exchange object-group Mail log
access-list ACL_OUT extended permit icmp any object SpamFilter object-group PingTraffic
access-list ACL_OUT remark "Allow Mail Traffic from Outside to SpamFilter"
access-list ACL_OUT extended permit tcp any object SpamFilter object-group Spamfilter log
access-list ACL_OUT remark "Allow Site to Site VPN Traffic"
access-list ACL_OUT extended permit esp any 10.0.0.0 255.255.255.0
access-list ACL_OUT extended permit udp any eq 4500 10.0.0.0 255.255.255.0 eq 4500
access-list ACL_OUT extended permit udp any eq isakmp 10.0.0.0 255.255.255.0 eq isakmp

access-list ACL_DMZ remark "Allow FTP Access from DMZ to FS-01 on Inside"
access-list ACL_DMZ extended permit tcp object WEB-02 object FS-01 eq ftp
access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to AS400"
access-list ACL_DMZ extended permit tcp object WEB-02 object AS400 object-group CA400_ODBC
access-list ACL_DMZ remark "Allow Access from WEB-02 in DMZ to APP-01"
access-list ACL_DMZ extended permit tcp object WEB-02 object APP-01 object-group IntWebApp
access-list ACL_DMZ extended permit tcp host 192.168.40.204 object FS-01 object-group DMZtoInsideDomainTCP
access-list ACL_DMZ extended permit udp host 192.168.40.204 object FS-01 object-group DMZtoInsideDomainUDP
access-list ACL_DMZ remark Deny all other access from DMZ to Inside
access-list ACL_DMZ extended deny ip 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ACL_DMZ extended deny ip 192.168.40.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list ACL_DMZ remark Allow all other DMZ traffic out
access-list ACL_DMZ extended permit ip 192.168.40.0 255.255.255.0 any

Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Tue, 18 Jun 2013 20:54:56 GMT

Hi,

We're putting the new ASA in tonight, so just to cover all of my bases, what routes do I need to have set up for the multiple public IP subnets?

I've got:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address y.y.56.201 255.255.255.248

arp permit-nonconnected

route outside 0.0.0.0 0.0.0.0 y.y.56.206 1 (that is the gateway for the first subnet)

Do I need to also route my second subnet to the outside IP of my ASA like this:

route outside x.x.131.212 255.255.255.248 y.y.56.201 1

Or should that traffic be routed out through my primary gateway of y.y.56.206 along with the rest of the traffic?

Thank you in advance for any help you can give me!!

Re: Cisco ASA 5515-x multiple public IP address blocks

Ron_Boyd57 — Wed, 19 Jun 2013 01:49:24 GMT

Sorry I misread your intentions. I'll review our setup and see if I can shed some light. BTW: we have 1 5515 and several 5520's

Sent from Cisco Technical Support iPad App

Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Wed, 19 Jun 2013 13:04:15 GMT

Thank you Ron! Any help you can give me would be greatly appreciated.

Cisco ASA 5515-x multiple public IP address blocks

Jouni Forss — Wed, 19 Jun 2013 13:50:29 GMT

Hi,

I am a bit confused why I am seeing both "arp permit-nonconnected" and "no arp permit-nonconnected" in your configuration.

If your ISP has configured both public subnets on their gateway interface then the "arp permit-nonconnected" should be enough to enable ARP to work so that the secondary nonconnected subnet can be used for NAT.

You should also check that you dont see the following in your configuration

sysopt noproxyarp outside

You can confirm this with the command

show run all sysopt

If you see "no sysopt noproxyarp outside" then everything should be fine. If you see "sysopt noproxyarp outside" then you will have ARP problems.

When I look at your NAT configurations its mostly seems OK. Though naturally I personally like to keep the naming of objects consistent and clear. The only real thing I would immediately change is the Static NAT configurations.

Here is how you have configured NAT and how I would configure the NAT

CURRENT CONFIGURATION

nat (inside,outside) source static inside_IP_RANGE inside_IP_RANGE destination static NETWORK_OBJ_10.0.5.0_25 NETWORK_OBJ_10.0.5.0_25 no-proxy-arp

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static Remote_inside_drs Remote_inside_drs no-proxy-arp route-lookup

object network Exchange

nat (any,any) static y.y.56.204

object network SpamFilter

nat (any,any) static x.x.131.113

object network WEB-02

nat (any,any) static WEB-02_outside

object network DMZ_IP_RANGE

nat (DMZ,outside) dynamic interface

object network inside_IP_RANGE

nat (inside,outside) dynamic interface

object network VOIP_IP_RANGE

nat (VOIP,outside) dynamic interface

MY CONFIGURATION

NAT0 CONFIGURATINS FOR VPN

object network VPN-POOL

subnet 10.0.5.0 255.255.255.128

object network INSIDE

subnet 10.0.0.0 255.255.255.0

object network REMOTE-SITE

subnet 10.0.1.0 255.255.255.0

nat (inside,outside) source static INSIDE INSIDE destination static VPN-POOL VPN-POOL

nat (inside,outside) source static INSIDE INSIDE destination static REMOTE-SITE REMOTE-SITE

BASIC DYNAMIC PAT

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.255.255.0

network-object 10.0.10.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

STATIC NAT

If you only want to NAT these servers to public IP address towards the "outside"

object network Exchange

host 10.0.0.35

nat (inside,outside) static y.y.56.204

object network SpamFilter

host 10.0.0.36

nat (inside,outside) static x.x.131.113

object network WEB-02

host 192.168.40.218

nat (DMZ,outside) static x.x.131.114

If you want to NAT these servers to public IP address towards ANY interface on the ASA

object network Exchange

host 10.0.0.35

nat (inside,any) static y.y.56.204

object network SpamFilter

host 10.0.0.36

nat (inside,any) static x.x.131.113

object network WEB-02

host 192.168.40.218

nat (DMZ,any) static x.x.131.114

I am also somewhat confused as you mention you have 2 public subnets. You mention the end part of the IP address and the network mask. But when I compare one of these to the end of the IP address on your "outside" interface they dont really match? I mean they cant belong to the same /29 subnet.

What you should first determine is that naturally the NAT configurations for the directly connected network configured to your "outside" interface is working correctly.

When this is done you should try to determine what is the situation with the secondary subnet that is not configured on any interface but rather as NAT IP addresses on the ASA.

What you could do is

If you have Static NAT configured using one of the public IP addresses from the nonconnected network then attempt connections to it from the the Internet.
Then issue the command "show arp | inc outside" and look if you can see any ARP table markings for that public secondary subnet. The ISPs gateway IP addresses IP/MAC should be visible in the command output IF the ASA is populating its ARP table with the nonconnected networks IP addresses.
If its showing after the tests and you are still having problems then I would assume there is either some problems with the ASA configurations OR some problem behind the ASA on the local network.

A good tool to test ASA configured rules is to use the "packet-tracer" command. It will simulate a connection through your firewall and tell which rules it hits and if the connection is allowed or dropped

The basic configuration format is

packet-tracer input

If you will the above fields with the correct information related to what you are trying to get working then you should see wha the problem is if there is a problem with the ASA configurations.

Hope this helps

- Jouni

Re: Cisco ASA 5515-x multiple public IP address blocks

Jouni Forss — Wed, 19 Jun 2013 13:57:59 GMT

Hi,

To answer your other question about routes.

You will only need to configure the default route pointing towards your ISP gateway IP address of the network that is part of the connected network between the ISP gateway and your ASAs "outside" interface.

You dont need routes on the ASA for the other nonconnected public subnets.

- Jouni

Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Wed, 19 Jun 2013 14:06:52 GMT

Thank you so much for your help, Jouni! I'm going to go through my config again now and see if I can apply some of your suggestions.

Shelley

Re: Cisco ASA 5515-x multiple public IP address blocks

shelleylynn — Thu, 20 Jun 2013 14:31:37 GMT

We tried installing our new firewall last night, but it still didn't work properly. We can access the internet from inside and our phone system on VLAN 1 worked, but no traffic seems to be able to get into the firewall. I can't ping any of my public IPs and our web server and email server are not visible outside of the network.

I did a packet trace from the outside to our web server and it comes back with Allowed, so I don't understand what could be wrong.

If anyone has a few minutes to have a look at this for me, I would really appreciate it! We're going to purchase a SmartNet contract, but I would much prefer to be able to sort this with your help and repair some of the damage to my ego.

Here is the results of the show xlate command:

gw(config)# show xlate

8 in use, 8 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

NAT from inside:10.0.0.0/24 to outside:10.0.0.0/24