topic Multiple interfaces in outside VLAN in Network Security

Multiple interfaces in outside VLAN

nathan_hanks — Tue, 12 Mar 2019 01:00:25 GMT

This is for an ASA 5505 with the base license...

I have a situation where I will not have one interface in my outside VLAN, but instead I want to have interfaces 1-7 in my outside VLAN and interface0/0 in my inside VLAN.

Is this supported with the Base license, and if so how would I do this? Do I still just need to assign one IP address to the outside VLAN?

Or will I need to upgrade to the Security Plus license and put each interface in a separate outside VLAN, so in essence I would have 7 outside VLANs each with the same security level (0)?

My situation is that I have several partner networks that i want to "aggregate" thru my one ASA 5505. So each outside interface represents a separate partner (outside) network, each of which I want to get to from my inside network. Hence the many outside to one inside.

Thanks in advance and appreciate any help.

Re: Multiple interfaces in outside VLAN

Jouni Forss — Wed, 13 Feb 2013 17:20:53 GMT

Hi,

I guess the question is how are you planning on connection all those Partner Networks to the ASA? I'm not sure if I get the whole picture here.

Is there a completely separate physical connection coming from all the Partner Networks to your site and at your site you want to gather all the connections to the ASA forward all the traffic through the ASA5505 before entering your local network?

Or are you planning on some kind of L2L VPN setup or what?

- Jouni

Multiple interfaces in outside VLAN

nathan_hanks — Wed, 13 Feb 2013 20:00:51 GMT

JouniForss wrote:

- Jouni

Yes - this is my intent. Essentially I am bringing in many "outside" connections into one "inside" connection. All connections will be initiated from the inside.

Multiple interfaces in outside VLAN

Jouni Forss — Wed, 13 Feb 2013 20:23:28 GMT

Hi,

Heres what I am assuming

You have 7 separate physical connections coming to the location with the ASA5505
Each connections router will be connected to the ASAs physical port
The ASA will have no actual "outside" interface for Internet traffic?

I guess in this case it might even be possible to use Base License (are we talking about a 10 user limit when checking the "show version" output?)

You could try to

Configure a link network/subnet on the "outside" interface of the ASA. All the other connections router would also have an interface belonging to this link network/subnet
Add route configurations for the Partner Networks on the ASA "outside" interface pointing to the different routers
Add routes for your "inside" network on the mentioned routers that would point to the ASA "outside" interface IP address

I'm kinda wondering also that IF you have 10 user license then you will probably need to configure a default route pointing somewhere on the "outside" since the host behind the interface with the default route wont be counted towards the user limit.

Heres one discussion from these forums that clarifies the above a bit

https://supportforums.cisco.com/thread/2144579

There should also be Cisco document about the ASA5505 models user limits.

- Jouni

Multiple interfaces in outside VLAN

nathan_hanks — Wed, 13 Feb 2013 21:06:00 GMT

JouniForss wrote:

Hi,

Heres what I am assuming

You have 7 separate physical connections coming to the location with the ASA5505
Each connections router will be connected to the ASAs physical port
The ASA will have no actual "outside" interface for Internet traffic?

I guess in this case it might even be possible to use Base License (are we talking about a 10 user limit when checking the "show version" output?)

You could try to

Configure a link network/subnet on the "outside" interface of the ASA. All the other connections router would also have an interface belonging to this link network/subnet
Add route configurations for the Partner Networks on the ASA "outside" interface pointing to the different routers
Add routes for your "inside" network on the mentioned routers that would point to the ASA "outside" interface IP address

Heres one discussion from these forums that clarifies the above a bit

https://supportforums.cisco.com/thread/2144579

There should also be Cisco document about the ASA5505 models user limits.

- Jouni

Jouni - thanks for your time!

To answer your questions:

1. all your assumptions are correct

2. For each physical connection, there would be one long running TCP session - so there would be 7 connections per ASA, originating from an inside server to one host on each of the partner networks.

3. On all the route configurations you mention that is what I intended.

My resulting question is this:

How would I configure NAT in this instance?

Re: Multiple interfaces in outside VLAN

Jouni Forss — Wed, 13 Feb 2013 21:24:04 GMT

Hi,

The NAT configuration depends on your ASA software. It might even be that you would not need to configure ANY NAT at all

I actually didnt think one of the things through and that is that you would actually have 2 options how to handle the routing between the Partner Network routers and your "inside" network.

The first option which I have already said would be to add a route on every Partner Network router that tells that you "inside" network is found behind the ASA "outside" interface IP address. If your "inside" network is something that doesnt overlap with any of the Partner Networks you wont really need to do any NAT. Depending on your software the ASA might behave a bit differently
- On ASA 8.2 software you have to make sure the "nat-control" is on its default setting which is "no nat-control". If the default setting is on, you shouldnt see any mention of "nat-control" in the CLI configuration. However if "nat-control" is enabled, you should see it right above the first "global" configuration command in the CLI configuration
- On ASA 8.3 and newer software you could simply leave the ASA without ANY NAT configurations and it would simply route traffic in between and perform statefull firewalling only.
The second option would be to leave out configuring the routes on the Partner Network routers and simply NAT all traffic from the "inside" network to the "outside" interface IP address on the ASA with PAT translation. Since all the Partner Network routers are connected to the same link network/subnet with the ASA they wouldnt need a route for that PAT address on the ASA. They would see it as part of a "directly connected" network.

EDIT: Heres a link to the ASA 8.2 software Command Reference and the command "nat-control"

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

Hopefully I made any sense and the information was helpfull

- Jouni