topic Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1 in Network Security

Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1)

maramamarama — Tue, 12 Mar 2019 00:55:56 GMT

Hello there!

Am a novice myself, am making slow progress but there is an issue I've already lost a lot of time with and was thinkging maybe I can find some help here.

Our ISP assigned us 3 subnets, each with it's own gateway.

The idea now is to have the 5510 handle all the IPs and manage the NAT and basic routing for all the IPs in the 3 subnets. Some of them would en in DMZ, some in intranet. The goal is to achieve that in one interface and not using the separate ethernet ports for separate subnets. I've tried creating subinterfaces (Ethernet 0/0.1, 0/0.2) for each subnet but that did't work.

I know ASA is not a router, but I found several topics claiming it is possible, but those topics were either for 5505 or for pre 8.3 ASA. As I understood, I should NAT the subnets 2 and 3 into subnet 1 and then handle it from there. Anyone can direct me in right direction on how to achieve that?

tia

Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1

Jouni Forss — Mon, 04 Feb 2013 13:31:09 GMT

Hi,

So you are saying that you have 3 public subnets allocated from the ISP and want to use them on the ASA?

Can you clarify are you going to use them on the ASA "outside" interface or are you going to use some of the ranges behind the ASA as either directly connected networks on the ASA itself or route them towards the LAN?

A simple picture of your needs might also clarify the setup you are going for.

- Jouni

Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1

maramamarama — Mon, 04 Feb 2013 14:06:13 GMT

Yes, 3 public subnets allocated from the ISP and we want ASA to handle all of them. Most ot the IPs would end up on used for port forwarding... but some of them would stay on the outside but behind firewall (DMZ if I understand correctly) so ASA would be able to do ACL on those public IPs.

We asked the ISP to give us more IPs so that's how we ended up with multiple subnets in the first place (I'd be happy with single bigger subnet). So now we have enough IPs to assign to all the servers we want to have exposed and redirected to intranet, but I need to configure ASA to be able to handle them.

I don't want the exposed mailserver (in different subnet) talking directly to the oustide becasue then I cannot control the traffic.

ISP --> ASA --> Intranet router --> intranet clients

--> public mailserver

--> public webserver

--> public webserver2

quite usual setup - but in my case with multiple subnets.

Did I explain it well?

Re: Handling multiple subnets, NAT, port forwarding... (ASA5510,

Jouni Forss — Mon, 04 Feb 2013 14:31:02 GMT

Hi,

So I am assuming that all of the public IP addresses are to be used on the ASA itself as NAT IP addresses

I can only give you some configuration examples but nothing really specific since I dont have the exact information of the setup you have.

ISP gateway

First subnet as the connected network between ISP and ASA
Second and Third subnet routed towards ASA "outside" interface IP address

interface

description Customer Gateway

ip address 1.1.1.1 255.255.255.248

ip route 2.2.2.0 255.255.255.248 1.1.1.2

ip route 3.3.3.0 255.255.255.248 1.1.1.2

ASA

Interfaces & Default Route

interface

description Firewall Outside

nameif outside

security-level 0

ip address 1.1.1.2 255.255.255.248

route outside 0.0.0.0 0.0.0.0 1.1.1.1

interface

description LAN

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

interface

description DMZ

nameif dmz

security-level 50

ip add 192.168.10.1 255.255.255.0

Static NATs

object network DMZ-SERVER-1

host 192.168.10.10

nat (dmz,outside) static 2.2.2.1 dns

object network DMZ-SERVER-2

host 192.168.10.20

nat (dmz,outside) static 2.2.2.2 dns

object network LAN-SERVER-1

host 10.10.10.10

nat (inside,outside) static 3.3.3.1 dns

object network LAN-SERVER-2

host 10.10.10.20

nat (inside,outside) static 3.3.3.2 dns

OUTSIDE ACL

access-list OUTSIDE-IN remark Open services to DMZ and LAN servers

access-list OUTSIDE-IN remark DMZ Servers

access-list OUTSIDE-IN permit tcp any object DMZ-SERVER-1 eq

access-list OUTSIDE-IN permit tcp any object DMZ-SERVER-2 eq

access-list OUTSIDE-IN remark LAN Servers

access-list OUTSIDE-IN permit tcp any object LAN-SERVER-1 eq

access-list OUTSIDE-IN permit tcp any object LAN-SERVER-2 eq

access-group OUTSIDE-IN in interface outside

Default PAT rules

Using "outside" interface IP as PAT IP address

object-group network DEFAULT-PAT-SOURCE

description Source network for default PAT

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Those are just some examples.

Configurations naturally change if you decide to use the public subnets directly on the DMZ interface or further in your network. Then you naturally need to make sure through configurations that when those public addressed host traverse the ASA, their connections wont for example fall to the default PAT rule or something else along those lines (in the above example we did specify clearly the source networks for PAT)

- Jouni

Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1

maramamarama — Mon, 04 Feb 2013 19:10:32 GMT

Hello Jouni,

Thanx a lot for trying to help!!!

I don't have admin-access to ISP gateway, so I cannot route the 2 subnets the 1.1.1.2 on the ISP gateway level, but I was hoping to be able to do it on the ASA level.

Anyway, I tried to reduce the configuration to this, but it's still not working:


interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 61.99.232.108 255.255.255.248 
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 172.16.1.35 255.255.255.0 
object network Webserver
 nat (LAN,WAN) static 80.223.213.187
 host 172.16.1.78
access-list OUTSIDE-IN remark Open services to DMZ and LAN servers
access-list OUTSIDE-IN remark LAN Servers
access-list OUTSIDE-IN permit tcp any object Webserver eq http
access-group OUTSIDE-IN in interface WAN
object-group network DEFAULT-PAT-SOURCE
description Source network for default PAT
network-object 172.16.1.0 255.255.255.0
nat (any,WAN) after-auto source dynamic DEFAULT-PAT-SOURCE interface


but it's not working ;(

So:
1 subnet: 62.99.232.104/29
2 subnet: 80.223.213.176/28
LAN: 172.16.1.0/24
"main" public IP of the ASA: 61.99.232.106
inside IP of the ASA: 172.16.1.35
Webserver im LAN: 172.16.1.78

and I am trying to redirect all traffic coming to 80.223.213.187 to go to 172.16.1.78.

The next step would be to configure a DMZ to use for  example 80.223.213.188 (without NAT), but I first want to configure  simple forwarding outside->inside. FOrwarding the public IP from the  first public subnet block worked without an problems (61.99.232.110  -> 172.16.1.78) but I can't get the IP from the second subnet to  work.

Re: Handling multiple subnets, NAT, port forwarding... (ASA5510,

Jouni Forss — Mon, 04 Feb 2013 19:58:02 GMT

Hi,

Do you have the command "arp permit-nonconnected" configured on the ASA?

If not could you try adding that and trying again.

I think the 9.1 Command Reference includes the command "arp non-connected-subnet" but even though I have that software level i cant find that command format myself. Only the first one I mention

EDIT:

Heres the explanation from 9.0(1) Release Notes for your reference when they added the command

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

•Secondary subnets.

•Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table.

Also available in 8.4(5).

- Jouni

Re: Handling multiple subnets, NAT, port forwarding... (ASA5510,

Jouni Forss — Mon, 04 Feb 2013 20:08:53 GMT

Also,

I would like to suggest that if you are going to use some public IP addresses directly on the host behind the ASA and NOT as NAT IP addresses on the ASA then use the WHOLE subnet behind the ASA. You cant really use single IP public IP addresses behind the ASA (or any device for matter, unless host IP address on loopback interface etc)

For example

Subnet1 = "outside" interface connected network between the ASA and ISP
Subnet2 = Subnet directly configured on the ASA "dmz" interface and hosts behind it
Subnet3 = Subnet used on ASA for NAT configurations for servers

I would still suggest using only single IP subnet on the ISP router gateway interface towards your ASA and routing the rest towards your ASA (I think this is needed if you want to use the IP addresses behind the ASA)

- Jouni

Re: Handling multiple subnets, NAT, port forwarding... (ASA5510,

maramamarama — Tue, 05 Feb 2013 08:58:09 GMT

Jouni - it's working!!!!

Thanx a lot for your help

I will probably still have questions but this is a big milestone for me - thanx!

I restored to factory configuration and then did what you told me to do.

Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1

Jouni Forss — Tue, 05 Feb 2013 09:00:47 GMT

Hi,

Great that its working now

Please rate the answers and mark the question as answered so others can find the solution easier

Naturally it always helps the motivation to answer on these forums also

Dont hesitate to start new threads when you have questions. Theres usually someone here that can try to help.

- Jouni