topic ASA 5515 sub-interface question in Network Security

ASA 5515 sub-interface question

andbartsimpson — Tue, 12 Mar 2019 00:33:50 GMT

Hi,

I am working on translating configuration from a firewall named Joebox to ASA 5515.

On Joebox, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface.

I need to configure ASA 5515 in the same way, however it seems not simple.

- The way to configure subinterfaces on 5515 is by configuring VLAN.

- The interface can hold xx.xx.xx.73/29 without a problem.

- The first subinterface can have IP address xx.xx.xx.74 however with different mask(/16), as it doesn’t allow /29.

- The second subinterface doesn’t allow to enter IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same subnet."

I believe that there should be a workaround for this.

Can someone please help?

Thank you in advance.

Young

ASA 5515 sub-interface question

Eugene Korneychuk — Thu, 06 Dec 2012 16:51:15 GMT

Hello Young,

You can configure Ip addresses on interfaces, only if they are from different subnet. ASA will not allow you to put this commands.

From subnet 192.168.0.73/29

HostMin: 192.168.0.73

HostMax:   192.168.0.78

So, can you please describe what is the purpose of this configuration? What you want to achieve?

Please rate helpful posts

Best Regards,

Eugene

Re: ASA 5515 sub-interface question

Jouni Forss — Thu, 06 Dec 2012 17:34:30 GMT

Hi,

As you are using ASA5515 you are probably running software version 8.6 (confirmable with command "show version")

If I understood you correctly you have a /29 network from the ISP and want to use 1 IP for the "outside" interface and the rest of them as Static NAT IP address for different LAN hosts?

Assuming that the following apply

You have one LAN interface called "inside"
You have WAN interface called "outside"
Your LAN network is 10.10.10.0/24
You want Static Public NAT for the following 4 LAN IPs
- 10.10.10.10
- 10.10.10.11
- 10.10.10.12
- 10.10.10.13

Your configurations could look something like this

Default PAT for traffic heading to Internet

object-group network PAT-SOURCE

description PAT Source Networks

network-object 10.10.10.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

The above configuration should make a default PAT rule for outgoing traffic. In other words any client on the LAN that doesnt have own NAT IP configured with Static NAT commands will use the "outside" interface public IP. If you would happen to configure another LAN network behind the ASA you could just add that LAN network under the configured object-group PAT-SOURCE and it would also start using "outside" interface for PAT translation.

Static NAT for servers

object network STATIC-1

host 10.10.10.10

nat (inside,outside) static x.x.x.74

object network STATIC-2

host 10.10.10.11

nat (inside,outside) static x.x.x.75

object network STATIC-3

host 10.10.10.12

nat (inside,outside) static x.x.x.76

object network STATIC-4

host 10.10.10.13

nat (inside,outside) static x.x.x.77

The above configures Static NAT for 4 LAN hosts/clients
Each Static NAT configuration includes
- object network ,under which all the configurations follow
- host x.x.x.x , which defines the local source address for the Static NAT
- nat (inside,outside) static x.x.x.x , which defines the source and destination interface for the Static NAT and the actual NAT IP address

Access-list rules from Internet

access-list OUTSIDE-IN permit ip any object STATIC-1

access-list OUTSIDE-IN permit tcp any object STATIC-1 eq

access-list OUTSIDE-IN permit udp any object STATIC-1 eq

access-list OUTSIDE-IN permit ip any host 10.10.10.10

access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq

access-list OUTSIDE-IN permit udp any host 10.10.10.10 eq

finally

access-group OUTSIDE-IN in interface outside

Above are examples of configuring TCP/UDP, TCP or UDP rules to allow traffic with an ACL named OUTSIDE-IN
access-group OUTSIDE-IN in interface outside, attaches the ACL to the outside interface. It handles the traffic heading "in" towards the interface.

Hope the above was of some help. Please rate helpfull posts

- Jouni

ASA 5515 sub-interface question

andbartsimpson — Thu, 06 Dec 2012 17:34:46 GMT

Hi Eugene,

Thanks a lot for your reply.

My goal here is simple.

I need to configure 5515 exactly the same way as Joebox (less known firewall), for my customer.

Somehow, Joebox has 5 continuous public IP addresses on the physical interface, and I need to configure 5515 the same way.

Those IPs are routed to inside resources through NATing.

Let me know if further information is needed.

Would there be any workaround for this?

Any suggestions would be much appreciated.

Young

Re: ASA 5515 sub-interface question

Jouni Forss — Thu, 06 Dec 2012 17:39:53 GMT

And just to clarify a bit,

You dont configure the addiotional public IP addresses to any interface. You only give the interface its IP address. Rest of the IP addresses only need the NAT commands, nothing else.

- Jouni

Re: ASA 5515 sub-interface question

Eugene Korneychuk — Thu, 06 Dec 2012 17:41:29 GMT

Hi Young,

Thank you for clarification,

Your ISP will route traffic to your ASA. You do not need to assign the new IP to any interface. You can create statics using the address space and it will work because of the ISP sending the route down to you. Also you need to allow this connections using access-lists

Please rate helpfull posts

ASA 5515 sub-interface question

andbartsimpson — Thu, 06 Dec 2012 18:56:10 GMT

Thank you very much Jouni and Eugene.

You guys helped me out, I much*100 appreciate it.

Young