topic Adding a second global address for another IP range on ASA in Network Security

Adding a second global address for another IP range on ASA

bhogue — Mon, 11 Mar 2019 21:53:41 GMT

Hi all, I'm trying to add a second global address to my ASA 5510 (version 8.0(2)) for clients on a specific subnet. Since it's production I'd rather not experiment. I'd like anyone with a 10.255.255.x address to get the 172.16.0.1 (sanitized, obviously) public address. Will adding this work?

access-list guestVlanPolNat line 1 extended permit tcp 10.255.255.0 any

nat (inside) 2 access-list guestVlanPolNat

global (outside) 2 172.16.0.2

I already have the following in my config:

global (OUTSIDE) 1 172.16.0.1

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Thanks,

Bill

Adding a second global address for another IP range on ASA

Julio Carvajal — Tue, 22 Nov 2011 00:00:47 GMT

Hello Bhogue,

You can do the following

nat (inside) 1 0 0

nat (inside) 2 10.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.0.1

The Nat order or priority is:

Nat 0 with ACL (Nat exemption)

Static

Policy nat

Dynamic nat.

In this case we will be using Dynamic Nat for both of them, but the one more specific is going to take place first, so if a packet comes from 10.255.255.x it will be match to global (outside) 2.

Hope this helps,

Please rate helfpul posts.

Julio

Adding a second global address for another IP range on ASA

bhogue — Tue, 22 Nov 2011 20:26:39 GMT

Hi Julio

This is what I have now:

global (OUTSIDE) 1 172.16.0.1

global (OUTSIDE) 2 172.16.0.2

nat (inside) 0 access-list nonat

nat (inside) 2 10.255.255.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

I"m still getting all traffic from the 10.255.255.0 network translated to 172.16.0.1. Do I need to swap the nat (inside) 1 and nat (inside) 2 statements?

Adding a second global address for another IP range on ASA

Julio Carvajal — Wed, 23 Nov 2011 00:37:08 GMT

Hello,

Did you clear the xlate and local host tables??

I did a lab recreation and I got it working as expected, taking the global (outside) 2 ip add.

If you do a packet tracer like this what do you get (Please provide the output)

packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80

Regards,

Julio

Adding a second global address for another IP range on ASA

bhogue — Wed, 23 Nov 2011 15:14:34 GMT

Hi Julio,

I did clear xlate and clear local and even rebooted the firewall last night. Looking at the packet-tracer output (excellent tool BTW, will keep that one) it looks like the address should be translated correctly however when I go to a "what is my IP" site (I've tried a couple) they still return the nat (inside) 1 global address.

# packet-tracer input inside tcp 10.255.255.15 1025 4.2.2.2 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 2 (172.16.0.2)
translate_hits = 860, untranslate_hits = 2
Additional Information:
Dynamic translate 10.255.255.15/1025 to 172.16.0.2/1038 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 10.255.255.0 255.255.255.0
nat-control
match ip inside 10.255.255.0 255.255.255.0 OUTSIDE any
dynamic translation to pool 2 (172.16.0.2)
translate_hits = 860, untranslate_hits = 2
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 262028, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.0.254 using egress ifc OUTSIDE
adjacency Active
next-hop mac address 000f.8f42.a7c0 hits 139739

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Adding a second global address for another IP range on ASA

bhogue — Wed, 23 Nov 2011 15:40:31 GMT

I figured out the problem. Your initial configuration was corrrect. Our web filter (Barracuda, inline between LAN and ASA) was was making it appear that all outgoing traffic was coming from the filter. What is strange is that when I looked at the logs in the ASDM log viewer, they show the translation occuring correctly even though outside sites reported the public IP as 172.16.0.1.

Nov 23 2011

10:29:58

305011

10.255.255.10

50582

172.16.0.2

1024

Built dynamic TCP translation from inside:10.255.255.10/50582 to OUTSIDE:172.16.0.2/1024

Thanks again for your help.

Adding a second global address for another IP range on ASA

Julio Carvajal — Wed, 23 Nov 2011 17:37:32 GMT

Hello,

Great to hear that know everything is working.

Hope you have a great day,

Julio