topic Re: Using two External Subnets, One incoming one Outgoing? in Network Security

Using two External Subnets, One incoming one Outgoing?

stownsend — Mon, 11 Mar 2019 19:36:45 GMT

I have two Publick Subents and I wanted to use one for incoming traffic to Publick Facing Servers (DNS, Web, Mail, etc) then use the other for Outbopund traffic from other devices within the network.

1.1.1.0/28 is the Incoming

2.2.2.0/28 is the Outgoing

This is a partial Config, though I have a few Questions,

Do I need: nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface

For the Servers that are on the 1.1.1.0/28 network and Need to get to the net, the Default route is the 2.2.2.0/28 Subnet, though the Edge Router has Multiple Subinterfaces defined, so it handles both subnets. Is it going to slow things down be having the 2.2.2.0/28/ default route with the lower metric? Is there a way to define a default route based on the Source Address?

When I do a show xlate some of the internal devices will sometimes have both a 1.1.1.0/28 and a 2.2.2.0/28 address, though when querying whatismyip.com its always a 2.2.2.0/28 address unless its a NATed Network Object.

Thanks!

interface Ethernet0/0
 nameif outside-1
 security-level 0
 ip address 1.1.1.2 255.255.255.240
!
interface Ethernet0/1
 nameif outside-2
 security-level 0
 ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface
object network server1_i
 nat (inside,outside-1 static server1_o
object network server2_i
 nat (inside,outside-1 static server2_o
object network server3_i
 nat (inside,outside-1 static server3_o
route hbg-outside-2 0.0.0.0 0.0.0.0 2.2.2.1 1
route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10

Re: Using two External Subnets, One incoming one Outgoing?

Panos Kampanakis — Tue, 18 Jan 2011 16:20:29 GMT

With

nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface

Any host behind the inside will be translated to 111 pool (fallback the outside1 interface ip) when going out the outside1 interface.

And when going out the outside2, they will look like 222 pool (fallback the outside2 interface ip).

So, it all depends on routing. If routing says you will go out outside1 you will look like 1111, if routing says outside2 is the interface you will go out one than you will look like the other pool.

I hope it explains it.

Re: Using two External Subnets, One incoming one Outgoing?

stownsend — Tue, 18 Jan 2011 17:56:35 GMT

Sort of....

So since I have :

route hbg-outside-2 0.0.0.0 0.0.0.0 2.2.2.1 1

route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10

They will get the 2.2.2.0/28 address from nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface since that is the lower Metric Default Route.

If 2.2.2.1 is not accessible then they will get the 1.1.1.0/28 from nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface

Since 2.2.2.1 and 1.1.1.1 are the Same Physical Interface, if one goes down so will the other, so having the second route statement in there is kind of pointless.

I just want to be sure that I can have my Incoming servers with Static NAT mapping to the 1.1.1.0/28 subnet and have all of the outgoing devices use the 2.2.2.0/28 subnet for everthing else.

The other thing that is confusing me is I have a Server with a Static Mapping:

object network 10.1.0.5
  nat (inside,outside-1) static 1.1.1.5

When I do a Show xlate I see the Following:

NAT from inside:10.1.0.5 to outside-1:1.1.1.5

flags s idle 0:00:03 timeout 0:00:00

NAT from hbg-inside:10.1.0.5 to outside-1:1.1.1.8 flags i idle 1:55:14 timeout 3:00:00
NAT from hbg-inside:10.1.0.5 to outside-2:2.2.2.7 flags i idle 1:55:14 timeout 3:00:00

So the First one is from the static Mapping, why are there 2 more? Why isn't it using the static mapping external IP? Why is it grabbing an IP from each pool?

Thanks,

Re: Using two External Subnets, One incoming one Outgoing?

Panos Kampanakis — Tue, 18 Jan 2011 19:01:47 GMT

The other two are probably old ones before the static. See that they are idle for 2 hours. They will timeout in 1h, or you can clear them.

Please mark this as answered if it is, for other users' future benefit.

Rgs,

Re: Using two External Subnets, One incoming one Outgoing?

stownsend — Tue, 18 Jan 2011 22:19:45 GMT

I'm not sure that is it. I've cleared the xlate many times and have rebooted, the static NAT has been there from the get go.

Here are two other enties in the xlate table, they are not Static. why would they each have an address from both Subnets?

NAT from inside:10.1.0.8 to hbg-outside-1:1.1.1.194 flags i idle 0:27:51 timeout 3:00:00
NAT from inside:10.1.0.8 to hbg-outside-2:2.2.2.205 flags i idle 0:23:17 timeout 3:00:00

NAT from inside:10.1.0.6 to hbg-outside-1:1.1.1.191 flags i idle 0:27:52 timeout 3:00:00
NAT from inside:10.1.0.6 to hbg-outside-2:2.2.2.114 flags i idle 0:02:43 timeout 3:00:00

Do I need the following lines if the only machines with the 1.1.1.0/28 address are Static NAT?

nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10