topic Re: Traffic to different wan ip's in Network Security

Traffic to different wan ip's

m1kkel1984 — Mon, 11 Mar 2019 17:40:44 GMT

Hello guys.

I have asa5510 sec plus.

Im new to cisco.

WAN IP: 77.68.136.96 - 77.68.136.102

Is it possible to send traffic from internal host like: 192.168.10.31 out through another WAN ip than the one bound to interface "outside" ?

I tried it with this command:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

and so on

But it doesnt seem to work.. actually the hosts cannot acces the internet at all.. outside interface level 0, dmz interface level 90, so theres n o need to make accesslist from DMZ to outside, right?

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 04 May 2010 09:59:59 GMT

Definitely can. What you have configured is correct.

Just have to make sure that proxy arp is enabled on the outside interface.

Just check: "sh run sysopt" output, if you don't see "sysopt noproxyarp outside" command, that means proxy arp is enabled.

Also perform "clear xlate" after you configure the NAT/Global pair statements.

If you have no access-list assigned to DMZ interface, traffic from DMZ to outside will be allow by default. If you have configured an access-list on DMZ interface, you would need to explicitly allow traffic from DMZ to outside.

Re: Traffic to different wan ip's

m1kkel1984 — Tue, 04 May 2010 10:06:45 GMT

Okay, so why should proxy arp be enabled ?

Thanks

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 04 May 2010 10:11:14 GMT

Because those are virtual ip addresses that are not assigned to any interfaces, therefore it needs to have ARP resolution, and it would resolve to the ASA outside interface mac address when proxy arp is enabled so the router in front of the ASA can reach it.

Re: Traffic to different wan ip's

m1kkel1984 — Tue, 04 May 2010 10:34:59 GMT

ok i see.

Could you maybe have a look at my config file, and see if any other things are wrong ?

i have attached it.

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 04 May 2010 10:41:54 GMT

OK, first of all, you can use overlapping public ip address for both static statement and global statement.

As per config for example: 77.68.136.97 has been used on static port address redirection statement, so you can't use 77.68.136.97 for your global statement.

---> so use a unique public ip address for your global statement.

Secondly, from the config, it seems that you have a lot of NAT statements. Traffic matches the NAT statement from top to bottom, not the longest ip address/subnet matches. If you do "sh run nat", you would see the list of NAT statement, and the order of how you configure it on the ASA would be the first match.

Re: Traffic to different wan ip's

m1kkel1984 — Tue, 04 May 2010 10:51:23 GMT

The reason why i have a lot of nat statements is because i have a lot of servers on the DMZ wich have different wan ip's applied to them, and therefore port 25 traffic to ip .98 is forwarded to the host that the .98 ip is attached to, the same with .99 ip and so on.

Maybe there is a better way to handle this?

We are a small hosting provider and we host terminalservers and exchangeservers, and each customer have it own virtual server, and wan ip. You get the point...

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 04 May 2010 11:13:32 GMT

Yes, I understand what you are trying to achieve.

However, on ASA, public ip that has been assigned to static statement, can not be assigned to the global statement. They can't overlap.

And in regards to the NAT statements, as mentioned earlier, it works top to bottom. So if you have the following list for example ("sh run nat" order - order as you configured the nat statements):

nat (dmz) 100 192.168.10.0 255.255.255.0

nat (dmz) 2 192.168.10.31 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255

If traffic is sourced from 192.168.10.31 for example, it will match the first nat statement instead of the second nat statement because nat is matched from top to bottom, ie: it will match line 1 first - "nat (dmz) 100 192.168.10.0 255.255.255.0".

If you would like traffic to match the second nat statement for traffic sourcing from 192.168.10.31, then you would need to remove the first line and reapply the first line, because when you remove the nat and reapply the line, it will be added to the bottom of the NAT list.

For example: if you remove "nat (dmz) 100 192.168.10.0 255.255.255.0", and reapply the same statement, the order from the above list will be as follows:

nat (dmz) 2 192.168.10.31 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255

nat (dmz) 100 192.168.10.0 255.255.255.0

Then traffic sourcing from 192.168.10.31 will now match the first line "nat (dmz) 2 192.168.10.31 255.255.255.255"

Re: Traffic to different wan ip's

m1kkel1984 — Tue, 04 May 2010 12:13:50 GMT

Ok i see.

May i return when i have fixed my conf? So you can read it before i apply, and take down out old router?

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 04 May 2010 12:20:52 GMT

Sure..

Re: Traffic to different wan ip's

m1kkel1984 — Tue, 04 May 2010 14:09:55 GMT

Okay thanks.

I fixed up my conf, can you verify that everything is correct, or do you need more info from me ?

Re: Traffic to different wan ip's

m1kkel1984 — Fri, 07 May 2010 07:42:50 GMT

Hey - did you have the time to verify my conf is correct ?

Regards Mikkel

Re: Traffic to different wan ip's

Jennifer Halim — Fri, 07 May 2010 09:16:47 GMT

To start with, you don't need these 2 route statements:

route inside 192.168.0.0 255.255.255.0 192.168.0.1
route dmz 192.168.10.0 255.255.255.0 192.168.10.1

For the NAT statements, please send the output of the following:

sh run nat

sh run static

sh run global

As mentioned, the order needs to be as how you enter the NAT line into the configuration, therefore the output of the above will show.

And please also confirm that you are trying to achieve the following as per your original post:

nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255

nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255

Re: Traffic to different wan ip's

m1kkel1984 — Mon, 17 May 2010 12:00:07 GMT

Allright im back.

Im trying to apply my config, but it fails different places.

First:

(trying to send everything else that does not match rules out through wan interface)

nat (dmz) 100 192.168.10.0 255.255.255.0
global (outside) 100 interface
ERROR: global for this range already exists

Second:

ciscoasa(config)# static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 ne$
ciscoasa(config)# static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 ne$
ERROR: duplicate of existing static
TCP DMZ:192.168.10.34/25 to outside:77.68.136.32/25 netmask 255.255.255.255

Why am i reciving that error ? It occours after first static rule is applied. Im trying to send traffic from different wan ip's (port 25) into out spamgateway..

Best regards Mikkel

Re: Traffic to different wan ip's

Jennifer Halim — Mon, 17 May 2010 12:21:10 GMT

Yes, you already have "global (outside) 1 interface", so you can't configure two global statements to use the same ip address (interface). Hence you are getting the error when applying "global (outside) 100 interface"

For the static statements, you can't configure static port address redirection for the same port (TCP/25) and same internal/private ip address.

Re: Traffic to different wan ip's

m1kkel1984 — Mon, 17 May 2010 12:28:29 GMT

Ok i understand the global rule now.

Regarding the port 25 to the same ip address - how do we fix it then?

We have like 12 wan ip's where email (port 25) is comming to. All mail should be sent to internal ip 192.168.10.34 regardless of originating wan ip.

What to do ?

Re: Traffic to different wan ip's

m1kkel1984 — Mon, 17 May 2010 13:38:45 GMT

Hello once again.

I think i know how to send all smtp traffic to one internal ip.

static (dmz,outside) tcp interface 25 192.168.10.34 25 netmask 255.255.255.255

So i fixed my conf a little, fixed the rules that were failing, and the global rules. Please check again.

I also ran the commands just suggested, and here's the output.

ciscoasa(config)# sh run nat
nat (inside) 0 access-list NCT-DMZ
nat (inside) 1 192.168.0.0 255.255.255.0
nat (DMZ) 2 192.168.10.31 255.255.255.255
nat (DMZ) 4 192.168.10.34 255.255.255.255
nat (DMZ) 3 192.168.10.40 255.255.255.255
nat (DMZ) 3 192.168.10.41 255.255.255.255
nat (DMZ) 5 192.168.10.42 255.255.255.255
nat (DMZ) 6 192.168.10.43 255.255.255.255
nat (DMZ) 7 192.168.10.45 255.255.255.255
nat (DMZ) 8 192.168.10.46 255.255.255.255
nat (DMZ) 8 192.168.10.47 255.255.255.255
nat (DMZ) 8 192.168.10.50 255.255.255.255
nat (DMZ) 8 192.168.10.51 255.255.255.255
nat (DMZ) 8 192.168.10.52 255.255.255.255
nat (DMZ) 8 192.168.10.53 255.255.255.255
nat (DMZ) 8 192.168.10.54 255.255.255.255
nat (DMZ) 1 192.168.10.0 255.255.255.0

ciscoasa(config)# sh run static
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.0.2 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 www 192.168.10.31 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 https 192.168.10.31 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.97 3389 192.168.10.31 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 www 192.168.10.40 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 https 192.168.10.40 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.98 3389 192.168.10.41 3389 netmask 255.255.255.255
static (DMZ,outside) tcp interface smtp 192.168.10.34 smtp netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.100 3389 192.168.10.42 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 www 192.168.10.43 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 https 192.168.10.43 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.101 3389 192.168.10.43 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 www 192.168.10.45 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 https 192.168.10.45 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.32 3389 192.168.10.45 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 www 192.168.10.47 www netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 https 192.168.10.47 https netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 3389 192.168.10.50 3389 netmask 255.255.255.255
static (DMZ,outside) tcp 77.68.136.33 8093 192.168.10.51 8093 netmask 255.255.255.255

Hmm should the first 4 static come ind the end ??

ciscoasa(config)# sh run global
global (outside) 2 77.68.136.97 netmask 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
global (outside) 4 77.68.136.99 netmask 255.255.255.255
global (outside) 5 77.68.136.100 netmask 255.255.255.255
global (outside) 6 77.68.136.101 netmask 255.255.255.255
global (outside) 7 77.68.136.32 netmask 255.255.255.255
global (outside) 8 77.68.136.33 netmask 255.255.255.255
global (outside) 1 interface

How does this look?

Ive attached my new and refined config.

Re: Traffic to different wan ip's

Jennifer Halim — Mon, 17 May 2010 13:42:55 GMT

The NAT statements definitely look perfect, where the more specific ones are at the top, with the most general one right at the bottom.

With the static translation, the first 4 lines do not need to be moved anywhere. It's been correctly configured.

Re: Traffic to different wan ip's

m1kkel1984 — Mon, 17 May 2010 13:46:40 GMT

That is just amazing!

Thank you very much.

Now lets say that my spamgateway (192.168.10.34) needs to be able to communicate with 192.168.0.2 (on inside) interface, ive just created this rule:

!######################ACCESS TIL NCT FRA PROOFPOINT################
access-list DMZ-NCT extended permit ip 192.168.10.34 255.255.255.255 192.168.0.2 255.255.255.255
access-group DMZ-NCT in interface inside

Is this also correctly configured?

Re: Traffic to different wan ip's

Jennifer Halim — Tue, 18 May 2010 09:50:58 GMT

No, since the traffic originates from DMZ, you would need to add the ACL on your current DMZ access-list which is called DMZ-PING as follows:

access-list DMZ-PING extended permit ip host 192.168.10.34 host 192.168.0.2

Plus you also need to have the following static statement:

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0