ASA 5505 - How to configure additional public facing WAN IP - Static 1 to 1 nat

nick.szilagyi
Level 1

Hi all,

I have a pretty basic configuration on a network that allows for PAT to a single WAN IP for all our vlans.

We have a public subnet range of xxx.xxx.xxx.216/248 

We have 4 internal vlans which all use the same WAN IP of .218 for their PAT translation. I have a requirement to provide a public facing IP address for a single client on the LAN. We have an existing VLAN that is hardly used (vlan4) but already configured. I'm hoping to create a 1to1 NAT to an inside IP address to one of our free public IP's, lets say xxx.xxx.xxx.220 for example.

This will be for a piece of AV equipment that needs to talk upstream to a cloud provider. I also have a requirement to ensure that the following ports are open/forwarded to this single AV client - TCP 1720, TCP 3230-3241, UDP 3230-3291.

I will use vlan 4 with a static ip address of 192.168.4.2 for the AV equipment.

The switch has an management IP address of 192.168.2.1 on vlan 2. 192.168.2.2 is the gateway for the ASA.

xxx.xxx.xxx.217 will be the inside interface IP of the router that you see for the default routing rule of 0.0.0.0 0.0.0.0

I've attached the FW config and attempted to remove any non relevant information. (FW1-config).

Questions

Would the below rule be sufficient in what I am hoping to achieve, if I place the rule above the dynamic rule?

name 192.168.4.2 AVS
name xxx.xxx.xxx.220 outside-network2
asdm location xxx.xxx.xxx.220 255.255.255.255 inside
asdm location 192.168.4.2 255.255.255.255 inside
static (inside,outside) xxx.xxx.xxx.220 192.168.4.2 netmask 255.255.255.255 tcp 0 0 udp 0

How do I know the new rule will take precedence over the existing dynamic rule?

Do I need to configure a VLAN interface on the ASA with the ip address of xxx.xxx.xxx.220? As it stands, VLAN 2 on the ASA has the public IP address of .218, so I expect I need to configure an additional VLAN as it will have no idea how to talk to that interface internally or from an external source.

Any thoughts or help would be greatly appreciated.

Thanks,
Nick.

6 Replies

David99
Level 1

A static rule will always beat a dynamic rule, so you are OK on that front.

The rest of the scenario is a little confusing. Do you have all 4 VLANs behind the ASA, and if so are you using subinterfaces for this such that each is segmented off? As you have a 5505, these will be VLAN interfaces. The interface reference in your NAT statement needs to be whatever 192.168.4.X is behind (which may of course well be inside in this case).

I'm also assuming you have 8.2 or earlier code based on your syntax.

You don't need to specify the TCP/UDP connection properties on the static unless you actually want a limit. It is not limited by default.

You'll also need an ACL for this to allow the TCP and UDP ports in to host 192.168.4.2. I'd suggest using object groups to keep your config clean, for example:

object-group service AV
     service-object tcp eq 1720
     service-object tcp range 3230 3241
     service-object udp range 3230 3291

! 8.2 and earlier evaluate the outside ACL before un-NAT, so it matches the mapped (public) address.
access-list OUTSIDE_IN extended permit object-group AV any host xxx.xxx.xxx.220
access-group OUTSIDE_IN in interface outside

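Putting the pieces of this reply together, here is a complete 8.2(5) configuration for the scenario in this thread, as an added example rather than something posted by either participant. It assumes the existing PAT is a plain `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` pair (the attached FW1-config is not on this page, so that is an assumption) and that no ACL is currently bound to the outside interface; if one already is, add the permit line to that ACL instead of binding a new one with access-group. The names AVS and outside-network2 are the ones from the question.

```cisco
! Added example for ASA 8.2(5): 1:1 static NAT for the AV host plus the inbound ACL.
! Assumed existing dynamic PAT (not shown on the page), left untouched:
!   nat (inside) 1 0.0.0.0 0.0.0.0
!   global (outside) 1 interface
!
! Names from the question, for readability.
names
name 192.168.4.2 AVS
name xxx.xxx.xxx.220 outside-network2
!
! 1:1 static NAT. 192.168.4.0/24 is reached via the inside interface
! (route inside 192.168.4.0 255.255.255.0 192.168.2.1), so the pair is (inside,outside).
! On 8.2 a static is evaluated before the dynamic "nat (inside) 1" rule, and the ASA
! answers ARP for .220 on the outside VLAN itself, so no extra VLAN interface is needed.
! No tcp/udp connection limits are given: the default is unlimited.
static (inside,outside) outside-network2 AVS netmask 255.255.255.255
!
! Service group for the AV ports. Pre-8.3 syntax: no "destination" keyword.
object-group service AV
 service-object tcp eq 1720
 service-object tcp range 3230 3241
 service-object udp range 3230 3291
!
! Inbound ACL. On 8.2 and earlier the outside ACL is checked BEFORE the packet is
! un-NATed, so it must match the MAPPED (public) address, not 192.168.4.2.
access-list OUTSIDE_IN extended permit object-group AV any host outside-network2
access-group OUTSIDE_IN in interface outside
!
! Drop any existing PAT translation for the host so the static takes effect at once.
clear xlate local 192.168.4.2
```

Two 8.2-specific points are easy to get wrong here: the ACL names the public address because the interface ACL is evaluated before NAT on pre-8.3 code (8.3 and later reversed this and use the real address), and the static entry is what makes the firewall proxy-ARP for .220 on VLAN 2, which is why no second outside VLAN interface is required.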
Sorry, to clarify - I've got 4 VLANs on the switch, VLANs 1-4, all using the gateway of 192.168.2.2.

It's a little confusing to me as it's a new environment, and at the moment I've only got access to the ASA. Also 8.2(5) for the version.

ASAs are a new bag to me; I've got limited knowledge so I'm doing my best :)

SW config

ip routing

!
interface GigabitEthernet0/2
description *** Link to ASA Firewall ***
switchport access vlan 2
switchport mode access
switchport nonegotiate
!
interface Vlan1
description *** Admin Shut ***
no ip address
shutdown
!
interface Vlan2
description *** Network Management VLAN ***
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan3
description *** Wireless AP VLAN ***
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan4
description *** Wired Devices VLAN ***
ip address 192.168.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 192.168.2.2
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.2

Well there's plenty of people around to help you make sense of them :)

The 5505 is different to the rest of the ASA family in that it also has a built in switch. Typically in my experience you would configure SVIs on the firewall rather than on the switch.

So is the firewall in this case only used for connectivity from the VLANs behind your switch to the internet?

Please can you also provide the output of the following from your firewall:

show run interface
show ip
show nameif
show run static
show run route

Naturally removing anything sensitive if you need to :)

Great, thank you. I'll be back home shortly to provide this info.

Hi David, the answer to your question is yes, just internet access for the VLANs on the inside interface.

sh ip

System IP Addresses:
Interface   Name      IP address        Subnet mask       Method
Vlan2       outside   xxx.xxx.xxx.218   255.255.255.248   CONFIG
Vlan3       inside    192.168.2.2       255.255.255.0     CONFIG
Current IP Addresses:
Interface   Name      IP address        Subnet mask       Method
Vlan2       outside   xxx.xxx.xxx.218   255.255.255.248   CONFIG
Vlan3       inside    192.168.2.2       255.255.255.0     CONFIG
Market-Gravity-FW1# sh nameif
Interface   Name      Security
Vlan2       outside   0
Vlan3       inside    100
Market-Gravity-FW1# sh run static
Market-Gravity-FW1# sh run route
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
route inside 192.168.4.0 255.255.255.0 192.168.2.1 1


sh run interface
!
interface Ethernet0/0
description *** Link to Internet Router ***
switchport access vlan 2
!
interface Ethernet0/1
description *** Link to 2960 Switch ***
switchport access vlan 3
!
interface Ethernet0/2
description *** Unused and Shut Interface ***
shutdown
!
interface Ethernet0/3
description *** Unused and Shut Interface ***
shutdown
!
interface Ethernet0/4
description *** Unused and Shut Interface ***
shutdown
!
interface Ethernet0/5
description *** Unused and Shut Interface ***
shutdown
!
interface Ethernet0/6
description *** Unused and Shut Interface ***
shutdown
!
interface Ethernet0/7
description *** Unused and Shut Interface ***
shutdown
!
interface Vlan1
shutdown
no nameif
security-level 100
no ip address
!
interface Vlan2
description *** Outside VLAN ***
nameif outside
security-level 0
ip address xxx.xxx.xxx.218 255.255.255.248
!
interface Vlan3
description *** Inside VLAN ***
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
Market-Gravity-FW1#

I think I've got this all configured but I'm hitting an issue with the NAT/ACL.

I could be using packet tracer incorrectly but....

ASDM is not able to select the entry for the following configuration - static (inside,outside) OutsideAV AV netmask 255.255.255.255

    match ip inside host AV outside any
    static translation to outsideAV
    translate hits = 2, untranslate_hits = 67

OutsideAV is the IP I want to NAT to = xxx.xxx.xxx.220

AV = 192.168.4.2
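As an added check that is not part of the thread, the commands below verify the translation and the inbound ACL in both directions on 8.2(5). The counters quoted in the post (translate hits / untranslate_hits) are in the format of show nat, and untranslate_hits counts outside-to-inside packets that matched the static, so inbound traffic is reaching the translation; if it is still failing, the inbound packet-tracer will show which phase drops it. 198.51.100.10 is a constructed documentation-range address standing in for a cloud provider host.

```cisco
! Added example: verifying the static and the inbound ACL on ASA 8.2(5).
! 198.51.100.10 is a constructed stand-in for the cloud provider's address.
!
! 1. Is the static installed, and does the host currently hold a static xlate
!    (rather than a leftover PAT to .218)?
show run static
show nat
show xlate | include 192.168.4.2
!
! 2. Simulate an inbound H.323 call-setup packet from the cloud side. On 8.2 the
!    destination is the PUBLIC address. Expect the NAT phase to un-translate to
!    192.168.4.2 and the ACCESS-LIST phase to show ALLOW. A DROP in the ACCESS-LIST
!    phase on this release usually means the ACL references 192.168.4.2 instead of
!    the mapped address, or no access-group is bound to the outside interface.
packet-tracer input outside tcp 198.51.100.10 40000 xxx.xxx.xxx.220 1720 detailed
packet-tracer input outside udp 198.51.100.10 40000 xxx.xxx.xxx.220 3230 detailed
!
! 3. Simulate outbound from the AV host. The NAT phase should report the static
!    (inside,outside) entry, not the dynamic PAT to the outside interface address.
packet-tracer input inside tcp 192.168.4.2 40000 198.51.100.10 1720 detailed
!
! 4. After a real connection attempt, confirm the ACL hit counts increment.
show access-list OUTSIDE_IN
```

If step 1 shows the host still using a PAT translation, clear it with `clear xlate local 192.168.4.2` and re-run step 3; if the outside interface already carries a different ACL, step 2 will report a drop in the ACCESS-LIST phase until the AV permit line is added to that ACL.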
