Handling multiple subnets, NAT, port forwarding... (ASA5510, 9.1)

maramamarama
Level 1

Hello there!

I am a novice myself and am making slow progress, but there is an issue I've already lost a lot of time with, and I was thinking maybe I can find some help here.

Our ISP assigned us 3 subnets, each with its own gateway.

The idea now is to have the 5510 handle all the IPs and manage the NAT and basic routing for all the IPs in the 3 subnets. Some of them would end up in the DMZ, some in the intranet. The goal is to achieve that on one interface and not use separate Ethernet ports for separate subnets. I've tried creating subinterfaces (Ethernet 0/0.1, 0/0.2) for each subnet but that didn't work.

I know the ASA is not a router, but I found several topics claiming it is possible; those topics, however, were either for the 5505 or for pre-8.3 ASA. As I understood it, I should NAT subnets 2 and 3 into subnet 1 and then handle it from there. Can anyone point me in the right direction on how to achieve that?

tia


Jouni Forss
VIP Alumni

Hi,

So you are saying that you have 3 public subnets allocated from the ISP and want to use them on the ASA?

Can you clarify are you going to use them on the ASA "outside" interface or are you going to use some of the ranges behind the ASA as either directly connected networks on the ASA itself or route them towards the LAN?

A simple picture of your needs might also clarify the setup you are going for.

- Jouni

Yes, 3 public subnets allocated from the ISP, and we want the ASA to handle all of them. Most of the IPs would end up being used for port forwarding, but some of them would stay on the outside but behind the firewall (DMZ, if I understand correctly) so the ASA would be able to apply ACLs to those public IPs.

We asked the ISP to give us more IPs so that's how we ended up with multiple subnets in the first place (I'd be happy with single bigger subnet). So now we have enough IPs to assign to all the servers we want to have exposed and redirected to intranet, but I need to configure ASA to be able to handle them.

I don't want the exposed mail server (in a different subnet) talking directly to the outside, because then I cannot control the traffic.

ISP --> ASA --> Intranet router --> intranet clients

                   --> public mailserver

                   --> public webserver

                   --> public webserver2

quite usual setup - but in my case with multiple subnets.

Did I explain it well?

Hi,

So I am assuming that all of the public IP addresses are to be used on the ASA itself as NAT IP addresses.

I can only give you some configuration examples but nothing really specific, since I don't have the exact information about the setup you have.

ISP gateway

  • First subnet as the connected network between ISP and ASA
  • Second and Third subnet routed towards ASA "outside" interface IP address

interface
 description Customer Gateway
 ip address 1.1.1.1 255.255.255.248

ip route 2.2.2.0 255.255.255.248 1.1.1.2
ip route 3.3.3.0 255.255.255.248 1.1.1.2

ASA

Interfaces & Default Route

interface
 description Firewall Outside
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248

route outside 0.0.0.0 0.0.0.0 1.1.1.1

interface
 description LAN
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

interface
 description DMZ
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0

Static NATs

object network DMZ-SERVER-1
 host 192.168.10.10
 nat (dmz,outside) static 2.2.2.1 dns

object network DMZ-SERVER-2
 host 192.168.10.20
 nat (dmz,outside) static 2.2.2.2 dns

object network LAN-SERVER-1
 host 10.10.10.10
 nat (inside,outside) static 3.3.3.1 dns

object network LAN-SERVER-2
 host 10.10.10.20
 nat (inside,outside) static 3.3.3.2 dns

OUTSIDE ACL

access-list OUTSIDE-IN remark Open services to DMZ and LAN servers
access-list OUTSIDE-IN remark DMZ Servers
access-list OUTSIDE-IN permit tcp any object DMZ-SERVER-1 eq
access-list OUTSIDE-IN permit tcp any object DMZ-SERVER-2 eq
access-list OUTSIDE-IN remark LAN Servers
access-list OUTSIDE-IN permit tcp any object LAN-SERVER-1 eq
access-list OUTSIDE-IN permit tcp any object LAN-SERVER-2 eq

access-group OUTSIDE-IN in interface outside

Default PAT rules

  • Using "outside" interface IP as PAT IP address

object-group network DEFAULT-PAT-SOURCE
 description Source network for default PAT
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Those are just some examples.

Configurations naturally change if you decide to use the public subnets directly on the DMZ interface or further in your network. Then you naturally need to make sure through configuration that, when those public-addressed hosts traverse the ASA, their connections won't, for example, fall into the default PAT rule or something else along those lines (in the above example we did specify the source networks for PAT clearly).

- Jouni

Hello Jouni,

Thanx a lot for trying to help!!!

I don't have admin access to the ISP gateway, so I cannot route the 2 subnets to 1.1.1.2 at the ISP gateway level, but I was hoping to be able to do it at the ASA level.

Anyway, I tried to reduce the configuration to this, but it's still not working:

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 61.99.232.108 255.255.255.248

interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 172.16.1.35 255.255.255.0

object network Webserver
 host 172.16.1.78
 nat (LAN,WAN) static 80.223.213.187

access-list OUTSIDE-IN remark Open services to DMZ and LAN servers
access-list OUTSIDE-IN remark LAN Servers
access-list OUTSIDE-IN permit tcp any object Webserver eq http

access-group OUTSIDE-IN in interface WAN

object-group network DEFAULT-PAT-SOURCE
 description Source network for default PAT
 network-object 172.16.1.0 255.255.255.0

nat (any,WAN) after-auto source dynamic DEFAULT-PAT-SOURCE interface

but it's not working ;(

So:

Subnet 1: 62.99.232.104/29

Subnet 2: 80.223.213.176/28

LAN: 172.16.1.0/24

"main" public IP of the ASA: 61.99.232.106

inside IP of the ASA: 172.16.1.35

Webserver in LAN: 172.16.1.78

and I am trying to redirect all traffic coming to 80.223.213.187 to go to 172.16.1.78.

The next step would be to configure a DMZ to use, for example, 80.223.213.188 (without NAT), but I first want to configure simple forwarding outside->inside. Forwarding the public IP from the first public subnet block worked without any problems (61.99.232.110 -> 172.16.1.78), but I can't get the IP from the second subnet to work.

Hi,

Do you have the command "arp permit-nonconnected" configured on the ASA?

If not could you try adding that and trying again.

I think the 9.1 Command Reference includes the command "arp non-connected-subnet", but even though I have that software level I can't find that command format myself. Only the first one I mention.

EDIT:

Here's the explanation from the 9.0(1) Release Notes, for your reference, from when they added the command:

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

  • Secondary subnets.
  • Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table.

Also available in 8.4(5).

- Jouni
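As an added example (not from the thread, and not Cisco's own tooling), a small Python checker for the failure mode this reply addresses: it parses ASA-style interface and static NAT lines and flags every mapped address that lies outside the connected subnet of its mapped interface, i.e. the addresses that only work once the ISP gateway routes them to the ASA or "arp permit-nonconnected" is enabled. The sample config is constructed from the addresses posted above; the object name Server-B is hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of the config posted in the thread: the WAN
# interface sits in the first ISP block; Webserver maps to the second block.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif WAN
 ip address 61.99.232.108 255.255.255.248
object network Webserver
 nat (LAN,WAN) static 80.223.213.187
 host 172.16.1.78
object network Server-B
 host 172.16.1.79
 nat (LAN,WAN) static 61.99.232.110
"""

def _flush(block, interfaces, statics):
    # Commit a finished 'interface' or 'object network' block.
    if "nameif" in block and "addr" in block:
        interfaces[block["nameif"]] = block["addr"]
    if block.get("object") and "nat" in block:
        statics.append((block["object"], block.get("host")) + block["nat"])

def parse_asa_config(text):
    """Return (nameif -> IPv4Interface, [(object, real_ip, mapped_iface, mapped_ip)])."""
    interfaces, statics, block = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line.startswith("object network "):
            _flush(block, interfaces, statics)
            block = {"object": line.split()[2] if line.startswith("object") else None}
        elif line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            # ipaddress accepts the dotted-quad netmask form directly
            block["addr"] = ipaddress.IPv4Interface("{}/{}".format(*line.split()[2:4]))
        elif line.startswith("host "):
            block["host"] = ipaddress.IPv4Address(line.split()[1])
        elif (m := re.match(r"nat \((\S+),(\S+)\) static (\S+)", line)):
            block["nat"] = (m.group(2), ipaddress.IPv4Address(m.group(3)))
    _flush(block, interfaces, statics)
    return interfaces, statics

def nonconnected_statics(interfaces, statics):
    """Mapped addresses outside the connected subnet of their mapped interface.
    By default the ASA answers ARP only for connected subnets, so these need a
    route on the ISP gateway or 'arp permit-nonconnected' on the ASA."""
    return [(obj, str(mapped), iface, str(interfaces[iface].network))
            for obj, _real, iface, mapped in statics
            if mapped not in interfaces[iface].network]
```

Run `nonconnected_statics(*parse_asa_config(SAMPLE_CONFIG))` on a saved "show running-config" excerpt to see which static NAT entries will not be reachable from the ISP side without one of those two changes.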

Also,

I would like to suggest that if you are going to use some public IP addresses directly on the hosts behind the ASA and NOT as NAT IP addresses on the ASA, then use the WHOLE subnet behind the ASA. You can't really use single public IP addresses behind the ASA (or any device for that matter, unless the host IP address is on a loopback interface etc.).

For example

  • Subnet1 = "outside" interface connected network between the ASA and ISP
  • Subnet2 = Subnet directly configured on the ASA "dmz" interface and hosts behind it
  • Subnet3 = Subnet used on ASA for NAT configurations for servers

I would still suggest using only a single IP subnet on the ISP router's gateway interface towards your ASA and routing the rest towards your ASA (I think this is needed if you want to use the IP addresses behind the ASA).

- Jouni

Jouni - it's working!!!!

Thanx a lot for your help

I will probably still have questions but this is a big milestone for me - thanx!

I restored to factory configuration and then did what you told me to do.

Hi,

Great that it's working now.

Please rate the answers and mark the question as answered so others can find the solution more easily.

Naturally it also always helps the motivation to answer on these forums.

Don't hesitate to start new threads when you have questions. There's usually someone here who can try to help.

- Jouni
