NAT different VLANs out different interfaces - ASA 5520 (9.1.7)

Kuzuri
Level 1

Hello everyone, thank you for taking the time to read this.  I am the lucky owner of a Cisco ASA 5520 that I got for my home network on my birthday.  I'm pretty green when it comes to this stuff so please forgive me if I am making a rookie mistake.

 

What I am trying to do seemed like it should be theoretically possible in my head, but I can't for the life of me get it to work.  Let me try and describe what I am trying to do.

 

Topology:

 

ASA 5520:

  1. g0/0 - Verizon uplink
  2. g0/1 - Trunk from Catalyst for 3 VLANs
    1. g0/1.10 - Inside VLAN
    2. g0/1.11 - Malware analysis VLAN
    3. g0/1.12 - Blockchain/mining VLAN
  3. g0/2 - ExpressVPN uplink
  4. g0/3 - Unused

Catalyst 3560G:

  1. g0/1-g0/16   VLAN 10
  2. g0/17-g0/32 VLAN 11
  3. g0/33-g0/47 VLAN 12
  4. g0/48 Trunks all VLANs to ASA g0/1

 

Nutshell version: I have a Verizon Fios (outside) uplink in g0/0 and an ExpressVPN (expressvpn) uplink on g0/2.  I am trying to NAT my inside subnet out g0/0 and my malware analysis and blockchain subnets out g0/2.

 

Everything works fine if I NAT the subnets to the g0/0 (outside) interface, but it will not work if I try and NAT any of the subnets out g0/2 (expressvpn).

 

In the name of full disclosure, I am doing some hokey stuff with the ExpressVPN link.  That link comes from a Linksys WRT3200ACM that has a 24/7 VPN tunnel running to ExpressVPN, and anything that connects to its inside network is tunneled over the VPN.

The stupid part is I don't have two internet connections; I'm actually connecting the Linksys' WAN to the inside VLAN and it's being sent out g0/0 (Verizon) for the establishment of the VPN tunnel, then I'm connecting the ASA's g0/2 to its inside network so it goes out of the VPN tunnel.

 

You can yell at me, I know this is some stupid hackery, but it works.  Rather, worked until I tried to duplicate the behavior with the ASA.

 

I've included what I think are the relevant portions of my running-config.  So, if you haven't bought a plane ticket to come punch me in the face yet, do you see what I'm doing wrong?

 

Thank you in advance!

 

object network inside
 subnet 10.10.10.0 255.255.255.0
 description Internal subnet
object network malware
 subnet 10.10.11.0 255.255.255.0
 description Malware analysis subnet
object network mining
 subnet 10.10.12.0 255.255.255.0
 description Blockchain subnet
!
interface GigabitEthernet0/0
 description Verizon Fios uplink
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 description Internal network
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 description Malware network
 vlan 11
 nameif malware
 security-level 80
 ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 description Blockchain network
 vlan 12
 nameif mining
 security-level 90
 ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet0/2
 description ExpressVPN uplink
 nameif expressvpn
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network inside
 nat (inside,outside) dynamic interface
object network malware
 nat (malware,expressvpn) dynamic interface
object network mining
 nat (mining,expressvpn) dynamic interface
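
A small checker for the configuration above, added here as an example and not code from the thread or from Cisco: it parses the `nameif`, `ip address dhcp setroute`, static default `route` and object `nat` lines and reports, per NAT rule, whether the rule's mapped interface can be the route-selected egress interface. It encodes one assumption about ASA behaviour, stated in the code as well: the firewall holds a single default route, and dynamic object NAT is applied only when the routing lookup's egress interface equals the rule's mapped interface, so two uplinks both claiming the default route leave one uplink's NAT rules never matching Internet-bound flows.

```python
import re
# Constructed excerpt of the poster's running-config (only the parts that matter).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address dhcp setroute
interface GigabitEthernet0/2
 nameif expressvpn
 ip address dhcp setroute
object network inside
 nat (inside,outside) dynamic interface
object network malware
 nat (malware,expressvpn) dynamic interface
"""
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SETROUTE_RE = re.compile(r"^\s*ip address dhcp setroute")
STATIC_DEFAULT_RE = re.compile(r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ")
NAT_RE = re.compile(r"^\s*nat \((\S+?),(\S+?)\) ")

def parse(config):
    """Return (claimants, rules): nameifs that install a default route, in
    config order, and the (real, mapped) interface pair of each object NAT."""
    claimants, rules, nameif = [], [], None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            nameif = m.group(1)                 # remember which interface we are in
        elif SETROUTE_RE.match(line) and nameif:
            claimants.append(nameif)            # DHCP-learned default route
        elif m := STATIC_DEFAULT_RE.match(line):
            claimants.append(m.group(1))        # static 'route <nameif> 0.0.0.0 0.0.0.0 ...'
        elif m := NAT_RE.match(line):
            rules.append((m.group(1), m.group(2)))
    return claimants, rules

def audit(config):
    """Verdict per NAT rule. Assumption encoded here, not read from the box:
    the ASA keeps one default route, and dynamic NAT applies only when the
    route-selected egress interface is the rule's mapped interface."""
    claimants, rules = parse(config)
    owners = sorted(set(claimants))
    verdicts = {}
    for real, mapped in rules:
        if mapped not in owners:
            verdicts[(real, mapped)] = "no default route via mapped interface"
        elif len(owners) == 1:
            verdicts[(real, mapped)] = "ok"
        else:   # several uplinks want the default route; only one can hold it
            verdicts[(real, mapped)] = "contested default route: " + ", ".join(owners)
    return verdicts
```

Run `audit(SAMPLE_CONFIG)` to see both rules in the posted config flagged as contested; a config with a single default-route owner returns "ok" for rules mapped to that interface.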

 
