03-25-2013 04:26 AM - edited 03-11-2019 06:19 PM
Hi,
Bear with me, as I am not very technical and this is all very new to me; how I have got this far I will never know.
But basically I have a Cisco ASA5510. We had 1 public IP range on an outside interface, but eventually I used all these IPs up, so we got given another IP range block.
These 2 ranges are being supplied by the same cable. To assign this range I have turned the management interface into another outside interface and assigned the new IP range. I then added an unmanaged switch in front of the ASA to split the line into the 2 outside interfaces.
My existing outside interface works fine, but with my second new outside interface I cannot get any traffic to go to it. I am not sure if it might be the default static route or anything.
Can anyone think of an obvious thing I could have forgotten? I know I haven't explained that much, but hopefully someone might be able to say that's not possible, or "remember to do this".
Thanks,
Chris
03-25-2013 04:31 AM
Hi,
There is no need to configure another physical interface to handle the second public IP address range. Actually this just causes more problems regarding routing.
You should ask the ISP to route the second new subnet towards the ASA's current "outside" interface IP address. After this you could simply configure new Static NAT configuration (or other types depending on your need) like you have done before.
I made a document regarding the new 8.3+ NAT format which touches the subject of multiple public subnets. Have a look there:
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps. Please rate if so and ask more if needed.
- Jouni
03-25-2013 04:44 AM
Hi,
Thanks for the response. At the moment the second IP range is already being routed towards the ASA, hence why I was just using the switch to try and split the 2 ranges.
If I have read your response correctly, all I really need to do is issue the command
"arp permit-nonconnected" and just do normal PAT rules as usual on the interface. Is this correct?
Thanks,
Chris
03-25-2013 04:52 AM
Hi,
You would still face a problem with routing traffic through 2 WAN connections if you stay with this setup. You would also need to decide what traffic to route through which WAN interface, since you can't have 2 default routes working at the same time.
If your only need is to have multiple public subnets for NATing your servers and hosts, then having 2 "outside" interfaces is a bad choice.
So I would revert to the old network setup with only the single public network between you and your ISP, and tell your ISP to route the additional public subnet towards the existing public IP address of the ASA "outside". There is no real need to have 2 WAN interfaces on the ASA.
The "arp permit-nonconnected" doesn't really have to do with this problem at the moment, since you have the 2 public subnets on different interfaces.
The "arp permit-nonconnected" is meant to correct a problematic situation where the ISP has configured both of the 2 public subnets on their gateway interface and you are trying to use both of them for NAT. This also only causes problems if you are running 8.4(3) or newer software on the ASA.
- Jouni
03-25-2013 05:03 AM
And to give you an example of how your situation could look from the ISP's and your point of view.
You haven't told me your ASA software version, so I will use the 8.2 NAT configuration format as an example.
ISP gateway interface and ASA "outside" interface
! ISP gateway (interface name not given in the original)
interface
 ip add 1.1.1.1 255.255.255.248
! ISP routes the new public subnet to the ASA's outside IP
ip route 2.2.2.8 255.255.255.248 1.1.1.2
! ASA outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip add 1.1.1.2 255.255.255.248
Example ASA NAT configurations using both public subnets
! Dynamic PAT (NAT ID 1) for inside hosts to the outside interface IP, 1.1.1.2
global (outside) 1 interface
! Dynamic PAT (NAT ID 2) for dmz hosts to an address in the new subnet
global (outside) 2 2.2.2.9
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 2 10.10.20.0 255.255.255.0
! Static NAT using an address from the original subnet
static (inside,outside) 1.1.1.3 10.10.10.3 netmask 255.255.255.255
! Static NAT using an address from the new subnet
static (inside,outside) 2.2.2.10 10.10.10.10 netmask 255.255.255.255
Where
- Jouni
03-25-2013 08:37 AM
Sorry, I am pretty rubbish with the commands, only really understand the GUI interface, never done any networking before setting this up. Happy to use the method of using only the 1 interface. Have created PAT rules the same as before but to no avail. Do I need to create a NAT rule on the outside interface mapping to an internal address?
I asked our provider can they make sure the new IP range is routed to the IP address of the outside interface and they just told me:
"To confirm, you will need to configure the new range on your firewall. "
Thanks for your patience,
Chris
03-25-2013 08:46 AM
Got 8.2(5) btw
03-25-2013 09:01 AM
Hi,
With that software you shouldn't have any problems that have been common with the newer software levels.
Basically you should be able to configure NAT using both your old and new public IPs.
To be honest, the only thing different with the NAT configurations should be the public IP address used. I assume that you have used up the previous public IP addresses by configuring Static NAT for some of your servers? If you are attempting to do the same with the new public IP addresses there shouldn't really be anything different but the actual public IP address used for the NAT configuration.
I don't know if the people at the ISP have understood correctly. As you stated, you asked them to confirm that they have routed the new public subnet that you were allocated towards the current "outside" interface IP address of the ASA. Shouldn't be hard for the ISP to confirm this.
I guess I would have to see the configurations in CLI format to be able to confirm (at least to some degree) that the configurations are correct. I have never used the graphical user interface (ASDM) to configure NAT for the ASA. Always used the configuration line format, so I am not that great at giving examples on the graphical interface.
But as I said, if you have already configured the NAT using the original public subnet (and that is working) then there should be little difference using the new public subnet.
- Jouni
03-25-2013 09:16 AM
Thanks. I can only assume the problem is the ISP itself not routing the new range to my existing interface IP.
Currently it's just ROUTER ------> FIREWALL, and I am guessing their rules just send the subnets out the router interface but are not specifically set to route it to the firewall interface.
Thanks,
Chris
03-25-2013 09:35 AM
Hi,
I actually think that since you are running 8.2(5), the problem that I mentioned in my document doesn't really apply to your situation. My document dealt only with 8.3 and newer software, which is totally different with regard to NAT, for example.
Even if they configured the new subnet as a "secondary" IP address on their gateway device, it should still be possible to use them normally, since you are running an older software version and wouldn't run into problems with the change to ARP behaviour in the newer software.
I assume that the ROUTER is ISP controlled?
I think you should confirm the routing configurations with the ISP as you say, and also try to test connectivity with some LAN test host while using a Static NAT to a new public IP address for that host.
Let us know if you get this sorted out with the ISP.
Other than that I think we can only really help you confirm that your configuration format is correct if we can see the actual CLI configurations of the ASA. Naturally you should in that case "mask" part of the public IP addresses used before posting them here on the forums.
- Jouni
03-26-2013 10:29 AM
Got the ISP to route the new subnet directly to the current ASA outside interface, and noticed lots of packets being blocked for a very similar subnet.
Turns out they had mistyped the subnet in the original email they sent me, so none of my solutions would ever have worked. Changed everything to the correctly typed subnet and all has burst into life.
Thanks for your help Jouni.
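As an added sanity check (not part of the thread, and not a Cisco tool), the Python below parses the 8.2-format example Jouni posted and reports every public address used in a global or static line that no prefix the ISP routes to the ASA's outside IP (nor the outside interface's own subnet) covers. The ISP route sample is constructed, with the prefix deliberately mistyped so the output reproduces the "wrong subnet in the email" mismatch Chris eventually found.

```python
import ipaddress
import re

# Constructed sample input: the ASA outside IP and NAT lines from the 8.2-format
# example in the thread, plus an ISP static route whose prefix is deliberately
# mistyped (2.2.2.0/29 instead of 2.2.2.8/29) to reproduce the real-world mismatch.
OUTSIDE_IF_IP = "1.1.1.2/29"
ISP_ROUTES = ["ip route 2.2.2.0 255.255.255.248 1.1.1.2"]
ASA_NAT = """
global (outside) 1 interface
global (outside) 2 2.2.2.9
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 2 10.10.20.0 255.255.255.0
static (inside,outside) 1.1.1.3 10.10.10.3 netmask 255.255.255.255
static (inside,outside) 2.2.2.10 10.10.10.10 netmask 255.255.255.255
"""

def reachable_prefixes(outside_if_ip, isp_routes):
    """Prefixes that reach the ASA: the connected outside subnet plus every
    ISP static route whose next hop is the ASA's outside interface IP."""
    outside = ipaddress.ip_interface(outside_if_ip)
    prefixes = [outside.network]
    for line in isp_routes:
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line.strip())
        if m and ipaddress.ip_address(m.group(3)) == outside.ip:
            prefixes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return prefixes

def public_nat_addresses(asa_nat):
    """Public IPs consumed by 8.2-format global/static lines; the keyword
    'interface' means the outside IP itself, which is always reachable."""
    addrs = set()
    for line in asa_nat.splitlines():
        m = re.match(r"global \(\S+\) \d+ (\S+)", line)
        if m and m.group(1) != "interface":
            addrs.add(ipaddress.ip_address(m.group(1)))
        m = re.match(r"static \(\S+,\S+\) (\S+) \S+", line)
        if m:
            addrs.add(ipaddress.ip_address(m.group(1)))
    return addrs

def unrouted_nat_addresses(outside_if_ip, isp_routes, asa_nat):
    """NAT public IPs that no connected or routed prefix covers, as sorted strings."""
    prefixes = reachable_prefixes(outside_if_ip, isp_routes)
    missing = [a for a in public_nat_addresses(asa_nat)
               if not any(a in p for p in prefixes)]
    return [str(a) for a in sorted(missing)]
```

Calling `unrouted_nat_addresses(OUTSIDE_IF_IP, ISP_ROUTES, ASA_NAT)` with the mistyped route lists 2.2.2.9 and 2.2.2.10; with the route corrected to 2.2.2.8/29 the list is empty.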