ASA 5505 Two LANs with same IP schema

Abhishek Shah · ‎01-07-2013

Hello eveyone,

I have ASA 5505 firewall with Security Plus license. As we plan to create disaster recovery plan for our client I had an issue with same IP schema.

Current IP Schema:

On ASA 5505 Info:

LAN IP address: 172.20.1.x

WAN Ip address: 1.1.1.1

We would like to access 172.20.1.x access from firewall with same schema, like access 172.20.1.x network from 172.20.1.x network.

I need same schema on other end because of disaster recovery plan.

Senario:

WAN -----------ASA Firewall --------------LAN 172.20.1.x

|

Additional LAN 172.20.1.x

My question is how can I access additional LAN network 172.20.1.x from orignal LAN 172.20.1.x network.

How can I accomplish this, Do I need to add other layer 3 device??

Any suggestion would be greatly appreciate..........

Thank you..

Jouni Forss · ‎01-07-2013

Hi,

First I would ask why is there 2 LANs with same network and why would you want to keep it that way?

If you need to have 2 different LANs connected to the ASA I would suggest simply changing the others network to something else to avoid problems.

If changing either networks address space is not "possible" I guess you would need to NAT both of the networks to make it possible for the 2 networks to communicate.

- Jouni

Abhishek Shah · ‎01-07-2013

Thank you for reply me back.

I have to use same IP schema on additional LAN because of the disaster recovery plan we are implementing.

Accorinding to disaster recovery plan we have to assign same IP address as my prodction server has.

Server ------------------------------------------------------ Server

| |

LAN 172.20.1.11 Additional LAN 172.20.1.11

In this case i can not change my IP schema.

What options I have to implemet this..

I did try with NAT but i can not assign same IP addres on both interface..

Will it be done by additional layer 3 device????

Abhishek Shah · ‎01-14-2013

I did Configure NAT on both Firewall still not able to access network with NATed IP address.

Can you please take a look at Configuration???

Thank you!!!!

frederic_hohn · ‎01-07-2013

Hi,

this documents show`s how to connect the two LANs using NAT to hide the real IPs.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080b37d0b.sht

Abhishek Shah · ‎01-07-2013

I know I can do that via VPN.

In my senario I had two network with IP schema and access via LAN not via WAN.

frederic_hohn · ‎01-07-2013

I dont think that this will be possible just with the LANs directly connected to the asa. If it is, i would like to see the config :) If there is no way to change the real IPs in the second LAN, i would use another l3-device to do the nat like in the vpn-scenario.

Sent from Cisco Technical Support Android App

Abhishek Shah · ‎01-07-2013

I am willing to buy a layer 3 device to get this going.

Can you please give some example, how can i implemet this?

Thank you....

frederic_hohn · ‎01-07-2013

If you attach another asa 5505 to the existing one using a seperate LAN on the link for example, you will have the scenario from the vpn document i posted. You dont need the vpn of course, only a single route to the "faked" LAN. But the natting would be the same like shown.

Sent from Cisco Technical Support Android App

Abhishek Shah · ‎01-07-2013

Sorry for the delay response.

Let say I have Prodauction Firewall as Firewall A and Additional Firewall as Firewall B

Firewall A:

Inside: 172.20.1.254

Outside: 1.1.1.1

DMZ: 192.168.1.1 with Security level 100

Firewall B:

Inside: 172.20.1.254

DMZ: 192.168.1.2 with Security level 100

Connect Firewall B interface in DMZ to Firewall interface A DMZ interface.

Is that senario will work, Do I need to configure NAT or Static route?

If you can broadly explain that will be really helpful..

Jouni Forss · ‎01-07-2013

Hi,

After this you would need to also

NAT Firewall A INSIDE to another /24 network, for example 10.10.1.0/24
NAT Firewall B INSIDE to another /24 network, for example 10.10.2.0/24
Add route on Firewall A for network 10.10.2.0/24 pointing towards Firewall B DMZ IP of 192.168.1.2
Add route on Firewall B for network 10.10.1.0/24 pointing towards Firewall A DMZ IP of 192.168.1.1

You need NAT for both INSIDEs towards the other INSIDE for the traffic to flow.

- Jouni

Abhishek Shah · ‎01-07-2013

Hello,

My both firewall has same Inside network as you exolain in previous example

I have Firewall A has 10.10.1.x network also Firewall B has 10.10.1.x network not the 10.10.2.x....

Also do i need to connect both firewall via DMZ interface????

Jouni Forss · ‎01-07-2013

Hi,

For the 2 overlapping networks of 172.20.1.0/24 to be able to connect to eachtother you will simply need to NAT both of the LANs to something else.

What I mean with the above is that

You Connect the ASAs through the DMZ interface
Firewall As network 172.20.1.0/24 will be NATed to 10.10.1.0/24 for example that it doesnt show to Firewall B with its original IP addresses
Firewall Bs network 172.20.1.0/24 will be NATed to 10.10.2.0/24 for example that it doesnt show to Firewall A with its ogirinal IP addresses

If you dont NAT both LAN networks they simply wont be able to connect to eachother because traffic wont be routed correctly. NAT networks can be something else than 10.10.x.0/24 if needed.

- Jouni

Abhishek Shah · ‎01-14-2013

So far I get this far...

Create Inside VLAN and DMZ vlan on both firewall and connect both firewall via DMZ, still not able access both networks via nated IP address.

Firewall A Firewall B

Inside: 172.20.1.1 Inside: 172.20.1.1

DMZ: 192.168.1.1 DMZ: 192.168.1.2

Inside Nated IP: 192.168.2.0 Inside Nated IP: 192.168.3.0

Here I attached Both Firewall configuration:

Firewall A

show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
<--- More --->

!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif dmz
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list new extended permit ip any any
access-list policy-nat extended permit ip 172.20.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_access extended permit ip any any
pager lines 24
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
<--- More --->

static (inside,dmz) 192.168.2.0 access-list policy-nat
access-group new in interface inside
access-group dmz_access in interface dmz
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
<--- More --->

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
<--- More --->

inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c543b6bfbaf778425d78f5a9dd20963e
: end

ciscoasa#

-------------------------------------------------------------------------------------------------------------------

Firewall B Configuration:

show run
: Saved
:
ASA Version 7.2(4)

!
hostname ciscoasa
enable
password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!

interface
Vlan1

nameif inside

security-level 100

ip address 172.20.1.1 255.255.255.0
!

interface Vlan2

nameif dmz

security-level 100

ip address 192.168.1.2 255.255.255.0

!

interface Ethernet0/0

!

interface Ethernet0/1

!

interface Ethernet0/2

!
<--- More --->

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 2
!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list new extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list new extended permit ip any any

access-list policy-nat extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list dmz_access extended permit ip any any

pager lines 24
mtu
inside 1500
mtu
dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable
arp
timeout 14400

static (inside,dmz) 192.168.3.0 access-list policy-nat

access-group new in interface inside

access-group dmz_access in interface dmz

route inside 192.168.3.0 255.255.255.0 192.168.1.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
<--- More --->

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
<--- More --->

inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c543b6bfbaf778425d78f5a9dd20963e
: end

ciscoasa#