ASA 5505 with two blocks of outside IPs...

Thomas.nelson4
Level 1

I am trying to configure my ASA 5505 security plus through ASDM to receive two blocks of outside IPs (each of which is on a different subnet and a different gateway ip) to translate to my internal server giving it public access... I have searched for days (and maybe incorrectly) but I am finally asking if anyone can help me out on the configuration of the ASA to support this... Any help is appreciated.

Thomas


hobbe
Level 7

Hi

The 5505 cannot do that as such.

It does not know how to do policy based routing.

So what you can do is always (except when it is down) use Internet link 1 for outbound traffic, and when it goes down you use link 2 (or you can separate the Internet in 2 parts and give half or a part of it to always go over link 1 and the other part over link 2).

At the same time as you are using link 1 and having link 2 as backup, you can use both link 1 and 2 for inbound connections; use the standard NAT/PAT (static) for that.

Many of us wish for the ASA to get policy based routing so we can solve this problem.

Good luck

HTH

Julio Carvajal
VIP Alumni

Hello Thomas,

I will be more than glad to help, but first I need to understand some things.

1) What version are you running?

2) What are you looking for with this? Redundancy, load balancing, etc. (as not all of the options are supported)

3) You will have 2 dedicated SVIs (VLANs) connecting to the internet, right?

Regards,


Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jennifer Halim
Cisco Employee

If I understand you correctly, you have 2 blocks of public IP addresses, and you just want to use them to configure NAT for your internal server.

If the above is correct, all you have to do is route those 2 blocks of public IP addresses towards the ASA outside interface (the interface that is connected to the internet).

Then just configure the necessary NAT translation and allow the inbound access via access-list and apply the access-list on the outside interface.

Hope that answers your question.
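
An added example (not from any poster in this thread) of the NAT and access-list steps described in the reply above. It assumes ASA 8.3 or later object NAT syntax, interfaces named inside and outside, the ISP routing both blocks to the ASA outside address, a single published HTTPS service, and constructed documentation addresses throughout:

```cisco
! Constructed addresses (assumptions, not from the thread):
!   192.168.1.10  = internal server
!   203.0.113.10  = public address taken from block 1
!   198.51.100.10 = public address taken from block 2
!
! One object per public address; both map to the same internal host.
object network SRV-VIA-BLOCK1
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
object network SRV-VIA-BLOCK2
 host 192.168.1.10
 nat (inside,outside) static 198.51.100.10
!
! On 8.3 and later the interface ACL matches the real (internal) address.
! Permit only the published port rather than "ip any"; everything else
! falls through to the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Check: simulate an inbound connection to the block 2 address and confirm
! the UN-NAT and ACCESS-LIST phases both report ALLOW.
! packet-tracer input outside tcp 192.0.2.1 12345 198.51.100.10 443
```

If the packet-tracer result is ALLOW but real traffic to the second block never arrives, the packets are not reaching the outside interface, which points at upstream routing or ARP rather than the NAT or access-list configuration.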

Thomas.nelson4
Level 1

Okay, you understand what I am doing... And I haven't replied to anyone else because I am unsure of what version of ASDM and ASA I am using, BUT, are you telling me that what I need to do isn't inside of the ASA as far as directing the IPs, but somewhere else? I'm sorry, but how do I direct the second block of IPs that is on a different subnet (even though it is a direct continuation of IPs) to the same part of my ASA when the gateway for my outside VLAN is set up for the gateway of the first block...

But how do I direct the second block of IPs that is on a different subnet (even though it is a direct continuation of IPs) to the same part of my ASA when the gateway for my outside VLAN is set up for the gateway of the first block?

A/ Proxy ARP if you are running a version lower than 8.4.3, or do a static ARP entry for those hosts (second subnet IPs) on the ISP primary gateway.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thomas.nelson4
Level 1

Okay, so I applied a proxy ARP to direct both outside IP addresses (the first in each block) to the outside interface MAC address, but it still isn't working... Did I skip something?
