ASA 5510-Query

Anukalp S
Level 1

Hi..

I have taken a new internet link from ISP for my new office. I am planning to terminate link directly on ASA since we want to save the cost for router.

I am not sure if this setup is more secure and functions fine. Need more inputs on this.

Also I am provided with the below IPs, so I need help to configure this on the mentioned setup.

PE IP : x.x.x.17/30
CE IP : x.x.x.18/30
Public IP pool : y.y.y.28/28


6 Replies

Jouni Forss
VIP Alumni

Hi,

I don't see a problem with the setup. The ASA is a security device and is supposed to be located on the edge of the network. Naturally there are setups where there is even a device in front of the ASA filtering traffic that can reach the ASA.

The configuration of the "outside" interface should be pretty basic, just like any other ASA interface.

For example:

interface Ethernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address x.x.x.18 255.255.255.252
 no shutdown

route outside 0.0.0.0 0.0.0.0 x.x.x.17

Naturally you will need the basic NAT configuration and such for the whole setup to work.

Your public IP pool's network address doesn't however match the network mask of /28.

But if you have an additional public subnet/network allocated by the ISP then you can start directly configuring NAT configuration using its IP addresses. Or perhaps even use it behind the actual ASA firewall depending on your needs.

Depending on what software you are using on the ASA firewall there might be some things you need to take into consideration with this additional public subnet.

I imagine that the ISP has routed that public subnet towards your IP address of x.x.x.18?

Hope this helps

- Jouni

Hi Jouni..

Thanks for your information; actually the public IP pool mentioned above is just an example.

So you mean to say that if we go with this setup then a /32 IP is not required to be configured. I need to configure an IP from the public pool on the outside interface and then PAT it with my inside IPs.

I am running 8.4(5) software.

Hi,

I am not sure if I understood you correctly here, but correct me if I am wrong.

You have

  • A small subnet of /30 mask that is configured directly between your ASA and the ISP gateway
  • A small subnet of /28 mask that will be used for NAT purposes

If you just wanted to configure a Dynamic PAT for all your LAN users then you can also use the "outside" interface IP address and not waste any public IP addresses from the actual extra public subnet you got from your ISP.

If you for example just had "inside" and "outside" interfaces and a network 10.10.10.0/24 behind the "inside" interface then you could configure the default Dynamic PAT rule like this, for example:

object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

What I am wondering about is the additional public subnet of /28 mask. Has the ISP said that they have routed the network towards your public IP address that is configured on the ASA "outside" interface? Or is that subnet also configured on their gateway device?

In that case you might have to enable this command also.

arp permit-nonconnected

This will enable you to use a subnet on the ASA for NAT when that subnet is not configured on any actual interface of your ASA. And to me this seems to be the case in your setup, since you have been allocated 2 public subnets.

But whether you need this configuration depends totally on how the ISP has handled the second subnet of /28 mask. If it's routed towards your ASA "outside" interface IP address then there is no problem. If they have configured that network directly on their gateway device then you will need the above command to be able to use those IP addresses in your NAT configuration and for them to work.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Or ask more if needed

- Jouni

Hi Jouni..

The ISP has routed this /28 public pool towards the CE IP (x.x.x.18), which is configured on the outside interface. In that case my inside IPs would be PATed with x.x.x.18.

But I am wondering how static NAT would work. If I do static NAT with a /28 public pool then how will it work, since this pool is not configured anywhere? And what would be the ARP of this NAT IP?

Need your help on this please.

Hi,

You are correct about the Dynamic PAT address. It's the one configured in my above reply.

Now with regards to the second subnet.

The good thing in your case is that the ISP has routed this network towards your ASA "outside" interface IP address. This means that when traffic is coming from the Internet towards some public IP address from the ISP gateway then the ISP gateway will simply forward the traffic to your ASA.

When the ASA receives the traffic it naturally sees traffic coming towards one of its Static NAT IP addresses and everything works just fine provided the Static NAT configuration, the ACL allowing the traffic and the actual server is configured correctly.

ARP doesn't come into play at any point here with regards to the public subnet with /28 mask. Since the ISP has a route for that network towards the ASA "outside" interface it will NEVER ARP for the MAC address of the server. This is because ARP is only used if the device sees the subnet as directly connected. Now that the ISP has a route for the network behind some other L3 hop in the network it simply forwards the traffic to the ASA.

So there should be no problems related to ARP with your setup.

There isn't any problem having these public IP addresses as NAT IP addresses in your ASA's configuration either. This is a very typical scenario and in your case should not cause any problems.

- Jouni
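Putting the pieces of this thread together in 8.4(5) syntax, as an added example that is not from any of the posts above: the outside interface and default route, the Dynamic PAT to the interface address, and a Static NAT for one server out of the routed /28. The server address 10.10.10.10, the object names and the public address y.y.y.30 are assumed placeholders, like the x.x.x/y.y.y addresses in the thread.

```text
! Outside interface on the /30 towards the ISP PE, default route to the PE
interface Ethernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address x.x.x.18 255.255.255.252
 no shutdown
!
route outside 0.0.0.0 0.0.0.0 x.x.x.17
!
! Dynamic PAT for the LAN behind "inside" to the outside interface IP (x.x.x.18)
object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
!
! Static NAT for one internal server using an address from the /28 the ISP
! routes to x.x.x.18; the /28 is not configured on any ASA interface
object network WEB-SERVER
 host 10.10.10.10
 nat (inside,outside) static y.y.y.30
!
! On 8.3+ the interface ACL matches the real (untranslated) address,
! so permit only the service the server actually exposes
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
!
! Only needed if the ISP put the /28 directly on its gateway instead of
! routing it to x.x.x.18 (see the earlier reply); not required for this thread's case
! arp permit-nonconnected
```

Because the /28 is routed to x.x.x.18, the PE never ARPs for y.y.y.30; `show nat detail` and `show xlate` on the ASA confirm the translation is in place once the server is reachable.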

Thanks Jouni..

It means that the second subnet does not need to be configured on any interface, and if it is static NATed with any server then this will work fine. This was actually my concern.
