ASA 5512 with multiple public IP

jet.chuk
Level 1

We configured 3 public IPs pointing to (NAT) 3 internal IPs, one by one.

The gateway of all 3 internal IPs is set as the internal port of the ASA 5512.

When we clear the gateway on one of the 3 internal IPs (the first one), the other network interface (the second one) goes down for a few minutes. But when we make the same change on the second one, the first one has no impact (does not go down).

What could cause the impact to the second one when we clear the gateway setting of the first one?

Is it stable with multiple public IPs NATed to separate internal IPs?

Thanks in advance.

7 Replies

Hi jet.chuk@gzmeg,

Can you post your rough network diagram with an issue you are facing?

Spooster IT Services Team

This is our diagram

First issue:

When we clear the gateway of A, the internet connection of B breaks for a few minutes.

When we add the gateway of A back, the internet connection of B breaks for a few minutes again.

Another issue (it has not appeared again since we changed to a new server and firewall):

2 months ago, we couldn't access C from outside (Internet).

Then we accessed it from another server through the internal IP, and could not ping the gateway 10.1.0.254 from C.

After changing the internal IP of C, it could ping the gateway, and after changing the NAT on the 5512, we could access C from outside. But after a while, we could not access C from outside again.

Every time we changed the internal IP of C and the NAT, we could only access C from outside for a while.

Hi Jet,

Which version is installed on the ASA?

Can you share with us the NAT config and the access-list configured for all these 3 servers?

ASA 9.1(2)

FW-5512# show xlate
37 in use, 455 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:10.1.0.1 to outside:123.17.104.53
flags s idle 0:00:00 timeout 0:00:00
NAT from inside:10.1.0.3 to outside:123.17.104.50
flags s idle 0:00:02 timeout 0:00:00
NAT from inside:10.1.0.8 to outside:123.17.104.56
flags s idle 0:00:07 timeout 0:00:00
TCP PAT from inside:10.1.0.33 3389-3389 to outside:123.17.104.51 33891-33891
flags sr idle 877:23:51 timeout 0:00:00
NAT from inside:10.1.0.57 to outside:123.17.104.57
flags s idle 1:07:10 timeout 0:00:00
NAT from inside:10.1.0.58 to outside:123.17.104.58
flags s idle 0:35:19 timeout 0:00:00
NAT from inside:10.1.0.59 to outside:123.17.104.59
flags s idle 1:07:02 timeout 0:00:00
NAT from inside:10.1.0.60 to outside:123.17.104.60
flags s idle 0:35:31 timeout 0:00:00
NAT from inside:10.1.0.61 to outside:123.17.104.61
flags s idle 0:00:25 timeout 0:00:00
NAT from inside:10.1.0.63 to outside:123.17.104.63
flags s idle 162:34:38 timeout 0:00:00
NAT from inside:10.1.0.200 to outside:123.17.104.52
flags s idle 0:00:09 timeout 0:00:00
NAT from inside:10.1.0.240 to outside:123.17.104.49
flags s idle 1:04:32 timeout 0:00:00
TCP PAT from inside:10.1.0.250 22-22 to outside:123.17.104.51 2223-2223
flags sr idle 313:00:03 timeout 0:00:00
TCP PAT from inside:10.1.0.250 80-80 to outside:123.17.104.51 12588-12588
flags sr idle 315:03:47 timeout 0:00:00
ICMP PAT from inside:10.1.0.250/43572 to outside:123.17.104.51/43572 flags ri idle 895:56:51 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/24865 to outside:123.17.104.51/24865 flags ri idle 896:36:47 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/63821 to outside:123.17.104.51/63821 flags ri idle 895:04:41 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/29711 to outside:123.17.104.51/29711 flags ri idle 824:50:09 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/31306 to outside:123.17.104.51/31306 flags ri idle 895:11:41 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/44598 to outside:123.17.104.51/44598 flags ri idle 895:52:44 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/29219 to outside:123.17.104.51/29219 flags ri idle 900:53:15 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/55402 to outside:123.17.104.51/55402 flags ri idle 894:03:37 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/3602 to outside:123.17.104.51/3602 flags ri idle 897:08:02 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/22076 to outside:123.17.104.51/22076 flags ri idle 895:40:55 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/6722 to outside:123.17.104.51/6722 flags ri idle 895:28:52 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/32334 to outside:123.17.104.51/32334 flags ri idle 908:06:33 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/65402 to outside:123.17.104.51/65402 flags ri idle 893:30:35 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/33151 to outside:123.17.104.51/33151 flags ri idle 897:43:51 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/35187 to outside:123.17.104.51/35187 flags ri idle 893:45:43 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/38153 to outside:123.17.104.51/38153 flags ri idle 897:25:50 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/6507 to outside:123.17.104.51/6507 flags ri idle 898:25:53 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/33381 to outside:123.17.104.51/33381 flags ri idle 894:14:38 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/42345 to outside:123.17.104.51/42345 flags ri idle 898:28:53 timeout 0:00:30
UDP PAT from inside:10.1.0.250/56316 to outside:123.17.104.51/56316 flags ri idle 448:30:08 timeout 0:00:30
ICMP PAT from inside:10.1.0.250/9779 to outside:123.17.104.51/9779 flags ri idle 895:59:54 timeout 0:00:30
ICMP PAT from inside:10.1.0.249/27517 to outside:123.17.104.51/27517 flags ri idle 0:00:11 timeout 0:00:30
ICMP PAT from inside:10.1.0.249/41287 to outside:123.17.104.51/41287 flags ri idle 211:05:55 timeout 0:00:30

===
FW-5512# show configuration
: Saved
: Written by enable_15 at 11:57:52.611 HKST Fri Jul 28 2017
!
ASA Version 9.1(2)
!
hostname FW-5512
domain-name h.hk
enable password n111f3F/8dn encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.17.104.51 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.0.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address



===
access-list inside_out extended permit icmp any any
access-list inside_out extended permit udp 10.1.0.0 255.255.255.0 any
access-list inside_out extended permit tcp 10.1.0.0 255.255.255.0 any
access-list inside_out extended permit ip host 10.1.0.248 host 211.176.13.65
access-list outside_in extended permit tcp any host 10.1.0.1 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.3 object-group M_D_service
access-list outside_in extended permit ip host 141.23.16.140 host 10.1.0.3
access-list outside_in extended permit icmp any host 10.1.0.1
access-list outside_in extended permit tcp any host 10.1.0.200 object-group E_service
access-list outside_in extended permit icmp any host 10.1.0.3
access-list outside_in extended permit ip host 59.96.19.142 host 10.1.0.1
access-list outside_in extended permit ip host 14.25.19.199 host 10.1.0.1
access-list outside_in extended permit icmp any host 10.1.0.250 echo-reply
access-list outside_in extended permit ip object-group G_su host 10.1.0.3
access-list outside_in extended permit tcp object-group G_su host 10.1.0.3
access-list outside_in extended permit udp object-group G_su host 10.1.0.3
access-list outside_in extended permit icmp object-group G_su host 10.1.0.3
access-list outside_in extended permit tcp any host 10.1.0.250 object-group C_service
access-list outside_in extended permit icmp any host 10.1.0.249
access-list outside_in extended permit udp any host 10.1.0.249
access-list outside_in extended permit ip any host 10.1.0.249
access-list outside_in extended permit tcp any host 10.1.0.249
access-list outside_in extended permit tcp object-group G_su host 10.1.0.240 object-group G_su_services
access-list outside_in extended permit tcp any host 10.1.0.240 object-group M_B_service
access-list outside_in extended permit tcp object-group g_server host 10.1.0.240 object-group sservice
access-list outside_in extended permit ip host 211.176.13.65 host 10.1.0.240
access-list outside_in extended permit tcp object-group 26th host 10.1.0.240
access-list outside_in extended permit icmp any host 10.1.0.240 echo-reply
access-list outside_in extended permit tcp object-group G_su host 10.1.0.240 object-group sservice
access-list outside_in extended permit ip host 13.227.19.106 host 10.1.0.1
access-list outside_in extended permit tcp host 13.227.19.106 host 10.1.0.1
access-list outside_in extended permit udp host 13.227.19.106 host 10.1.0.1
access-list outside_in extended permit icmp host 13.227.19.106 host 10.1.0.1
access-list outside_in extended permit tcp any host 10.1.0.8 object-group M_B_service
access-list outside_in extended permit tcp object-group G_su host 10.1.0.8 object-group G_su_services
access-list outside_in extended permit tcp object-group g_server host 10.1.0.8 object-group sservice
access-list outside_in extended permit tcp object-group 7_26th host 10.1.0.8
access-list outside_in extended permit ip host 211.176.13.65 host 10.1.0.8
access-list outside_in extended permit icmp any host 10.1.0.8 echo-reply
access-list outside_in extended permit icmp any host 10.1.0.8
access-list outside_in extended permit tcp any host 10.1.0.57 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.58 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.59 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.60 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.63 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.61 object-group M_L_61_service

===
arp inside 10.1.0.1 1401.ec2f.0e83
arp inside 10.1.0.3 f091.1c12.7df3
arp timeout 3600
arp permit-nonconnected
!
object network M_L
nat (inside,outside) static 123.17.104.53
object network M_D
nat (inside,outside) static 123.17.104.50
object network cactiweb
nat (inside,outside) static interface service tcp www 12588
object network E
nat (inside,outside) static 123.17.104.52
object network cac
nat (inside,outside) static interface service tcp ssh 2223
object network internal
nat (inside,outside) dynamic interface
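
A small audit script for the two outputs pasted above, added here as an example and not taken from the thread. It parses a trimmed excerpt of the `show xlate` table and of the `outside_in` access-list (constructed sample input, copied from the dump above) and reports, per inside host, its static one-to-one NAT mapping and any `outside_in` entries that permit an `any` source without a port or type qualifier. The regular expressions, function names and the "broad rule" definition are my own assumptions; the xlate regex targets the 9.1 output format shown in the thread, and older or newer releases may print the table differently. The wide-open `permit ip any host 10.1.0.249` style entries in the config above are exactly what the check surfaces, which makes it a useful before/after comparison when NAT and ACL entries are being changed as described in the first post.

```python
"""Audit an ASA 'show xlate' dump against its outside_in access-list.

Added example (not from the thread): lists, per inside host, its static
one-to-one NAT mapping and any outside_in rules that permit an 'any'
source with no port/type qualifier.
"""
import re

# Constructed sample: trimmed excerpt of the 'show xlate' output posted in the thread.
XLATE_SAMPLE = """\
37 in use, 455 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:10.1.0.1 to outside:123.17.104.53
flags s idle 0:00:00 timeout 0:00:00
NAT from inside:10.1.0.3 to outside:123.17.104.50
flags s idle 0:00:02 timeout 0:00:00
TCP PAT from inside:10.1.0.33 3389-3389 to outside:123.17.104.51 33891-33891
flags sr idle 877:23:51 timeout 0:00:00
ICMP PAT from inside:10.1.0.250/43572 to outside:123.17.104.51/43572 flags ri idle 895:56:51 timeout 0:00:30
ICMP PAT from inside:10.1.0.249/27517 to outside:123.17.104.51/27517 flags ri idle 0:00:11 timeout 0:00:30
"""

# Constructed sample: trimmed excerpt of the outside_in access-list posted in the thread.
ACL_SAMPLE = """\
access-list outside_in extended permit tcp any host 10.1.0.1 object-group M_L_service
access-list outside_in extended permit tcp any host 10.1.0.3 object-group M_D_service
access-list outside_in extended permit ip host 141.23.16.140 host 10.1.0.3
access-list outside_in extended permit icmp any host 10.1.0.250 echo-reply
access-list outside_in extended permit icmp any host 10.1.0.249
access-list outside_in extended permit udp any host 10.1.0.249
access-list outside_in extended permit ip any host 10.1.0.249
access-list outside_in extended permit tcp any host 10.1.0.249
"""

# Assumed patterns for the 9.1-style output shown above. A one-to-one NAT line
# carries its flags on the following line; PAT lines may carry them inline.
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<iif>\w+):(?P<real>[\d.]+)(?:[/ ]\S+)? to "
    r"(?P<oif>\w+):(?P<mapped>[\d.]+)(?:[/ ]\S+)?"
    r"(?:\s+flags (?P<flags>\S+))?"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>.+?) host (?P<dst>[\d.]+)(?: (?P<rest>.+))?$"
)


def parse_xlate(text):
    """Return one dict per translation entry (proto is None for one-to-one NAT)."""
    lines = text.splitlines()
    entries = []
    for i, line in enumerate(lines):
        m = XLATE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        # Flags for NAT/TCP/UDP PAT entries sit on the next line: "flags s idle ..."
        if flags is None and i + 1 < len(lines) and lines[i + 1].startswith("flags "):
            flags = lines[i + 1].split()[1]
        entries.append({
            "proto": m.group("proto"),
            "real": m.group("real"),
            "mapped": m.group("mapped"),
            "static": "s" in (flags or ""),
        })
    return entries


def parse_acl(text):
    """Return the access-list entries that target a single destination host."""
    return [m.groupdict() for m in map(ACL_RE.match, text.splitlines()) if m]


def is_broad(rule):
    """'any' source and no port/type qualifier on ip, tcp or udp (assumed definition)."""
    return (rule["action"] == "permit" and rule["src"] == "any"
            and rule["proto"] in ("ip", "tcp", "udp") and rule["rest"] is None)


def audit(xlate_text, acl_text):
    """Per destination host: its static one-to-one mapping (or None) and broad rules."""
    static_map = {e["real"]: e["mapped"] for e in parse_xlate(xlate_text)
                  if e["static"] and e["proto"] is None}
    report = {}
    for rule in parse_acl(acl_text):
        host = report.setdefault(
            rule["dst"], {"static_nat": static_map.get(rule["dst"]), "broad_rules": []})
        if is_broad(rule):
            host["broad_rules"].append(f"{rule['proto']} any -> host {rule['dst']}")
    return report


def hosts_with_broad_rules(report):
    """Sorted list of inside hosts that have at least one unrestricted inbound permit."""
    return sorted(h for h, v in report.items() if v["broad_rules"])


if __name__ == "__main__":
    rep = audit(XLATE_SAMPLE, ACL_SAMPLE)
    for host, info in sorted(rep.items()):
        mapping = info["static_nat"] or "none (dynamic PAT only)"
        print(f"{host:12} static NAT -> {mapping:26} broad rules: {len(info['broad_rules'])}")
```

Run against the full dump rather than the excerpt by pasting the complete `show xlate` and `show running-config access-list` output into the two strings; hosts that show broad rules but no static mapping are reachable only through the interface PAT, so the rules are dead weight until a static NAT is added, at which point they become an unrestricted exposure.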

Hi jet.chuk@gzmega,

Are these physical servers or VMs? If they are VMs, then make sure that the switchport where the physical host is connected is configured as "spanning tree portfast". Otherwise spanning tree will take some time to converge if you make any changes on the server side.

Spooster IT Services Team

Physical servers.

PS. There is an HP switch between the 5512 and the servers.
