ASA 8.4 Two Public ranges

networks
Level 1

Hi,

I am implementing an internet bandwidth HA provision for a customer.

I am planning to assign 2 public ranges: a /26 public range for their routed network.

I also want to assign a /29 handoff network which will be configured between the ASA outside interface and our switch.

The customer has a concern that the Cisco ASA outside interface must be in the allocated range, as he will not be able to NAT the assigned range (routed network) due to the Cisco restriction from 8.4 onwards.

The customer will NAT his internal IPs (private range) to /26 public IPs on the firewall.

Handoff Net: 60.60.60.0 /29
Routed Net : 70.70.70.0 /26
LAN Net : 192.168.1.0 /24

Please advise if the above is possible on code 8.4.

--

Masroor Ahmed


Jouni Forss
VIP Alumni

Hi,

I just answered a post in this very section about this matter.

What the customer is most probably referring to is the 8.4(3) change, which means that the ASA wouldn't populate nonconnected networks in its ARP table.

Though as you mention that you will be routing the secondary subnet towards the ASA itself, there won't be any problems as ARP is out of the picture. The gateway router will not ARP for the secondary subnet's IP addresses' MAC addresses since it has a route for them and doesn't see the secondary subnet as a directly connected network.

If you had the gateway device hold both the public subnets on its gateway interface then you might run into problems. This is because the gateway device would now see the secondary subnet as directly connected and would ARP for the MAC addresses of the public IP addresses. But if you used 8.4(5) software, for example, you could just configure "arp permit-nonconnected" to revert the ASA ARP behaviour to the original before the change in 8.4(3).

So there should be no problem:

  • If you route the secondary subnet towards the ASA "outside" IP address which is part of the primary subnet.
  • If you have the secondary subnet as "secondary" in the gateway device gateway interface then you must enable "arp permit-nonconnected" on the ASA globally for the ASA to be able to populate its ARP table with nonconnected subnets.

You can read my previous reply today in this thread:

https://supportforums.cisco.com/thread/2223317?tstart=0

Also, my NAT 8.3+ documentation has a mention of this at the end of the document if you want to have a look:

https://supportforums.cisco.com/docs/DOC-31116#MULTIPLE-SUBNETS

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Thanks Jouni,

A few points to confirm before I check the software version with the customer.

"Though as you mention that you will be routing the secondary subnet towards the ASA itself, there won't be any problems as ARP is out of the picture. The gateway router will not ARP for the secondary subnet's IP addresses' MAC addresses since it has a route for them and doesn't see the secondary subnet as a directly connected network."

I believe you mean a static route 70.70.70.0 /26 via 60.60.60.1 (ASA outside interface) on the handoff network.

Assuming 60.60.60.5 is configured on my switch interface and 60.60.60.6 is the VIP for HA.

I understand the customer can simply NAT his internal IPs (192.168.1.0 /24) to (70.70.70.0 /26), routed NAT with static:

nat (OUTSIDE,INSIDE)
static (inside,outside) 70.70.70.34 192.168.1.34 netmask 255.255.255.255

Customer route for outbound:

route outside 0.0.0.0 0.0.0.0 60.60.60.6 1

Please advise on the above.

Hi,

There should be no problem if, as you say, the other subnet of 70.70.70.0/26 is routed from the upstream gateway towards the ASA "outside" IP address of 60.60.60.1.

As I mentioned above, there is no need for ARP on the upstream router as it has a route for the subnet 70.70.70.0/26 pointing towards the ASA and will therefore forward the traffic to the ASA. And since the ASA has the NAT configurations using those IP addresses it will know how to forward the traffic.

Also, as I said before, if the subnet 70.70.70.0/26 was actually configured on the same interface on the upstream router as the subnet 60.60.60.0/29 then you might run into problems with ARP, as the upstream router would see the subnet 70.70.70.0/26 as directly connected and therefore ARP for their MAC addresses. In that situation you would either have to change to the routing setup (which you seem to have currently) OR have the correct software level that supports the "arp permit-nonconnected" setting. OR you would have to use 8.4(2) software which didn't have this problem.

The Static NAT configuration that you mention is naturally the NAT configuration format used in software level 8.2 and earlier. In the 8.3+ software levels the NAT configuration format is totally different. But yes, your customer should be able to use the subnet 70.70.70.0/26 IP addresses without any problems.

To sum it all up: since you are routing the other subnet 70.70.70.0/26 towards the ASA, there should be no problems related to ARP.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni
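The routed-subnet design Jouni describes across both replies, written out as an added configuration example; it is not part of the original thread and not taken from Jouni's NAT document. It uses the addresses from the thread (60.60.60.0/29 handoff, 70.70.70.0/26 routed, 192.168.1.0/24 LAN, 60.60.60.1 as the ASA outside IP, 60.60.60.6 as the upstream HA VIP). The interface names, object names, the inside interface address, the public address picked for the outbound PAT pool (70.70.70.2), the upstream device speaking IOS-style syntax and the destination used in the packet-tracer check are all assumptions.

```cisco
! --- Upstream switch/router (assumed IOS-style syntax) ---
! Only the /29 lives on the gateway interface. The /26 is reached via a
! route, so the gateway ARPs for 60.60.60.1 only and never for 70.70.70.x.
interface Vlan60
 ip address 60.60.60.5 255.255.255.248
ip route 70.70.70.0 255.255.255.192 60.60.60.1

! --- ASA 8.4 ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 60.60.60.1 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Default route towards the upstream HA VIP, as in Masroor's post
route outside 0.0.0.0 0.0.0.0 60.60.60.6 1

! 8.3+ object NAT replaces the 8.2-style
! "static (inside,outside) 70.70.70.34 192.168.1.34 netmask 255.255.255.255".
! Static one-to-one mapping: 192.168.1.34 <-> 70.70.70.34
object network LAN-HOST-34
 host 192.168.1.34
 nat (inside,outside) static 70.70.70.34

! Outbound PAT for the rest of the LAN behind one address from the /26
! (70.70.70.2 is an assumed choice). Static object rules are evaluated
! before dynamic ones, so the host above keeps its one-to-one mapping.
object network LAN-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 70.70.70.2

! Only needed for Jouni's second option, where the gateway holds
! 70.70.70.0/26 as a "secondary" address on the handoff interface.
! Requires a release that has the command, e.g. 8.4(5) per the thread.
! arp permit-nonconnected

! Verification on the ASA (expected observations, not captured output):
! show nat detail   -> both object NAT rules listed with translate hit counts
! show xlate        -> 192.168.1.34 shown mapped to 70.70.70.34
! packet-tracer input inside tcp 192.168.1.34 1025 198.51.100.10 80
!                   -> NAT phase shows the static translation, result ALLOW
! On the gateway: show ip route 70.70.70.34 -> next hop 60.60.60.1, and its
! ARP table holds only 60.60.60.1, not any 70.70.70.x address.
```

The point of the layout is that the ASA outside interface stays inside the /29 handoff range, which is exactly what the customer worried about: no address from the /26 needs to sit on the outside interface, and because the gateway reaches the /26 via a route rather than via a connected subnet, the 8.4(3) change to nonconnected ARP entries never comes into play. If the upstream design later changes to a secondary address on the gateway interface, uncomment "arp permit-nonconnected" on a release that supports it, or the static and PAT addresses in the /26 will stop answering ARP.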

Many thanks Jouni for sharing good knowledge.
