09-02-2014 05:04 AM - edited 03-12-2019 06:07 PM
Hello
Can anyone shed some light on a problem I'm having. We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services, but I cannot think how I can do this/configure this.
LAN > ASA5505 > VDSL Modem > ISP
the range they have given us is
Number of IP addresses: 8
IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
Subnet mask: 255.255.255.248
Subnet in slash notation: XX.XX.XXX.40 /29
Network address: XX.XX.XXX.40
XX.XX.XXX.41
XX.XX.XXX.42
XX.XX.XXX.43
XX.XX.XXX.44
XX.XX.XXX.45
XX.XX.XXX.46 Router
Broadcast address: XX.XX.XXX.47
Router address: XX.XX.XXX.46
I have set up XX.XX.XXX.46 on the outside interface, and hosts inside can access the net, and NAT from the internet to internal devices all works.
We have a VDSL modem connected to the outside interface, and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing, and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback.
any info or advice would be gratefully received.
regards
C.
09-03-2014 12:18 AM
Hi,
Since you have the public subnet pointed to your asa outside interface ip from your isp..... so you do not need to worry about anything..... you can use other ip addresses for your NAT/PAT.... for testing you can remove the NAT statement as interface to a different ip in that stack....
say nat (inside,outside) dynamic <x.x.x.41>
It will work.... in case if you want to use the spare ip address for a servers inside the network.... you need to do the static nat.... for those servers with that ip range..... allow the required traffic to the server on outside interface acl....
Regards
Karthik
09-03-2014 01:35 AM
In a scenario like yours, it's very likely that the provider has routed the extra network to your PPPoE-assigned address. With that you need three config elements (I assume you are running an actual ASA v8.4 or newer):
arp permit-nonconnected
09-03-2014 01:35 AM
Hello
The version is Cisco Adaptive Security Appliance Software Version 9.2(2)4.
Debugging ICMP I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
The NAT rules I have are
nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
object-group service DM_INLINE_TCP_7 tcp
port-object eq 902
port-object eq www
port-object eq https
thanks for the help
09-03-2014 01:49 AM
Hi,
If you procure a subnet from the ISP, it should be routed to your device from their subnet...
You can ping x.x.x.46 because it is a connected interface IP.... you cannot ping the other one because you have just allowed port forwarding..... it cannot be checked with ping.....
To test that you should do....
from an outside PC.... do telnet x.x.x.45 80 / telnet x.x.x.45 443, else do a real test using a browser.....
Regards
Karthik
09-03-2014 02:08 AM
Thank you for the advice, this is now working. Using the telnet test worked, and I was baffled not being able to ping the IP when that would never be possible.
Thank you again
c.
09-03-2014 02:21 AM
> how does zen know to route the xx.xx.xx.41 to .45 ip addresses to the firewall using the .46 address?
That's their task to configure it.
> i see no pings/traffic received on the asa for the other addresses.
Have you configured arp permit-nonconnected? After thinking twice again, that's not needed in this scenario when the network is routed to the ASA.
And it seems that your ACL/NAT doesn't allow icmp/echo.
Why have you configured no-proxy-arp on your NAT rules?
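To pull together Karthik's advice on using the spare addresses and the later points about ICMP and the ACL, here is an added example configuration (not the original poster's or any replier's own config) for an ASA 9.x with the /29 routed to the PPPoE address. Interface names are taken from the original post; the inside addresses, the object names and the Admin_PC source host are assumptions.

```cisco
! Added example, not the thread's own configuration. Interface names follow
! the original post; 192.168.200.x and 203.0.113.25 are constructed values.
! The ISP routes XX.XX.XXX.40/29 to the PPPoE-assigned .46, so the other
! addresses in the block can simply be used as mapped addresses in NAT rules.
!
! 1. Outbound PAT for the LAN on a spare address (.41) instead of the
!    interface address, as Karthik suggested.
object network LAN_Vlan200
 subnet 192.168.200.0 255.255.255.0
 nat (Vlan200_Int,Outside_Dirty_Int) dynamic XX.XX.XXX.41
!
! 2. Static PAT (port forwarding) for one inside server behind .45:
!    outside .45:65100 -> inside :80 and outside .45:65101 -> inside :443.
!    Object NAT takes one service per object, so one object per real port.
object network ESXi_www
 host 192.168.200.10
 nat (Vlan200_Int,Outside_Dirty_Int) static XX.XX.XXX.45 service tcp www 65100
object network ESXi_https
 host 192.168.200.10
 nat (Vlan200_Int,Outside_Dirty_Int) static XX.XX.XXX.45 service tcp https 65101
!
! 3. Inbound ACL on the outside interface. Since 8.3 the ACL matches the
!    real (untranslated) address and port; only the admin host is permitted,
!    not "any", as in the original poster's Click_PC rule.
object network Admin_PC
 host 203.0.113.25
access-list Outside_Dirty_Network_access_in extended permit tcp object Admin_PC object ESXi_www eq www
access-list Outside_Dirty_Network_access_in extended permit tcp object Admin_PC object ESXi_https eq https
access-group Outside_Dirty_Network_access_in in interface Outside_Dirty_Int
!
! Only TCP 65100/65101 are translated for .45, so a ping to .45 is expected
! to fail; test from outside with "telnet XX.XX.XXX.45 65100" or a browser.
```

The ACL entries name the real inside objects and real ports because post-8.3 ASA code evaluates interface ACLs on untranslated addresses.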
09-03-2014 02:25 AM
Thank you for the reply and the info, I have now got it working :)