cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2976
Views
5
Helpful
19
Replies

Assigning multiple Public IP's to ASA 5512-X

machine23
Level 1
Level 1

Hi , 

I have been provided with 5 usable ip's x.x.x.x/29 from the ISP

I need to assign 5 public ips to my ASA using VLANS 

How do i go about configuring the outside interface?

Currently WAN connection goes to int 0/0 and I have assigned that an IP address provided -81.209.115.101 I would like to assign the second IP on 0/0.200 another available ip -81.209.115.102

Inside network is not yet ready -- but assume there is one ( how would the NAT /ACL's be done in this situation)

Please can someone advice me on this configuration...

 

Thanks:) 

19 Replies 19

kubn2
Level 1
Level 1

Hi,

 

Well the whole post is a little unclear, for me at least. 

At the very begginig you said you need to assign 5 public ips to one interface.

After that you talking about to sub interface assiging 10.20.30.200 ip which is private IP.

It matter becuse configuration will differ if your ISP want you to do encapsulation on the WAN interface or not.

Also do you want to make one vlan = 1 public ip or all vlans using pool of all avaiable IPs?

 

Hi Sorry  i cannot post any configs yet as not much has been done.. I have updated the IP address .. its a public one.

 

So yes I need for eg:  vlan1 - with 1 public ip , vlan2 with the another public ip and so on ..

 

So the outside interface where the WAN line comes in, how would that be configured and from there how can I assign available public ips to different vlans.. 

 

Thanks for your inputs and help.

 

For one interface on ASA you can assign only one ip address. So from the pool of 5 addresses assign one to WAN interface.

I don't have ASA avaiable now but configuration can look like this:

create access list called for example: "V10" and permit in this acl whole Vlan 10 subnet so for example 10.10.10.0 255.255.255.0

after that create nat (inside) 10 access-list V10

after that global (outside) 10 81.209.115.102.

So now all traffic from Vlan 10 which is 10.10.10.0/24 should use public ip of 81.209.115.102. 

Now you just repat this for each subnet but do not reuse V10 or 10 number because it will messup.

@kubn2 your post cites the old (pre-8.3) NAT syntax.

@machine23 you should use object NAT. Create an object for each internal VLAN/subnet and then an associated NAT rule telling the ASA that any traffic from a given source subnet gets translated to a specified public IP.

The easiest setup (and most common) is to have your five internal subnets on 5 different VLANs on a L3 switch. The gateway for each subnet is an SVI on the switch. The switch has a sixth subnet that connects it to the ASA and the ASA inside address is the default route for the switch.

Say your internal subnets are 192.168.1.0/24 through 192.168.5.0/24. ASA interfaces are named inside and outside.

object network vlan2_public
 host 81.209.115.102
object network vlan2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) static vlan2_public

..and so forth for VLANS 3-5.

Since you want to use the existing outside interface address for one VLAN (say VLAN 1), it uses a slightly different configuration and can be done as follows:

nat (inside,outside) after-auto source dynamic any interface

That will also handle any other internal subnets you might add in the future.

@kubn2 - thanks for your input 

 

@Marvin Rhoads  My internal subnet plans are exactly like what you have specified. 

Makes more sense now.  Only confusion is how would I configure my outside interfaces - this is how i would have it please let me know if this is the right way or not..

interface GigabitEthernet1/1
nameif Inside_1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
description STATE Failover Interface
!
interface GigabitEthernet1/7
description LAN Failover Interface
!
interface GigabitEthernet1/8
nameif Outside
security-level 0
ip address 81.209.115.101 255.255.255.248
!
interface GigabitEthernet1/8.102
vlan 102
nameif TEST1
security-level 0
ip address 81.209.115.102 255.255.255.248
!
interface GigabitEthernet1/8.103
vlan TEST2
nameif TEST2
security-level 0
ip address 81.209.115.103 255.255.255.224

 

 

 

 

You don't give the outside secondary or subinterface configurations. Just the single interface IP is assigned under config-if.

The other NAT addresses are automatically assigned to the outside based on the facts that:

a. the nat statements say (inside,outside) and

b. the assigned addresses are ones that would normally use the outside interface for egress - either because they're part of a connected network (which they are) or are reachable via the ASA's routing table.

If/when you use subinterfaces is when the connection from the ASA is a trunk (802.1q). We almost never see that on an ASA outside interface. Sometimes I've seen people use it on the inside when they want the ASA to be the gateway for multiple subnets and don't want to use multiple physical interfaces for that.

@Marvin Rhoads @kubn2  Thank you for the reply .. I will be more specific in what needs to achieved , as now i have started to configure.

So if we can just look at the GUEST network and make that work I can then replicate to the others aka BLACK,WHITE,BROWN

I have a 24 Port  layer 3 Switch with VLANS Similar to the ASA interfaces VLAN..with IP addresses set accordingly - Im guessing i do not need to trunk ? it should just work as the ASA is configured native vlan.

An Example of my requirement which will make more sense :-

1- I plug in a machine on a port on the Switch on the GUEST VLAN ( a link from the GUEST VLAN is going to interface 0/5 on the ASA also on the same VLAN) 

2- I want that machine to get DHCP from the ASA 

3- It has to have the public IP as per config below (GUESTWAN-8.161.119.237)

Is my connection from the Switch to the ASA right?

Then comes NAT/ACL's where I need help :o I sincerely appreciate any help :) 

ASA Version 9.1(2)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 8.161.119.133 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.50
vlan 50
nameif BLACK
security-level 100
ip address 192.168.50.254 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.90
vlan 90
nameif WHITE
security-level 100
ip address 192.168.90.254 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.70
vlan 70
nameif BROWN
security-level 100
ip address 192.168.70.254 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Guest network
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5.80
vlan 80
nameif GUEST
security-level 100
ip address 192.168.80.254 255.255.254.0
!
interface Management0/0
management-only
nameif managment
security-level 0
ip address 192.168.100.100 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name wifi.local
object network BLACKWAN
host 8.161.119.234
description BLACK
object network WHITEWAN
host 8.161.119.235
description WHITE
object network BROWNWAN
host 8.161.119.236
description BROWN
object network GUESTWAN
host 8.161.119.237
description Guest
object network GUEST-Inside
subnet 192.168.80.0 255.255.254.0
object network BLACK-Inside
subnet 192.168.50.0 255.255.255.0
object network WHITE-Inside
subnet 192.168.90.0 255.255.255.0
object network BROWN-Inside
subnet 192.168.70.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object GUEST-Inside
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network GUEST-Inside
nat (GUEST,Outside) static GUESTWAN
access-group Outside_access_in in interface Outside
!
dhcpd address 192.168.80.3-192.168.80.243 GUEST
dhcpd enable GUEST
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 6
subscribe-to-alert-group configuration periodic monthly 6
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cbb2fa37e5ae6946462449f62baa195a
: end

 


 

Your proposed configuration has trunking configured. That's only necessary if you need to transport multiple logical VLANs with their associated IP traffic on the same physical interface.

So get rid of that and do something like this:

interface GigabitEthernet0/5
description Guest network
nameif GUEST
security-level 100
ip address 192.168.80.254 255.255.254.0

Then cable one physical switch port to each ASA physical interface that's in use for your internal VLANs / subnets.

 

Your outside interface (8.161.119.133 255.255.255.248) is not in the same subnet as the assigned static NAT addresses. That's OK as long as your provider knows to expect those addresses and will route traffic to them back to your ASA.

 

Your NAT rules should look something like this:

object network GUEST-Inside
  subnet 192.168.80.0 255.255.254.0
  nat (GUEST,outside) dynamic GUESTWAN

They are "Dynamic PAT with AutoNAT. You can see a comprehensive description of the various types with configuration examples here:

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#dynamicpat

 

Why do you want to allow all traffic from the Internet inbound to your Guest subnet? That's not advisable. Return traffic for sessions initiated internally will automatically be allowed since the ASA is a stateful firewall and keeps track of TCP sessions and UDP flows.

@Marvin Rhoads @Marvin Rhoads  The connection between the ASA and SW worked great after getting rid the VLAN and following your advise.

According to ISP-

8.161.119.232/29

Default Gateway:            8.161.119.238

Usable IPs:                        8.161.119.233-237

Subnet Mask:                    255.255.255.248

I have NAT'ed as per your advise and no joy - *PACKET TRACER - Nat-xlate-failed

From the ASA-Outside int I can ping the gateway(.238) and .233 address .. nothing else.

I do not want traffic inbound I was just trying different settings.

Your outside interface config says:

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 8.161.119.133 255.255.255.248

Did you mean for it to be .233?

Hi sorry I meant it to be .233

OK. So the IP was incorrect. Given that, what's the correct current configuration and what are you trying to packet-trace?

What was failing to ping (source IP and location and destination address)?

Ping through an ASA firewall does not work by default. You need to add icmp inspection. Ping is generally not a good test to use with firewalls since it is connectionless and stateless It may succeed while a stateful protocol like tcp fails due to asymmetric routing or other factors.

Just tried - packet-tracer input Outside icmp 192.168.80.254 0 1 8.161.119.237 xml and got error:

nat-no-xlate-to-pat-pool) Conneciton PAT address without pre-existing xlate

 

Current Config:

 

ASA Version 9.1(2)

xlate per-session deny BLACKp any4 any4

xlate per-session deny BLACKp any4 any6

xlate per-session deny BLACKp any6 any4

xlate per-session deny BLACKp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

interface GigabitEthernet0/0

 nameif Outside

 security-level 0

 ip address 8.161.119.233 255.255.255.248

!

interface GigabitEthernet0/1

 nameif BLACK

 security-level 100

 ip address 192.168.50.254 255.255.255.0

!

interface GigabitEthernet0/2

 

 nameif WHITE

 security-level 100

 ip address 192.168.90.254 255.255.255.0

!

interface GigabitEthernet0/3

 

 nameif BROWN

 security-level 100

 ip address 192.168.70.254 255.255.255.0

!

interface GigabitEthernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/5

 

 nameif GUEST

 security-level 100

 ip address 192.168.80.254 255.255.254.0

!

interface Management0/0

 management-only

 nameif managment

 security-level 0

 ip address 192.168.1000.100 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

 domain-name wifi.local

object network BLACKWAN

 host 8.161.119.234

 description BLACK

object network WHITEWAN

 host 8.161.119.235

 description WHITE

object network BROWNWAN

 host 8.161.119.236

 description BROWN

object network GUESTWAN

 host 8.161.119.237

 description Guest

object network GUEST-Inside

 subnet 192.168.80.0 255.255.254.0

object network BLACK-Inside

 subnet 192.168.50.0 255.255.255.0

object network WHITE-Inside

 subnet 192.168.90.0 255.255.255.0

object network BROWN-Inside

 subnet 192.168.70.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

 service-object ip

 service-object BLACKp

 service-object icmp echo-reply

object-group icmp-type ICMP

 icmp-object echo-reply

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object GUEST-Inside

access-list GUEST_access_in extended permit ip any any

!

object network GUEST-Inside

 nat (GUEST,Outside) dynamic GUESTWAN

access-group Outside_access_in in interface Outside

access-group GUEST_access_in in interface GUEST

!

dhcpd address 192.168.80.2-192.168.80.253 GUEST

dhcpd enable GUEST

!

 

You should try:

packet-tracer input GUEST icmp 192.168.80.1 0 1 8.161.119.238 xml

The input nameif should be where the source address would be expected to originate. It should also be a host - not the ASA interface address. We can never originate traffic from an ASA interface that has a different egress interface. The destination address should be something upstream of the ASA - next hop or something in the Internet for example. Putting in the NAT address will never result in a good reply since you cannot connect to or successfully ping your own public IP from your private IP.

You didn't have icmp inspection on according to your initial config posted so I assume it's still not there. Without that, actual pings will never work (although packet-tracer would since it only analyzes the outbound traffic and doesn't verify return traffic).

Review Cisco Networking for a $25 gift card