03-24-2011 06:51 AM - edited 03-11-2019 01:12 PM
Hi all.
I am new to this Cisco world, but am trying to learn it.
I have a setup with a Cisco ASA5505 that has 3 VLANs:
1 = Outside = XXX.XXX.XXX.XXX is the interface IP (YYY.YYY.YYY.YYY is another IP from the ISP)
2 = LAN 1 = AAA.AAA.AAA.AAA (SMTP, HTTP forwarded on XXX.XXX.XXX.XXX)
3 = LAN 2 = BBB.BBB.BBB.BBB (SMTP, HTTP forwarded on YYY.YYY.YYY.YYY)
LAN 1 and LAN 2 need to go through Outside for Internet access, but don't need to have access to each other (2 different domains).
Everything is working with internet access, mail servers, web servers etc etc through the ASA.
But when the mail server on LAN 1 wants to send SMTP (or HTTP) to the mail server on LAN 2 through the Internet, I get the following error on the ASA:
Deny TCP reverse path check from XXX.XXX.XXX.XXX to YYY.YYY.YYY.YYY on interface outside
I have then tried to disable anti-spoofing on the outside interface, and then I get the following error:
Deny IP spoof from (XXX.XXX.XXX.XXX) to YYY.YYY.YYY.YYY on interface outside
Other mail servers on the Internet can send and receive SMTP to each of the mail servers, but the two servers can't send to each other through the Internet on the outside interface.
What am I doing wrong?
Do I need to have each Internet IP on its own outside VLAN, so that I get 2 outside VLANs? Or is it possible on one interface?
Best regards
Ramsgaard
03-25-2011 12:58 AM
Hi,
This is by design and totally expected. On the ASA we cannot access a second interface via a third one.
However, we can use destination NAT to achieve this.
We'll need the same port-forwarding commands between the LAN1 and LAN2 interfaces, except that they will be something like:
static (LAN1,LAN2) ..... or static (LAN2,LAN1) .....
With ACLs in place, we can control what kind of traffic flows between the interfaces. Here is an example.
! Three VLAN interfaces: outside (security-level 0) and two LANs at the same security level
interface vlan1
 nameif outside
 ip address 10.1.1.1 255.255.255.0
 security-level 0
interface vlan2
 nameif lan1
 ip address 10.2.2.1 255.255.255.0
 security-level 100
interface vlan3
 nameif lan2
 ip address 10.3.3.1 255.255.255.0
 security-level 100
! Default route towards the ISP gateway
route outside 0.0.0.0 0.0.0.0 10.1.1.2
! Port-forwards from the Internet: LAN1 servers behind the outside interface IP,
! LAN2 servers behind the second ISP address 10.1.1.5
static (lan1,outside) tcp interface 25 10.2.2.10 25
static (lan1,outside) tcp interface 80 10.2.2.10 80
static (lan2,outside) tcp 10.1.1.5 25 10.3.3.10 25
static (lan2,outside) tcp 10.1.1.5 80 10.3.3.10 80
! Inbound ACL on outside: only SMTP and HTTP to the two mapped addresses
access-list outin permit tcp any interface outside eq 25
access-list outin permit tcp any interface outside eq 80
access-list outin permit tcp any host 10.1.1.5 eq 25
access-list outin permit tcp any host 10.1.1.5 eq 80
access-group outin in interface outside
Now we can try the following additional commands for smtp/http traffic between lan1 & lan2.
! Required so that traffic may pass between the two security-level-100 interfaces
same-security-traffic permit inter-interface
! Hairpin statics: LAN2 hosts reach LAN1 servers on the outside interface IP,
! LAN1 hosts reach LAN2 servers on 10.1.1.5, without the packet ever leaving via outside
static (lan1,lan2) tcp 10.1.1.1 25 10.2.2.10 25
static (lan1,lan2) tcp 10.1.1.1 80 10.2.2.10 80
static (lan2,lan1) tcp 10.1.1.5 25 10.3.3.10 25
static (lan2,lan1) tcp 10.1.1.5 80 10.3.3.10 80
Paps
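The reply's config is in the pre-8.3 ASA `static` syntax (8.3 and later replace it with object/twice NAT, so the lines do not paste into a current ASA unchanged). To make the mechanism concrete, the following is an added example, not code from the thread or from Cisco: a small Python model of only the destination side of a `static (real,mapped) tcp MAPPED MPORT REAL RPORT` line, namely that a packet entering the mapped interface for MAPPED:MPORT is rewritten to REAL:RPORT and handed to the real interface. Interface addresses, the static lines and the sample flows are constructed from the reply's example; routing, ACLs, source PAT and the reverse-path/spoof checks from the question are deliberately not modelled. It shows why, with only the four `(lanX,outside)` statics, a LAN1 host sending to 10.1.1.5:25 has no translation on lan1 and is simply routed towards outside, while the extra `(lan2,lan1)` and `(lan1,lan2)` statics give that packet a direct path to the other LAN.

```python
"""Toy model of the destination side of a pre-8.3 Cisco ASA 'static' NAT.

Added example, not from the forum thread or from Cisco.  For a packet
entering interface M, a line
    static (R,M) tcp MAPPED_IP MPORT REAL_IP RPORT
rewrites destination MAPPED_IP:MPORT to REAL_IP:RPORT and hands the packet
to interface R.  Nothing else (routing, ACLs, source PAT, RPF) is modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: interface addresses from the reply's example config.
IFC_IPS = {"outside": "10.1.1.1", "lan1": "10.2.2.1", "lan2": "10.3.3.1"}

# Constructed: the four Internet-facing port-forwards from the reply.
BASE_STATICS = [
    "static (lan1,outside) tcp interface 25 10.2.2.10 25",
    "static (lan1,outside) tcp interface 80 10.2.2.10 80",
    "static (lan2,outside) tcp 10.1.1.5 25 10.3.3.10 25",
    "static (lan2,outside) tcp 10.1.1.5 80 10.3.3.10 80",
]

# Constructed: the same config plus the hairpin statics the reply proposes.
HAIRPIN_STATICS = BASE_STATICS + [
    "static (lan1,lan2) tcp 10.1.1.1 25 10.2.2.10 25",
    "static (lan1,lan2) tcp 10.1.1.1 80 10.2.2.10 80",
    "static (lan2,lan1) tcp 10.1.1.5 25 10.3.3.10 25",
    "static (lan2,lan1) tcp 10.1.1.5 80 10.3.3.10 80",
]


@dataclass(frozen=True)
class Static:
    real_ifc: str     # interface where the real host lives
    mapped_ifc: str   # interface on which the mapped address is reachable
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse_static(line: str) -> Static:
    """Parse 'static (real,mapped) tcp|udp mapped_ip mport real_ip rport'.

    The keyword 'interface' as mapped address means the mapped interface's
    own IP, as on the ASA.
    """
    tok = line.split()
    if len(tok) != 7 or tok[0] != "static":
        raise ValueError(f"unsupported static line: {line!r}")
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    mapped_ip = IFC_IPS[mapped_ifc] if tok[3] == "interface" else tok[3]
    return Static(real_ifc, mapped_ifc, tok[2], mapped_ip, int(tok[4]),
                  tok[5], int(tok[6]))


def translate_destination(config: List[str], ingress_ifc: str, proto: str,
                          dst_ip: str, dst_port: int
                          ) -> Optional[Tuple[str, str, int]]:
    """Return (egress_ifc, real_ip, real_port) for the first matching static,
    or None when no static applies and the packet would only be routed."""
    for s in (parse_static(line) for line in config):
        if (s.mapped_ifc == ingress_ifc and s.proto == proto
                and s.mapped_ip == dst_ip and s.mapped_port == dst_port):
            return (s.real_ifc, s.real_ip, s.real_port)
    return None


def lan1_mail_to_lan2(config: List[str]):
    """LAN1 mail server connects to LAN2's public SMTP address 10.1.1.5:25."""
    return translate_destination(config, "lan1", "tcp", "10.1.1.5", 25)


def lan2_client_to_lan1_web(config: List[str]):
    """LAN2 host connects to LAN1's public HTTP address (outside interface IP)."""
    return translate_destination(config, "lan2", "tcp", "10.1.1.1", 80)


def internet_to_lan1_mail(config: List[str]):
    """Internet host connects to 10.1.1.1:25 arriving on outside."""
    return translate_destination(config, "outside", "tcp", "10.1.1.1", 25)


if __name__ == "__main__":
    for name, cfg in (("base", BASE_STATICS), ("hairpin", HAIRPIN_STATICS)):
        print(f"[{name}] lan1 -> 10.1.1.5:25    =>", lan1_mail_to_lan2(cfg))
        print(f"[{name}] lan2 -> 10.1.1.1:80    =>", lan2_client_to_lan1_web(cfg))
        print(f"[{name}] outside -> 10.1.1.1:25 =>", internet_to_lan1_mail(cfg))
```

On the real box the equivalent check is `packet-tracer input lan1 tcp 10.2.2.10 1025 10.1.1.5 25`, which prints the NAT rule the ASA actually picks and the phase in which a packet is dropped, and `show xlate` confirms the translation once a session is up. Note that the hairpin statics also mean anything on LAN1 can reach LAN2's SMTP/HTTP ports directly; if the two domains must otherwise stay separated, restrict the lan1 and lan2 interface ACLs to those ports and hosts rather than relying on `same-security-traffic permit inter-interface` alone.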
03-25-2011 01:21 AM
Hi Paps,
It was just as I thought :-)
Thank you for your reply. I will look into the suggestion that you sent.
Best regards,
Ramsgaard