Cisco ASA 5510 ios 9.1.1. Separate external IP for each internal network.

Alexander Nosov
Level 1

Greetings everybody!

I have ASA 5501 on 9.1.1 IOS

Also, I have three internal networks (internal1_lan, internal2_lan, wi-fi_lan) and two external ip-addresses (*.*.*.10 and *.*.*.11) provided by ISP.

I want that wi-fi_lan to use separate external ip.

internal1_lan and internal2_lan - *.*.*.10
wi-fi_lan - *.*.*.11

How can this be done?

ASA is in Routed mode.

9 Replies

I assume you want to use the existing external interface for this? If so, make sure that your ISP has that IP routed towards your ASA's external interface and then use dynamic NAT to translate the *.*.*.11 address to your wi-fi_lan subnet.

--
Please remember to select a correct answer and rate helpful posts

Marius, thank you for your answer!

I just cannot understand how to do what you have described.

This is what I have now:

---------------------------------------------------------------------------------------------
interface Ethernet0/0
nameif External
security-level 0
ip address *.*.*.10 255.255.255.240
!
interface Ethernet0/1
nameif Internal1_lan
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif Internal2_lan
security-level 95
ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/3
nameif wi-fi_lan
security-level 50
ip address 192.168.0.1 255.255.255.0
!

object network Adm1
nat (Internal1_lan,External) static interface service tcp 4512 45123

!
nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any interface

------------------------------------------------------------------------------------------------

I tried to do so:

      no nat after-auto 3
      object network wi-fi_ext_ip
        host *.*.*.11
      nat (wi-fi_lan,External) after-auto 3 source dynamic any wi-fi_ext_ip

and the Internet on the wi-fi interface was gone =(

Is there any specific reason why you are using the NATs after-auto?

Try the following configuration instead:

object network wi-fi_lan_ip
subnet 192.168.0.0 255.255.255.0
nat (wi-fi,External) source dynamic *.*.*.11

--
Please remember to select a correct answer and rate helpful posts

That is all because this exists:

object network Adm1
nat (Internal1_lan,External) static interface service tcp 4512 45123

!
nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any interface

If I set that rule after the main NAT rules, it doesn't work.

Maybe this is not correct... but I don't know any other way to make it work.

So, I tried to do as you said:

gw-v(config)# object network wi-fi_lan_ip
gw-v(config-network-object)# subnet 192.168.0.0 255.255.255.0
gw-v(config-network-object)# nat (wi-fi,external) source dynamic *.*.*.11
ERROR: % Incomplete command

After that, I tried to do so:

gw-v(config-network-object)# exit
gw-v(config)# nat (wi-fi,external) source dynamic *.*.*.11
ERROR: % Incomplete command

gw-v(config)# nat (wi-fi,external) source dynamic *.*.*.11 ?

configure mode commands/options:
  WORD       Specify object or object-group name for mapped source
  interface  Specify interface NAT
  pat-pool   Specify object or object-group name for mapped source pat pool

My bad, remove the source keyword:

object network wi-fi_lan_ip
subnet 192.168.0.0 255.255.255.0
nat (wi-fi,External) dynamic *.*.*.11

--
Please remember to select a correct answer and rate helpful posts

Remember that the nat statement should be nested under the object network wi-fi_lan_ip.

--
Please remember to select a correct answer and rate helpful posts

Well, I tried to implement that configuration, but failed to get internet connection =(

Also I tried to do this in ASDM:

... failed again.

If I remove flag "Add Automatic Address Translation Rules" everything works fine, but on the same external ip.

Is there any way to verify the correctness of the config?

I can give more info, just tell me what is necessary.

Hi,

To be honest the original configuration you had was pretty much the one I would have used. I prefer using Auto NAT for Static NAT and Static PAT while I use Manual NAT (Section 3) for the basic Dynamic PAT/NAT rules.

Naturally, in that configuration you were still using the "interface" IP address rather than the other public IP address provided by your ISP.

So you had this originally:

nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any interface

You would have needed to do this to change the "wi-fi_lan" Dynamic PAT address:

object network PAT-x.x.x.11
host x.x.x.11

no nat (wi-fi_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any PAT-x.x.x.11

Naturally the "object" name can be anything you want it to be.

The above configuration should make it possible for the Wifi to have its own Dynamic PAT IP address when using the Internet.

You can confirm the translation by using the "packet-tracer" command on the CLI:

packet-tracer input wi-fi_lan tcp 192.168.0.100 12345 8.8.8.8 80

The output should tell us what the Dynamic PAT translation IP address for this simulated connection/packet would be.

If the traffic is still PATing to the "interface" IP address, there is a possibility that you have some overriding NAT rule on the firewall. Naturally, it's also possible that there is some problem on the ISP side. The "packet-tracer" command will tell if the configurations are correct.

- Jouni
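The reason the three suggestions in this thread behave differently comes down to the order in which the ASA walks its NAT table: Section 1 (manual NAT without after-auto), then Section 2 (object NAT nested under "object network"), then Section 3 (manual NAT with after-auto), first match wins. The model below is an added example written for this thread, not Cisco code and not anything posted by Jouni or Marius. It parses the subset of ASA NAT syntax used above into that ordered table and answers the same question Jouni's packet-tracer line asks: which mapped address a packet from 192.168.0.100 on wi-fi_lan would get. The sample config is constructed from the poster's interfaces; 198.51.100.10 and 198.51.100.11 stand in for the masked *.*.*.10 and *.*.*.11, and the Adm1 host address 10.0.0.5 is invented. The Section 2 sort (static before dynamic, fewer real addresses first) is a simplification of the ASA's ordering, and interface names are matched against the exact nameif, so a rule written for "wi-fi" would never see traffic from an interface named "wi-fi_lan".

```python
"""Constructed model of Cisco ASA NAT rule selection (Sections 1-3).

Section 1: manual NAT without 'after-auto'; Section 2: object (auto) NAT nested
under 'object network'; Section 3: manual NAT with 'after-auto'. First match wins.
Covers only the syntax used in the thread; it is not the ASA's own code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    section: int                                # 1 manual, 2 object, 3 after-auto
    src_iface: str                              # nameif the rule is keyed on
    src_net: Optional[ipaddress.IPv4Network]    # None means 'any'
    real_port: Optional[int]                    # set for static PAT with 'service'
    mapped: str                                 # resolved mapped (public) address
    kind: str                                   # 'static' or 'dynamic'
    line: str                                   # originating config line


OBJ_NAT = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)(?: service tcp (\d+) \d+)?$")
MANUAL_NAT = re.compile(r"nat \((\S+),(\S+)\)( after-auto)?(?: (\d+))? source (static|dynamic) (\S+) (\S+)$")


def parse_asa_nat(config: str, interface_ip: dict) -> list:
    """Build the ordered NAT table from ASA-style config text."""
    objects, sections, current = {}, {1: [], 2: [], 3: []}, None

    def resolve(name: str, out_iface: str) -> str:
        if name == "interface":                 # PAT to the egress interface address
            return interface_ip[out_iface]
        if name in objects:                     # mapped address given as an object
            return str(objects[name].network_address)
        return name                             # literal address, as in Marius's form

    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            objects[current] = ipaddress.ip_network(m.group(1))
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := MANUAL_NAT.match(line):
            current = None                      # back at global config level
            in_if, out_if, after, pos, kind, src, mapped = m.groups()
            sec = 3 if after else 1
            rule = NatRule(sec, in_if, None if src == "any" else objects[src], None,
                           resolve(mapped, out_if), kind, line)
            # an explicit position ('after-auto 3') inserts at that slot of the section
            sections[sec].insert(int(pos) - 1 if pos else len(sections[sec]), rule)
        elif m := OBJ_NAT.match(line):
            in_if, out_if, kind, mapped, real_port = m.groups()
            sections[2].append(NatRule(2, in_if, objects[current],
                                       int(real_port) if real_port else None,
                                       resolve(mapped, out_if), kind, line))
    # Section 2 is not first-come: static before dynamic, then fewer real addresses first
    sections[2].sort(key=lambda r: (r.kind != "static", r.src_net.num_addresses))
    return sections[1] + sections[2] + sections[3]


def lookup(rules, src_iface: str, src_ip: str, src_port: Optional[int] = None):
    """Return (mapped address, matching rule line) for a packet entering src_iface, or None."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src_iface not in (src_iface, "any"):
            continue                            # NAT is keyed on the exact nameif
        if r.src_net is not None and ip not in r.src_net:
            continue
        if r.real_port is not None and src_port != r.real_port:
            continue                            # static PAT only covers its service port
        return r.mapped, r.line
    return None                                 # no rule matched: leaves untranslated


def packet_tracer(rules, args: str):
    """Mimic 'packet-tracer input <if> <proto> <src> <sport> <dst> <dport>', NAT phase only."""
    _, in_if, _proto, src, sport, _dst, _dport = args.split()
    return lookup(rules, in_if, src, int(sport))


# Constructed sample modelled on the thread (public IPs and the Adm1 host are placeholders).
INTERFACE_IP = {"External": "198.51.100.10"}
BASE = """
object network Adm1
 host 10.0.0.5
 nat (Internal1_lan,External) static interface service tcp 4512 45123
!
nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
"""
ORIGINAL = BASE + "nat (wi-fi_lan,External) after-auto source dynamic any interface\n"
# Jouni's form: a host object for the second public IP replaces 'interface' as the PAT address
JOUNI = BASE + """
object network PAT-198.51.100.11
 host 198.51.100.11
!
nat (wi-fi_lan,External) after-auto source dynamic any PAT-198.51.100.11
"""
# Marius's form: object NAT (Section 2) added while the original after-auto rule is still there
MARIUS = ORIGINAL + """
object network wi-fi_lan_ip
 subnet 192.168.0.0 255.255.255.0
 nat (wi-fi_lan,External) dynamic 198.51.100.11
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("after-auto+object", JOUNI), ("object NAT", MARIUS)):
        rules = parse_asa_nat(cfg, INTERFACE_IP)
        print(name, packet_tracer(rules, "input wi-fi_lan tcp 192.168.0.100 12345 8.8.8.8 80"))
```

Running it shows the original config PATs the wi-fi host to 198.51.100.10, Jouni's after-auto replacement moves it to 198.51.100.11, and Marius's object NAT also yields 198.51.100.11 because Section 2 is consulted before the leftover Section 3 rule. The same lookup shows why the Adm1 static PAT does not disturb ordinary outbound traffic: it only claims packets from 10.0.0.5 on TCP port 4512, so everything else from Internal1_lan falls through to the after-auto interface PAT.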

Have you verified that the *.*.*.11 address is routed to the outside interface of the ASA, or is within the subnet of the outside interface IP?

Could you post a full configuration of your ASA (change any sensitive information contained within the configuration)?

--
Please remember to select a correct answer and rate helpful posts