cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2799
Views
0
Helpful
19
Replies

Connect IPS ASA5510 to CSC ASA5510

hnbbank01
Level 1
Level 1

Hello all,

I’m trying to figure out the best way to connect two ASA 5510’s together and have run into a bit of a snag.  I have two ASA 5510's, one has a CSC-SSM and will act as a Firewall, Antivirus and VPN (I'll call it the CSCASA) and the other has an AIP-SSM and will be solely used for IPS (I'll call it the IPSASA).

I had the CSCASA setup and working fine using PAT and tcp bypass (so I can get to my networks behind the MPLS) but now I want to put the IPSASA between my LAN and the CSCASA.  I know that I will have to move the tcp bypass settings and static routes over to the IPSASA.

The CSCASA Ethernet 0/0 will connect to my ISP, Ethernet 0/1 will connect to Ethernet 0/0 on the IPSASA.  Ethernet 0/1 on the IPSASA will connect to my LAN switch.  I would like to have all inbound traffic flowing through the IPSASA scanned by the IPS and outbound traffic not scanned.

We are using several different networks (all 192.168.xxx.0).  Some of these networks are remote offices that connect to our corporate network (192.168.120.0) through an MPLS network.  All Internet traffic will go through the 192.168.120.0 network and out the IPSASA and CSCASA.  I thought I would be able to assign CSCASA Ethernet 0/1 a 192.168.120.x address and IPSASA Ethernet 0/0 a 192.168.120.x address but I was not able to do this.  Cisco recommended I use a different address to connect these two interfaces so I am using 192.168.230.1 and 192.168.230.2 for the respective interfaces.

What is the proper way to handle NAT in a situation like this with two ASA's?  I can't see the point in having two devices performing NAT on traffic.  I tried using "nat (inside) 0 192.168.0.0 255.255.0.0 0 0" on the IPSASA but it doesn't seem to work.

Please let me know if I am way off base here.  Thanks for your help.

19 Replies 19

Hey Neil,

Can you also attach the entire output of the below:

packet-tracer input FW udp 192.168.251.2 514 192.168.100.112 514 detail

Regards,

Prapanch

Prapanch,

HNBASA55101# packet-tracer input FW udp 192.168.251.2 514 192.168.100.112 514

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.0   LAN

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FW_access_in in interface FW
access-list FW_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (FW) 25 access-list CSC_to_Server outside
nat-control
  match ip FW host 192.168.251.2 LAN host 192.168.100.112
    dynamic translation to pool 25 (192.168.100.99 [Interface PAT])
    translate_hits = 4724, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.251.2/514 to 192.168.100.99/939 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (FW) 25 access-list CSC_to_Server outside
nat-control
  match ip FW host 192.168.251.2 FW host 192.168.100.8
    dynamic translation to pool 25 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (LAN) 0 192.168.0.0 255.255.0.0
nat-control
  match ip LAN 192.168.0.0 255.255.0.0 FW any
    identity NAT translation, pool 0
    translate_hits = 2541, untranslate_hits = 0
Additional Information:

Result:
input-interface: FW
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Neil,

I see where the problem lies. Dont know how i missed it all this while. Anyway, add the below commands and see if it fixes the issue:

static (LAN,FW) 192.168.100.8 192.168.100.8

static (LAN,FW) 192.168.100.10 192.168.100.10

static (LAN,FW) 192.168.100.38 192.168.100.38

static (LAN,FW) 192.168.100.112 192.168.100.112

I am assuming these are the only 4 servers. If there are more, you will need to add the same commands for them as well. Also, in future, as you add newer servers, you will need to add the same command for them as well.

You can avoid this by just simply removing the command "nat-control" and hence you can remove the command "nat (LAN) 0 192.168.0.0 255.255.0.0" as well.


You can try out either of the above options. Let me know how it goes!!

Regards,

Prapanch

Prapanch,

That worked!  Thank you very much for solving that one.  It was driving me nuts.

My only problem now is configuring my IPSec VPN.  I had it setup so that it would give out a 192.168.100.0 address when logging on VPN users but with that address range, I'm getting translation errors.  I'm going to work on that and see if I can figure it out now that you gave me so much information on how this thing works.

Thanks again for all of your help.

Neil

Hey Neil,

Glad that i could help. Please mark this post as Answered if all is resolved then.

Regards,

Prapanch

Review Cisco Networking for a $25 gift card