How can I utilize multiple internet IP addresses on an ASA interface

jimmyc_2
Level 1

I have a single ASA and multiple internet IP addresses available. I'll have internal networks InsideA and InsideB, which will be on separate subnets.

I would like four external interfaces, OutsideW, OutsideX, OutsideY, and OutsideZ. I have been allotted several internet IP addresses, but they are contiguous. That means I can not create a subinterface for each IP, as they would overlap. I don't believe ASAs have standby interfaces. Is there a way I can take advantage of the multiple internet addresses?


13 Replies

Jouni Forss
VIP Alumni

Hi,

You don't tell us why you would want to configure such a setup. What would be your aim?

The only thing you can do is use these different public IP addresses as NAT IP addresses on the ASA, whether they are configured directly on the "outside" interface or not.

So can you please clarify what the purpose of even attempting something like this would be?

- Jouni

Hi Jouni,

The setup is partially legacy, and we are consolidating several off-site proxies into one area.

I think what you are saying is I have no need for multiple IPs. I can take my multiple "inside" networks and push them out over one IP. Then I would use Policy NAT to separate which inside PC went to which final destination. Is that what you are saying?

I would prefer to have my Inside1 network as isolated as possible from my Inside2 network.   Inside1 will be general internet, Inside2 will be important financial information.

Can I have general internet traffic use one IP address, and have the financial information come in on another?

Thanks.

Hi,

If you have a small public subnet on your current "outside" interface on the ASA then there's nothing stopping you from giving each of your internal LAN networks their own public NAT IP address with which they are visible to the Internet. This can be done by configuring Dynamic PAT.

Naturally if you have 2 different LAN networks (interfaces) on the ASA then there is also nothing stopping you from completely blocking the traffic between these 2 LAN segments (interfaces).

If you wish so, you are naturally also able to use the remaining public IP addresses for Static NAT for the different hosts/servers behind your ASA's LAN interfaces. That is if you need to provide connectivity to some of your servers through the Internet.

I am still not 100% sure on how you want to setup the ASA and your network.

- Jouni

Hi,

I think you need the config below:

interface GigabitEthernet0/1
description 802.1q Trunking Interface for test networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.2
description Test Subnet 1
vlan 2
nameif test1
security-level 90
ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet0/1.3
description Test Subnet 2
vlan 3
nameif test2
security-level 80
ip address 10.1.2.254 255.255.255.0

I hope the above config helps you.

Bye

Thanks Jouni,

I do have a small subnet of public addresses on the outside, let's say 50.50.50.1 - 50.50.50.7.

How can I take advantage of the six usable addresses? There are no secondary addresses on the ASA. And I can't configure six outside interfaces, since they are all in the same subnet. That is my basic problem.

Many thanks.

Hi,

You can't split that single subnet to several interfaces on the ASA as you say. Also notice that if you have a /29 subnet then it means you will have 8 IP addresses of which 5 are USABLE.

  • 1 IP address is the subnet/network address and CAN'T BE USED
  • 1 IP address needs to be used for the gateway of that network and CAN'T BE USED on the ASA
  • 1 IP address is the broadcast IP address of the subnet/network and CAN'T BE USED

So as you can see, you can only use 5 public IP addresses.

The only situation on an ASA where you could possibly split even those 5 IP addresses to 5 different interfaces would be to configure the ASA in Multiple Context mode.

This would essentially mean virtualizing your ASA and configuring 5 virtual firewalls in that single hardware. Then you could share the same "outside" interface on each virtual firewall and have a different public IP address for each firewall. This would also essentially provide the isolation that you want between the local networks. Of course provided that the networks behind the ASA aren't tied together also.

Though, while the virtual firewall might suit your needs better in your situation (if I understood your needs correctly) it would most probably mean that you would have to get additional licenses from Cisco to enable those features. You can confirm the support for Security Contexts with the "show version" command on the ASA. It should list the amount, provided your ASA supports them.

- Jouni

Thanks again Jouni.  

Is there a way to use the multiple internet addresses? 

Is Policy-Nat going to help me here, where Inside1 uses one internet address, and Inside2 uses another?

I'm still confused on how Policy-Nat works, and I've looked at three examples in the textbooks.

Thanks.

Hi,

You can naturally give different local networks different public IP addresses towards the Internet.

For example let's say you have

  • 2 local networks 10.10.10.0/24 and 10.10.20.0/24
  • 2 interfaces called "lan-1" and "lan-2"
  • 1 wan interface called "wan"

And the requirement is that all the hosts on each local network should be PATed to their own public IP address.

Then you could configure

ASA 8.2 and older software level

global (wan) 10 1.1.1.1
global (wan) 20 1.1.1.2
nat (lan-1) 10 10.10.10.0 255.255.255.0
nat (lan-2) 20 10.10.20.0 255.255.255.0

ASA 8.3 and newer software level

object-group network LAN-1-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
object-group network LAN-2-PAT-SOURCE
network-object 10.10.20.0 255.255.255.0
object network PAT-IP-1
host 1.1.1.1
object network PAT-IP-2
host 1.1.1.2
nat (lan-1,wan) after-auto source dynamic LAN-1-PAT-SOURCE PAT-IP-1
nat (lan-2,wan) after-auto source dynamic LAN-2-PAT-SOURCE PAT-IP-2

The above would configure Dynamic PAT using different public IP addresses for each LAN.

Naturally you can also configure Static NAT for your servers in addition to this if you need.

But as I said I am not completely sure of your setup and its requirements.

- Jouni

One last question: what would the WAN interface configuration look like?

That's where I get confused.

Thanks.

Hi,

Well let's say you have the network 50.50.50.0/29

  • 50.50.50.0 is the network address
  • 50.50.50.1 is the ISP gateway
  • 50.50.50.2 is the ASA "wan" interface IP address
    • Can be used for NAT also
  • 50.50.50.3 free to be used with NAT
  • 50.50.50.4 free to be used with NAT
  • 50.50.50.5 free to be used with NAT
  • 50.50.50.6 free to be used with NAT
  • 50.50.50.7 is the broadcast address of the subnet. Can't be used for NAT

Your WAN interface would be configured the same way as always.

interface GigabitEthernet0/0
description WAN
nameif wan
security-level 0
ip address 50.50.50.2 255.255.255.248

route wan 0.0.0.0 0.0.0.0 50.50.50.1

Then you can basically configure the available public IP address for different NAT as you see fit.

- Jouni
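An added example, not part of the thread: a Python check of the address plan from Jouni's two replies above (the /29 usable-address count and the per-LAN Dynamic PAT) that rejects network, broadcast and gateway addresses and double assignments before emitting the ASA 8.3+ lines. The helper names, the object naming scheme and the sample plan are my own assumptions; the addresses are the thread's examples.

```python
import ipaddress

# Constructed plan with the thread's example addresses: a /29 public block,
# ISP gateway .1, ASA "wan" interface .2, and one PAT address per LAN.

def usable_nat_addresses(block, gateway, asa_ip):
    """Public addresses the ASA can use for NAT: host addresses of the block
    minus the ISP gateway. Network and broadcast are not hosts; the ASA's own
    interface address stays, because it can carry NAT as well."""
    net = ipaddress.ip_network(block, strict=True)
    gw, asa = ipaddress.ip_address(gateway), ipaddress.ip_address(asa_ip)
    if gw not in net or asa not in net:
        raise ValueError("gateway and ASA interface address must be in the block")
    return [a for a in net.hosts() if a != gw]

def validate_plan(block, gateway, asa_ip, lan_pats):
    """lan_pats: (lan_nameif, local_subnet, public_pat_ip) tuples.
    Returns a list of problems; an empty list means the plan is sound."""
    usable = set(usable_nat_addresses(block, gateway, asa_ip))
    errors, seen = [], set()
    for nameif, local, pub in lan_pats:
        pub_ip = ipaddress.ip_address(pub)
        if pub_ip not in usable:
            errors.append(f"{nameif}: {pub} is network, broadcast or gateway")
        elif pub_ip in seen:
            errors.append(f"{nameif}: {pub} already assigned to another LAN")
        seen.add(pub_ip)
    return errors

def build_pat_config(block, gateway, asa_ip, wan_if, lan_pats):
    """ASA 8.3+ lines for the per-LAN dynamic PAT the thread describes,
    plus the default route, generated only from a validated plan."""
    problems = validate_plan(block, gateway, asa_ip, lan_pats)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"route {wan_if} 0.0.0.0 0.0.0.0 {gateway}"]
    for nameif, local, pub in lan_pats:
        net, tag = ipaddress.ip_network(local), nameif.upper()
        lines += [f"object-group network {tag}-PAT-SOURCE",
                  f" network-object {net.network_address} {net.netmask}",
                  f"object network PAT-IP-{tag}", f" host {pub}",
                  f"nat ({nameif},{wan_if}) after-auto source dynamic "
                  f"{tag}-PAT-SOURCE PAT-IP-{tag}"]
    return lines

if __name__ == "__main__":
    plan = [("lan-1", "10.10.10.0/24", "50.50.50.3"),
            ("lan-2", "10.10.20.0/24", "50.50.50.4")]
    print("\n".join(build_pat_config("50.50.50.0/29", "50.50.50.1", "50.50.50.2", "wan", plan)))
```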

I think I got it.   This is a tremendous help.  Will give it a shot in the lab and will close the trail soon.

Thanks again.

Hi Jouni,

Can I also use two different RIPE blocks on the same wan interface?

We set up the new ASAv on ESXi and our servers are currently using multiple smaller RIPE Blocks (8 to 16 IPs). As we want to move the servers behind the firewall, I added them as "Public Server" for testing purposes.

This only works if the servers are using an IP address of the same RIPE Block as the wan interface of the ASAv.

Can we use some routing to use a different gateway for another RIPE Block?

Currently, I have added the following static routes:

route wan 0.0.0.0 0.0.0.0 xxx.xxx.100.1 1
route wan xxx.xxx.xxx.200 255.255.255.248 xxx.xxx.xxx.206 1

xxx.xxx.100.1 => Gateway of first RIPE Block
xxx.xxx.xxx.200 => Network of second RIPE Block
xxx.xxx.xxx.206 => Gateway of second RIPE Block

Otherwise, I have to get a new and bigger RIPE Block and exchange all the public IPs of our current servers.

Thanks

Patrick

Hi,

I forgot to mention that we're using an OVH VRack.

https://docs.ovh.com/gb/en/dedicated/ip-block-vrack/

Thanks

Patrick
