Multiple outside interface on Cisco ASA5512 version 9.5(1)

johnbloods
Level 1

Hi, I would need some assistance on how to configure 2 outside interfaces. One ISP (outside) interface has a /28 IP address and the other one has a /30 IP address. My intention is to put the servers behind the FW so that each ISP is related to one of the inside (server) interfaces, so it's not a failover connection for the outside interface. PFA network diagram for better understanding. Each server needs bidirectional connections like the Internet and RDP, and some ports need to be blocked. There is 1 server that does have a dedicated public IP /30; I need to connect it to the FW to set some limitations on the ports. I'm trying to simulate it using our spare ASA5512 but I'm having a hard time making it work. I don't know if it's doable or not. Please advise. Thanks.


! ISP 1 (/28)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside-2
 security-level 100
 ip address 10.0.0.1 255.255.240.0
!
! ISP 2 (/30)
interface GigabitEthernet0/2
 nameif outside-1
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/3
 nameif inside-3
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
object network Server-1
 host 10.0.0.2
! Server-2 sits on inside-3 (172.16.1.0/24)
object network Server-2
 host 172.16.1.15
!
! Post-8.3 ACLs match the real (inside) address, not the mapped one
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq www
access-list OUT_IN extended permit tcp any host 10.0.0.2 eq 3389
access-list OUT_IN extended deny icmp any any echo
!
object network Server-1
 nat (inside-2,outside) static x.x.x.x
! (x.x.x.x above: next available public IP in the /28)
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 <ISP-1 gateway> 1

16 Replies

Hi, the Internet is working fine based on the configuration you suggested, which is shown on the attached network diagram, but the only concern is: what is the correct configuration for the ACL, NAT and network object/service to enable the outside network to access the inside network (server-2), permitting services like SSH, Telnet, RDP and so on and denying some ports?

First of all, according to your diagram image, the IP address configured on interface Gig 0/0 (OUTSIDE) is wrong. 199.98.9.12 255.255.255.252 is a network ID, and the usable IP addresses are 199.98.9.13 and 199.98.9.14. On the other hand, the default gateway you configured, 199.98.9.11, is outside this IP range and is the broadcast IP of the earlier subnet 199.98.9.8/30, so it is not usable.

I would suggest you first resolve these IP configuration issues.

The NAT is configured to NAT WWW traffic only.
The ACL is configured to allow WWW and RDP traffic.
The given configuration is correct to allow WWW services to be forwarded to 172.16.1.15 (subject to the rectified IP configuration).
If you want to allow more services you can create multiple NAT rules and update the ACL accordingly.

If you are still having issues, PM me and I will help you online remotely.

H2H
### RATE ALL HELPFUL RESPONSES ###
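Following the advice above of one NAT rule per service, here is an added example (not from the thread or from Cisco) of how Server-2 on inside-3 could be published through the /30 ISP-2 link: since a /30 leaves no spare public address, each service is static-PAT'ed to the outside-1 interface address, and the ACL on outside-1 permits only the wanted ports from a constructed management range (203.0.113.0/24 and the object names are placeholders).

```cisco
! Server-2 as seen on inside-3
object network Server-2
 host 172.16.1.15
!
! One network object per forwarded service: an object can carry only one nat statement.
! "static interface service" maps the real port to the same port on the outside-1 address.
object network Server-2-rdp
 host 172.16.1.15
 nat (inside-3,outside-1) static interface service tcp 3389 3389
object network Server-2-ssh
 host 172.16.1.15
 nat (inside-3,outside-1) static interface service tcp 22 22
!
! Placeholder for the only sources allowed to reach the management services
object network MGMT-NET
 subnet 203.0.113.0 255.255.255.0
!
! ACLs on 8.3+ match the real (inside) address, so the rules reference Server-2, not the mapped IP
access-list OUT1_IN extended permit tcp object MGMT-NET object Server-2 eq 3389
access-list OUT1_IN extended permit tcp object MGMT-NET object Server-2 eq 22
! A port that must stay closed gets an explicit deny with logging so attempts are visible
access-list OUT1_IN extended deny tcp any object Server-2 eq telnet log
! Anything not listed is dropped by the implicit deny at the end of the list
access-group OUT1_IN in interface outside-1
```

Because the NAT statements map to the interface address, no extra public IP from the ISP is needed; a service that should never be reachable from the Internet simply gets no nat statement and no permit line.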