01-21-2013 04:37 PM - edited 03-11-2019 05:50 PM
We have two non-adjacent Class C addresses from our ISP, we will call them 200.200.200.0/24 and 201.201.201.0/24. We started to migrate from a PIX 515UR to an ASA5510 ( Software Version 8.3(2) ).
The PIX was using the 200 Subnet, we then used the ASA with the 201 Subnet. Moving over Public Mapped Servers gave us some issues. You could Hit the server with a Request and it would get the request from the Proper IP, though it would send out the reply with an IP from the other Subnet.
When Internal Machine 10.1.0.10 goes to whatismyip.com it returns an address from the 201.201.201-NAT-POOL, not the Address that I gave it from the 200.200.200.0/24 subnet.
Is there anything I can do to make it so the users that use the firewall to get out get an address from the 201.201.201-NAT-POOL and the servers that I define with a 1-to-1 mapping use that address that I mapped?
Without having ASA for each Subnet, is there a way to use both of my Subnets on the Same ASA?
The ASA is configured as Follows:
interface Ethernet0/0
description 200 Network Outside IP
nameif outside-200
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface Ethernet0/1
description 201 Network Outside IP
nameif outside-201
security-level 0
ip address 201.201.201.2 255.255.255.0
!
interface Ethernet0/2
description inside
nameif inside
security-level 100
ip address 10.1.0.3 255.255.0.0
!
[...snip...]
object network 200.200.200-NAT-POOL
range 200.200.200.190 200.200.200.225
object network 201.201.201-NAT-POOL
range 201.201.201.50 201.201.201.239
[...snip...]
nat (inside,outside-200) source static 10.1.0.10 200.200.200.10
nat (inside,outside-200) source dynamic any 200.200.200-NAT-POOL interface
nat (inside,outside-201) source dynamic any 201.201.201-NAT-POOL interface
[...snip...]
object network 10.1.0.10
nat (inside,outside-200) static 200.200.200.10
[...snip...]
route hbg-outside-201 0.0.0.0 0.0.0.0 201.201.201.1 1
route hbg-outside-200 0.0.0.0 0.0.0.0 200.200.200.1 2
[...snip...]
Thanks!
01-22-2013 04:19 AM
Hi,
Are you saying that
Wouldn't this mean that without Policy Based Routing (PBR) on the LAN there would be a problem with which firewall (and therefore public IP address range/subnet) the users were going to use? For example, a connection from "outside" comes through the PIX using its public IP address range and Static NAT configurations, however the traffic routes from the LAN host to the ASA and again gets NATed to a different public IP address. Though I'd imagine this traffic wouldn't go through since the ASA wouldn't have seen the initial connection (unless you have avoided this with some kind of TCP state bypass configuration, which to my understanding is possible on an ASA).
Also when just looking at the firewall configuration. There is no real need to use separate interfaces for the public IP address ranges since they come from the same ISP. Though naturally I can't know what the complete setup is but commonly a situation like this would have an ISP managed router (with switch module) or L3 switch in front of the firewalls and they would have a single Vlan interface which would have both of the public IP address ranges configured under it. Other as the primary interface IP address and other with the parameter/keyword "secondary" after the network mask.
The firewalls' "outside" interface could be configured using a public IP address from either range. The other remaining public IP address range could be used for NAT on the firewalls as usual, even though they don't belong to the "outside" interface's configured subnet.
If the situation is actually so that ASA is the only device used at the moment then I would imagine that overlapping NAT rules or NAT rule order is causing strange behaviour with traffic. Static NAT though should pretty much override almost any other NAT rule in the new software (especially since you have configured it the above way. I'm not sure why the same Static NAT is configured twice though)
Can you confirm what the current setup is regards the LAN routing and firewalls in use?
Hopefully I made any sense
- Jouni
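As an added illustration of the overlapping-NAT point Jouni raises above (example code written for this page, not from either poster or from Cisco): a small Python checker that parses the posted ASA nat and route lines, using a constructed copy of that config, and flags the duplicate static for 10.1.0.10, the two "source dynamic any" rules on different outside interfaces, and the competing default routes. It handles only the few ASA syntax forms that appear on this page.

```python
import re
from collections import defaultdict
# Constructed sample: the NAT and route lines from the ASA config posted above.
ASA_CONFIG = """\
nat (inside,outside-200) source static 10.1.0.10 200.200.200.10
nat (inside,outside-200) source dynamic any 200.200.200-NAT-POOL interface
nat (inside,outside-201) source dynamic any 201.201.201-NAT-POOL interface
object network 10.1.0.10
 nat (inside,outside-200) static 200.200.200.10
route hbg-outside-201 0.0.0.0 0.0.0.0 201.201.201.1 1
route hbg-outside-200 0.0.0.0 0.0.0.0 200.200.200.1 2
"""
TWICE_NAT = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")
OBJ_NAT = re.compile(r"^\s*nat \((\S+),(\S+)\) static (\S+)")  # object NAT form
ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)")  # default routes

def audit_nat(config):
    findings = []
    statics = defaultdict(list)   # real host -> [(egress interface, mapped address)]
    dynamic_any = []              # egress interfaces carrying 'source dynamic any'
    default_routes = []           # (interface, gateway, metric)
    current_obj = None            # name of the 'object network' block being read
    for line in config.splitlines():
        if line.startswith("object network "):
            current_obj = line.split()[-1]
        m = TWICE_NAT.match(line)
        if m:
            _ingress, egress, kind, real, mapped = m.groups()
            if kind == "static":
                statics[real].append((egress, mapped))
            elif real == "any":
                dynamic_any.append(egress)
            continue
        m = OBJ_NAT.match(line)
        if m and current_obj:
            statics[current_obj].append((m.group(2), m.group(3)))
            continue
        m = ROUTE.match(line)
        if m:
            default_routes.append((m.group(1), m.group(2), int(m.group(3))))
    for real, entries in statics.items():
        if len(entries) > 1:
            findings.append(f"duplicate static NAT for {real}: {entries}")
    if len(set(dynamic_any)) > 1:
        findings.append(f"'source dynamic any' on multiple egress interfaces: {sorted(set(dynamic_any))}")
    ifaces = sorted({r[0] for r in default_routes})
    if len(ifaces) > 1:
        best = min(default_routes, key=lambda r: r[2])[0]
        findings.append(f"default routes via {ifaces}; lowest metric prefers {best}")
    return findings
```

Run against the sample it reports three findings; against a config with a single dynamic rule and no competing routes it returns an empty list.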
01-22-2013 10:29 AM
I believe I understand most of what you said. Yes, we do have an Edge Router; the Internal GE Port on it has two VLANs configured, one for the 200 Subnet and one for the 201 Subnet. It's connected to a L3 VLAN Switch that then pipes out the VLANs to untagged Ports which then connect to the two Firewalls. The PIX only has the 200 Subnet connected to it. The ASA has both the 200 and the 201 Subnet connected to it.
The Internal LAN has two L3 Switches that are set as Gateways. So 10.1.1.1 is set to have its default Gateway to the PIX and 10.1.1.2 is set to have its Default Gateway to the ASA. If the Server is Mapped with a 200 Address externally, then its Gateway is set to the 10.1.1.1 L3 Switch. Everything else is using 10.1.1.2 as its Default Gateway and is then mapped to a 201 External Address.
I want to get rid of the PIX and just have the one ASA. Though it seems like I cannot have the ASA allow me to have External Addresses from both Subnets.
If I change the route statements so the Metric is reversed and the 200 Subnet is Higher Metric, then All of the internal Clients get 200 External Addresses.
Does that make more sense?
Edge Router is Configured as Follows:
description Public IP Gateway to ComCast Fiber
no ip address
duplex full
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 204
ip address 200.200.200.1 255.255.255.0
no ip redirects
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 198
ip address 201.201.201.1 255.255.255.0
no ip redirects
!