Hello everyone, thank you for taking the time to read this. I am the lucky owner of a Cisco ASA 5520 that I got for my home network on my birthday. I'm pretty green when it comes to this stuff so please forgive me if I am making a rookie mistake.
What I am trying to do seemed like it should be theoretically possible in my head, but I can't for the life of me get it to work. Let me try and describe what I am trying to do.
Topology:
ASA 5520:
- g0/0 - Verizon uplink
- g0/1 - Trunk from Catalyst for 3 VLANs
- g0/1.10 - Inside VLAN
- g0/1.11 - Malware analysis VLAN
- g0/1.12 - Blockchain/mining VLAN
- g0/2 - ExpressVPN uplink
- g0/3 - Unused
Catalyst 3560G:
- g0/1-g0/16 VLAN 10
- g0/17-g0/32 VLAN 11
- g0/33-g0/47 VLAN 12
- g0/48 Trunks all VLANs to ASA g0/1
Nutshell version: I have a Verizon Fios (outside) uplink in g0/0 and an ExpressVPN (expressvpn) uplink on g0/2. I am trying to NAT my inside subnet out g0/0 and my malware analysis and blockchain subnets out g0/2.
Everything works fine if I NAT the subnets to the g0/0 (outside) interface, but it will not work if I try and NAT any of the subnets out g0/2 (expressvpn).
In the name of full disclosure, I am doing some hokey stuff with the ExpressVPN link. That link comes from a Linksys WRT3200ACM that has a 24/7 VPN tunnel running to ExpressVPN, and anything that connects to its inside network is tunneled over the VPN.
The stupid part is I don't have two internet connections. I'm actually connecting the Linksys' WAN to the inside VLAN, and it's being sent out g0/0 (Verizon) for the establishment of the VPN tunnel; then I'm connecting the ASA's g0/2 to its inside network so it goes out of the VPN tunnel.
You can yell at me, I know this is some stupid hackery, but it works. Rather, worked until I tried to duplicate the behavior with the ASA.
I've included what I think are the relevant portions of my running-config. So, if you haven't bought a plane ticket to come punch me in the face yet, do you see what I'm doing wrong?
Thank you in advance!
object network inside
subnet 10.10.10.0 255.255.255.0
description Internal subnet
object network malware
subnet 10.10.11.0 255.255.255.0
description Malware analysis subnet
object network mining
subnet 10.10.12.0 255.255.255.0
description Blockchain subnet
!
interface GigabitEthernet0/0
description Verizon Fios uplink
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
description Internal network
vlan 10
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
description Malware network
vlan 11
nameif malware
security-level 80
ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
description Blockchain network
vlan 12
nameif mining
security-level 90
ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet0/2
description ExpressVPN uplink
nameif expressvpn
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
object network inside
nat (inside,outside) dynamic interface
object network malware
nat (malware,expressvpn) dynamic interface
object network mining
nat (mining,expressvpn) dynamic interface
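As an added example (not part of the original post, and not Cisco tooling), a small Python checker over the quoted config that flags the two things worth verifying first: more than one interface configured with `setroute`, and object-NAT rules whose mapped interface is not the one the default route actually points at. It assumes, as the symptoms in the post suggest, that only the outside default route is installed and that object (auto) NAT leaves egress-interface selection to the route lookup.

```python
import re

# Constructed sample: the relevant lines of the running-config quoted above.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address dhcp setroute
interface GigabitEthernet0/2
 nameif expressvpn
 ip address dhcp setroute
object network inside
 nat (inside,outside) dynamic interface
object network malware
 nat (malware,expressvpn) dynamic interface
object network mining
 nat (mining,expressvpn) dynamic interface
"""

def parse(config):
    """Return ({nameif: has_setroute}, [(real_if, mapped_if), ...])."""
    setroute, nat_rules, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            setroute[current] = False
        elif line.startswith("ip address") and "setroute" in line and current:
            setroute[current] = True
        elif (m := re.match(r"nat \((\S+),(\S+)\) dynamic", line)):
            nat_rules.append((m.group(1), m.group(2)))
    return setroute, nat_rules

def check(config):
    setroute, nat_rules = parse(config)
    default_ifs = [n for n, s in setroute.items() if s]
    findings = []
    if len(default_ifs) > 1:
        findings.append(f"multiple setroute interfaces {default_ifs}: only one default route is used")
    # Assumption: the first setroute interface (outside) holds the active default route,
    # and object NAT does not pick the egress interface; the route lookup does.
    active = default_ifs[0] if default_ifs else None
    for real, mapped in nat_rules:
        if mapped != active:
            findings.append(f"nat ({real},{mapped}): route lookup sends traffic out {active}, rule never matches")
    return findings
```

Running `check(ASA_CONFIG)` reports the duplicate `setroute` plus the two expressvpn rules that the route lookup never reaches.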