new transit interface on firewall

suthomas1
Frequent Contributor

Hi All,

Below is the set-up. We're planning to implement the second firewall portion, which will connect to the ASA on the ASA's LAN interface.

internet == ASA == firewall 2 == LAN / Application servers

ASA interface configuration:

int e0/0 (outside) - connected to the internet, 202.95.64.21

int e0/1 (inside) - connected to a single server, 192.168.0.2 /24

int e0/2 (transit) - configured for connecting the second firewall, 192.168.1.11 /24

int e0/2 will connect to the second firewall. The second firewall will have IP 192.168.1.12 on its outside interface facing the ASA.

Now, the following are the requirements for server access:

1. Outbound - Server 10.58.82.10 connected in the LAN needs to access an internet destination 203.12.12.12 for an FTP service.

     But this destination 203.12.12.12 only recognises requests from IP 202.95.64.27 (which is an IP from our internet subnet).

2. Inbound - Destination 203.12.12.12 needs access to 10.58.82.12 for an SQL service on port 1510.

3. Outbound - Server 10.58.82.21 connected in the LAN needs to access internet destination 203.11.11.11 for an HTTP service.

   (There is no restriction on the public IP it uses for this need.)

Queries:

1. int e0/2 is only created as an interface to connect the ASA to the second firewall. Will this work fine?

2. We'll be using static statements: static (transit,outside) 203.12.12.12 10.58.82.10 to get requirement 1 working. Is this correct?

3. For requirement 2, how should it be configured?

4. How should requirement 3 be configured?

The ASA will have a route for the LAN 10.58.x.x network on the transit interface to 192.16.1.12, and the second firewall will have a default route to 192.168.1.11.

Will this work well for my requirement? Please suggest with inputs.

Thanks in advance.

Accepted Solution

Jennifer Halim
Cisco Employee

1. Yes, that is not a problem. You can configure e0/2 as a transit interface to the second firewall.

2. For requirement one, yes, you are correct if the server also accesses other destination IP addresses with the same NATed address, but your static NAT statement has an incorrect IP address.

It should be:

static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255

Or you can configure a NAT/global pair instead if that server only requires outbound access, not both:

access-list nat1 permit ip host 10.58.82.10 host 203.12.12.12

nat (transit) 10 access-list nat1

global (outside) 10 202.95.64.27 255.255.255.255

3. For requirement two, what public IP address do you want to use for the NAT? You can either use a spare if you like:

static (transit,outside) 202.95.64.2x 10.58.82.12 netmask 255.255.255.255

Then you would need to have an ACL configured on the outside interface to permit the traffic:

access-list outside_in extended permit tcp any host 202.95.64.2x eq 1510

Or, alternatively, you can also use the ASA outside interface IP:

static (transit,outside) tcp interface 1510 10.58.82.12 1510 netmask 255.255.255.255

And the ACL:

access-list outside_in extended permit tcp any interface outside eq 1510

4. For requirement three, you can just use the existing global that you already have configured on the ASA and configure a generic NAT statement for the whole 10.58.82.0/24 subnet:

nat (transit) 10.58.82.0 255.255.255.0

Or, if you want to be more specific:

nat (transit) 10.58.82.21 255.255.255.255

Hope the above helps.
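As an added illustration (not part of the answer above or any Cisco tool), the script below models how a pre-8.3 ASA picks the translation for an outbound transit-to-outside flow, in the order static NAT, then policy NAT (nat with access-list), then regular dynamic NAT, and applies it to the configs in this thread. It also flags the mistake in the original post: a static whose mapped address is not in the outside subnet. Assumptions: the outside subnet is 202.95.64.0/24, and nat id 1 with `global (outside) 1 interface` stands in for the "existing global" the answer refers to.

```python
import ipaddress
OUTSIDE_NET = ipaddress.ip_network("202.95.64.0/24")   # assumed mask of the outside subnet
OUTSIDE_IP = "202.95.64.21"                            # ASA e0/0 address from the thread

def parse_nat_config(text):
    """Parse the pre-8.3 static / access-list / nat / global lines used in this thread."""
    cfg = {"static": {}, "acl": {}, "policy": {}, "dynamic": [], "global": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "static":              # static (real_if,mapped_if) MAPPED REAL netmask ...
            cfg["static"][t[3]] = t[2]
        elif t[0] == "access-list":       # access-list NAME permit ip host SRC host DST
            cfg["acl"].setdefault(t[1], []).append((t[5], t[7]))
        elif t[0] == "nat" and "access-list" in t:   # nat (if) ID access-list NAME  (policy NAT)
            cfg["policy"][t[2]] = t[4]
        elif t[0] == "nat":               # nat (if) ID NETWORK MASK  (regular dynamic NAT)
            cfg["dynamic"].append((t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[0] == "global":            # global (if) ID MAPPED | interface
            cfg["global"][t[2]] = OUTSIDE_IP if t[3] == "interface" else t[3]
    return cfg

def translate(cfg, src, dst):
    """Pick the translation for an outbound flow: static first, then policy, then dynamic."""
    if src in cfg["static"]:
        return "static", cfg["static"][src]
    for nat_id, acl in cfg["policy"].items():
        if (src, dst) in cfg["acl"].get(acl, []):
            return "policy", cfg["global"][nat_id]
    for nat_id, net in cfg["dynamic"]:
        if ipaddress.ip_address(src) in net:
            return "dynamic", cfg["global"][nat_id]
    return None, None                     # no rule: untranslated (or dropped with nat-control)

def bad_statics(cfg):
    """Mapped addresses outside the outside subnet, i.e. the mistake in the original static."""
    return [m for m in cfg["static"].values() if ipaddress.ip_address(m) not in OUTSIDE_NET]

# Constructed configs: the answer's lines plus an assumed nat id 1 for the "existing global".
STATIC_CFG = """
static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255
nat (transit) 1 10.58.82.0 255.255.255.0
global (outside) 1 interface
"""
POLICY_CFG = """
access-list nat1 permit ip host 10.58.82.10 host 203.12.12.12
nat (transit) 10 access-list nat1
global (outside) 10 202.95.64.27 255.255.255.255
"""
ORIGINAL_CFG = "static (transit,outside) 203.12.12.12 10.58.82.10 netmask 255.255.255.255"
```

With POLICY_CFG alone, 10.58.82.10 is translated to 202.95.64.27 only when talking to 203.12.12.12, which is the "outbound only, this destination only" case the answer distinguishes from the static.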

Thank you. Do we need to configure any access list or anything for the transit interface, based on the requirements above for the flow?

The transit interface has security level 90, outside has 1 and inside is 100 currently.

thanks in advance!

If you haven't configured any ACL on the transit interface, then no, you don't need any ACL.

But if you already have an existing ACL, then yes, you would need to add ACL entries on the transit interface for outbound access.

For requirement 1:

access-list transit_in extended permit tcp host 10.58.82.10 host 203.12.12.12 eq 21

For requirement 3:

access-list transit_in extended permit tcp host 10.58.82.21 host 203.11.11.11 eq 80

Thanks Jennifer.

We tested this traffic.

The HTTP service outbound from 10.58.82.21 to 203.11.11.11 is accessible and fine.

However, the outbound from 10.58.82.10 to 203.12.12.12 on the FTP service is not working.

I can see the traffic reaching the ASA based on the topology. The flags show me saA in the connection table.

Since destination 203.12.12.12 will only recognise requests coming from 202.95.64.27, the static configuration below was put in place:

static (transit,outside) 202.95.64.27 10.58.82.10 netmask 255.255.255.255

Even after this, the traffic for 203.12.12.12 is not working via the ASA. The service on that destination is active, as we have verified this without the ASA.

Please help. Thanks.

The saA flag means that it is waiting for the SYN-ACK from the outside host (server).

You can run packet-tracer to see if it's passing through the ASA fine. I would check with the end host to see if it is seeing the SYN packet, or if it's responding at all.
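To make that diagnosis repeatable, here is an added example (not from the thread or from Cisco) that parses `show conn` lines, decodes the TCP flag letters and classifies each connection's handshake stage, so a stuck saA entry like the one above reads as "SYN forwarded, no SYN-ACK back yet" rather than as a NAT failure. The sample output is constructed, not the poster's real conn table.

```python
import re

# Subset of the TCP connection flags documented for "show conn"
FLAGS = {
    "s": "awaiting outside SYN-ACK", "S": "awaiting inside SYN-ACK",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside", "U": "up",
    "I": "inbound data", "O": "outbound data",
    "f": "inside FIN", "F": "outside FIN",
    "r": "inside acknowledged FIN", "R": "outside acknowledged FIN",
}

CONN_RE = re.compile(
    r"^TCP (?P<out_if>\S+) (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"(?P<in_if>\S+) (?P<in_ip>[\d.]+):(?P<in_port>\d+), "
    r"idle (?P<idle>\S+), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

def decode_flags(flags):
    return [FLAGS.get(ch, f"unknown flag {ch!r}") for ch in flags]

def handshake_stage(flags):
    """Classify where the TCP handshake stands, from the flag letters alone."""
    if "U" in flags:
        return "established"
    if "s" in flags:   # inside SYN was forwarded; ASA still waits for the outside SYN-ACK
        return ("embryonic outbound: SYN forwarded, no SYN-ACK from outside yet "
                "(check the return path or whether the destination answers)")
    if "S" in flags or "B" in flags:
        return "embryonic inbound: outside SYN seen, no SYN-ACK from inside yet"
    return "unknown"

def triage(show_conn_output):
    """Parse show conn lines into dicts with decoded flags and a handshake stage."""
    rows = []
    for line in show_conn_output.strip().splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue          # skip headers or lines in a format we do not model
        row = m.groupdict()
        row["decoded"] = decode_flags(row["flags"])
        row["stage"] = handshake_stage(row["flags"])
        rows.append(row)
    return rows

# Constructed sample output with the thread's two flows: the stuck FTP one and the working HTTP one
SAMPLE = """
TCP outside 203.12.12.12:21 transit 10.58.82.10:52310, idle 0:00:07, bytes 0, flags saA
TCP outside 203.11.11.11:80 transit 10.58.82.21:41002, idle 0:00:01, bytes 5120, flags UIO
"""
```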
