05-04-2010 02:55 AM - edited 03-11-2019 10:40 AM
Hello guys.
I have an ASA5510 Sec Plus.
I'm new to Cisco.
WAN IP: 77.68.136.96 - 77.68.136.102
Is it possible to send traffic from internal host like: 192.168.10.31 out through another WAN ip than the one bound to interface "outside" ?
I tried it with this command:
nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
and so on
But it doesn't seem to work.. actually the hosts cannot access the internet at all.. outside interface level 0, dmz interface level 90, so there's no need to make an access-list from DMZ to outside, right?
05-04-2010 02:59 AM
Definitely can. What you have configured is correct.
Just have to make sure that proxy arp is enabled on the outside interface.
Just check: "sh run sysopt" output, if you don't see "sysopt noproxyarp outside" command, that means proxy arp is enabled.
Also perform "clear xlate" after you configure the NAT/Global pair statements.
If you have no access-list assigned to the DMZ interface, traffic from DMZ to outside will be allowed by default. If you have configured an access-list on the DMZ interface, you would need to explicitly allow traffic from DMZ to outside.
05-04-2010 03:06 AM
Okay, so why should proxy arp be enabled ?
Thanks
05-04-2010 03:11 AM
Because those are virtual ip addresses that are not assigned to any interfaces, therefore it needs to have ARP resolution, and it would resolve to the ASA outside interface mac address when proxy arp is enabled so the router in front of the ASA can reach it.
05-04-2010 03:34 AM
05-04-2010 03:41 AM
OK, first of all, you can't use overlapping public ip addresses for both a static statement and a global statement.
As per your config, for example: 77.68.136.97 has been used on a static port address redirection statement, so you can't use 77.68.136.97 for your global statement.
---> so use a unique public ip address for your global statement.
Secondly, from the config, it seems that you have a lot of NAT statements. Traffic matches the NAT statement from top to bottom, not the longest ip address/subnet matches. If you do "sh run nat", you would see the list of NAT statement, and the order of how you configure it on the ASA would be the first match.
05-04-2010 03:51 AM
The reason why I have a lot of nat statements is because I have a lot of servers on the DMZ which have different WAN IPs applied to them, and therefore port 25 traffic to ip .98 is forwarded to the host that the .98 ip is attached to, the same with the .99 ip and so on.
Maybe there is a better way to handle this?
We are a small hosting provider and we host terminal servers and exchange servers, and each customer has its own virtual server and WAN ip. You get the point...
05-04-2010 04:13 AM
Yes, I understand what you are trying to achieve.
However, on ASA, public ip that has been assigned to static statement, can not be assigned to the global statement. They can't overlap.
And in regards to the NAT statements, as mentioned earlier, it works top to bottom. So if you have the following list for example ("sh run nat" order - order as you configured the nat statements):
nat (dmz) 100 192.168.10.0 255.255.255.0
nat (dmz) 2 192.168.10.31 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
If traffic is sourced from 192.168.10.31 for example, it will match the first nat statement instead of the second nat statement because nat is matched from top to bottom, ie: it will match line 1 first - "nat (dmz) 100 192.168.10.0 255.255.255.0".
If you would like traffic to match the second nat statement for traffic sourcing from 192.168.10.31, then you would need to remove the first line and reapply the first line, because when you remove the nat and reapply the line, it will be added to the bottom of the NAT list.
For example: if you remove "nat (dmz) 100 192.168.10.0 255.255.255.0", and reapply the same statement, the order from the above list will be as follows:
nat (dmz) 2 192.168.10.31 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 100 192.168.10.0 255.255.255.0
Then traffic sourcing from 192.168.10.31 will now match the first line "nat (dmz) 2 192.168.10.31 255.255.255.255"
05-04-2010 05:13 AM
Ok, I see.
May I return when I have fixed my conf? So you can read it before I apply it and take down our old router?
05-04-2010 05:20 AM
Sure.
05-04-2010 07:09 AM
05-07-2010 12:42 AM
Hey - did you have the time to verify my conf is correct ?
Regards, Mikkel
05-07-2010 02:16 AM
To start with, you don't need these 2 route statements:
route inside 192.168.0.0 255.255.255.0 192.168.0.1
route dmz 192.168.10.0 255.255.255.0 192.168.10.1
For the NAT statements, please send the output of the following:
sh run nat
sh run static
sh run global
As mentioned, the order needs to be as how you enter the NAT line into the configuration, therefore the output of the above will show.
And please also confirm that you are trying to achieve the following as per your original post:
nat (dmz) 2 192.168.10.31 255.255.255.255
global (outside) 2 77.68.136.97 netmask 255.255.255.255
nat (dmz) 3 192.168.10.40 255.255.255.255
nat (dmz) 3 192.168.10.41 255.255.255.255
global (outside) 3 77.68.136.98 netmask 255.255.255.255
05-17-2010 05:00 AM
Alright, I'm back.
I'm trying to apply my config, but it fails in different places.
First:
(trying to send everything else that does not match rules out through wan interface)
nat (dmz) 100 192.168.10.0 255.255.255.0
global (outside) 100 interface
ERROR: global for this range already exists
Second:
ciscoasa(config)# static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 ne$
ciscoasa(config)# static (dmz,outside) tcp 77.68.136.33 25 192.168.10.34 25 ne$
ERROR: duplicate of existing static
TCP DMZ:192.168.10.34/25 to outside:77.68.136.32/25 netmask 255.255.255.255
Why am I receiving that error? It occurs after the first static rule is applied. I'm trying to send traffic from different WAN IPs (port 25) into our spam gateway..
Best regards, Mikkel
05-17-2010 05:21 AM
Yes, you already have "global (outside) 1 interface", so you can't configure two global statements to use the same ip address (interface). Hence you are getting the error when applying "global (outside) 100 interface"
For the static statements, you can't configure static port address redirection for the same port (TCP/25) and same internal/private ip address.
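A small model of the two rules discussed in this thread (first-match ordering of pre-8.3 nat statements, and the global/static overlap and duplicate-global errors), written as an added example rather than anything from the thread or from Cisco. The config lines are constructed from the statements quoted above, and the conflict checks only cover the two errors the thread explains, not the ASA's full validation.

```python
import ipaddress

# Constructed sample, modelled on the statements quoted in the thread (pre-8.3 syntax).
NAT_LINES = [
    "nat (dmz) 100 192.168.10.0 255.255.255.0",
    "nat (dmz) 2 192.168.10.31 255.255.255.255",
    "nat (dmz) 3 192.168.10.40 255.255.255.255",
]
STATIC_LINES = [
    "static (dmz,outside) tcp 77.68.136.32 25 192.168.10.34 25 netmask 255.255.255.255",
    "static (dmz,outside) 77.68.136.97 192.168.10.31 netmask 255.255.255.255",
]
GLOBAL_LINES = [
    "global (outside) 1 interface",
    "global (outside) 2 77.68.136.97 netmask 255.255.255.255",
    "global (outside) 100 interface",
]

def match_nat(nat_lines, ifc, src_ip):
    """Return the nat ID a source on interface ifc hits: first match in entry
    order ('sh run nat' order), not longest prefix, as the thread describes."""
    ip = ipaddress.ip_address(src_ip)
    for line in nat_lines:
        p = line.split()
        net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        if p[1].strip("()") == ifc and ip in net:
            return int(p[2])
    return None

def readd(nat_lines, line):
    """'no nat ...' followed by re-entering the line appends it to the bottom."""
    return [l for l in nat_lines if l != line] + [line]

def static_public_ip(line):
    p = line.split()
    return p[3] if p[2] in ("tcp", "udp") else p[2]  # skip the protocol keyword

def global_conflicts(static_lines, global_lines):
    """Flag global statements the ASA would reject: a public IP already used by
    a static (they may not overlap) or an address/'interface' already used by
    another global ('global for this range already exists')."""
    used_by_static = {static_public_ip(s) for s in static_lines}
    seen, problems = set(), []
    for g in global_lines:
        target = g.split()[3]
        if target in used_by_static:
            problems.append(("overlaps static", g))
        elif target in seen:
            problems.append(("global for this range already exists", g))
        seen.add(target)
    return problems
```

Running match_nat before and after readd(NAT_LINES, NAT_LINES[0]) shows the /24 catch-all shadowing the host entry and then dropping to the bottom, which is the remove-and-reapply fix given above.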