04-16-2015 06:45 AM - edited 03-11-2019 10:47 PM
Hello all,
we have a little problem with our public subnets on our main Cisco ASA 5510.
The situation is the following:
We get 2 different subnets provided on the same Ethernet switch from our provider.
Just like:
- Subnet 1 11.11.11.0/28
- Subnet 2 22.22.22.0/28
Each subnet has its own provider gateway.
We currently use only the first subnet on our Cisco ASA5510. The ASA's interface IP is in this subnet, and we have a default route to the provider's gateway. We also use some more IPs from this first subnet to NAT them for webservers etc. to internal devices. All of this is working fine.
But now we have the situation that we must use the second subnet too on that same Cisco ASA for static NAT, because we have to add more Internet services.
I know that this was running for a little test in the past (2 years ago), but now it isn't any more. (I tried to configure a static network object rule for the internal IP and the firewall rules.)
When I configure a completely different device (for example another Cisco ASA5505) with the second subnet and plug it into the same "public" switch, the second subnet is working fine. So I know that we can use the second public subnet on that switch.
Does somebody have a solution for this? What is my fault? Will I need some more routes for this?
Thanks a lot.
Florian
04-17-2015 02:00 AM
Hi Florian,
Looking at the current topology, it would be important to understand the entry point of traffic destined for 22.22.22.0/28. If the traffic is coming in on the radio link, and since the network 22.22.22.0/28 is directly connected on your ISP router, the traffic will be attempted to pass through an ARP for 22.22.22.7. Since this host doesn't exist, no one is going to reply.
However, we can still make it work if the "simple switch" (radio link) connected to the two ASA 5510 is in the same VLAN as 11.11.11.0/28, but you would not like to configure it that way, because if traffic is coming to the ASA5510 for this network from the radio link it will not work.
So the question is how we can make traffic for 22.22.22.7 come from the fiber link. In this case it becomes complicated, because some traffic for 22.22.22.0/28 needs to come from fiber and some from radio.
In such a situation, I would rather have asked the ISP to decommission the radio link and use only the fiber link, and let traffic for both networks come from it. (There can be other solutions too, like working out with the ISP to break 22.22.22.0/28 into halves and distribute them across the two links, or making them configure specific routes with the ASA5510 IP address as next hop, etc.)
On the ASA the static NAT will prompt it to proxy ARP even for 22.22.22.0/28; you just need to make sure that "arp permit-nonconnected" is enabled if the ASA version is 8.4.5 or later.
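The configuration below is an added example, not something posted in the thread: it shows the single-outside-interface design this answer describes, with one static NAT mapped into the connected subnet and a second one mapped to an address from the non-connected 22.22.22.0/28, plus the `arp permit-nonconnected` knob that makes the ASA answer the ISP router's ARP for that address. The subnets are the thread's placeholders; the gateway 11.11.11.1, the inside addresses, interface names and ACL names are assumptions.

```cisco
! Added example (not from the thread). Assumed: ASA 9.x, outside gateway
! 11.11.11.1, inside hosts 192.168.10.10 and 192.168.10.20.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.240

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

! One default route via the subnet-1 gateway. Subnet 2 needs no route:
! the ASA never forwards *to* 22.22.22.0/28, it only answers ARP for it.
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1

! Existing server, mapped into the connected subnet 1 (works by default).
object network web1-inside
 host 192.168.10.10
 nat (inside,outside) static 11.11.11.7

! New server, mapped to an address from subnet 2. 22.22.22.0/28 is not on
! any ASA interface, so by default the ASA stays silent when the ISP router
! ARPs for 22.22.22.7 and inbound packets die there.
object network web2-inside
 host 192.168.10.20
 nat (inside,outside) static 22.22.22.7

! Allow the ASA to answer ARP for mapped addresses outside its connected
! subnets (global setting, off by default, available from 8.4(5)/9.0(2)).
arp permit-nonconnected

! Proxy ARP on "outside" must remain enabled or no static NAT is answered;
! in other words, do NOT configure:  sysopt noproxyarp outside

! Publish only the ports that are actually needed (ACLs use real addresses
! on 8.3+, hence the object references).
access-list outside_in extended permit tcp any object web1-inside eq 80
access-list outside_in extended permit tcp any object web2-inside eq 443
access-group outside_in in interface outside
```

To check the result: `show running-config arp` must list `arp permit-nonconnected`, `show nat detail` must show the 22.22.22.7 translation, and the provider's router (or any host on the shared switch) should now see the outside interface's MAC in its ARP table for 22.22.22.7 once traffic flows. Two caveats: the trick only works while the provider router for subnet 2 sits on the same layer-2 segment as the outside interface and does not filter ARP, which is exactly the point the answer above raises; and because the setting is global, the ASA will answer ARP for every mapped address on every interface, so keep the set of static NAT objects deliberate rather than generous.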
04-16-2015 07:25 AM
Hi Florian,
What is the software version on ASA5510?
There are two scenarios that you can try; however, only one is the correct and Cisco-suggested way.
1) You can use your second subnet on the same interface of the ASA with static NAT; however, in that case you cannot use the second ISP gateway, but you will need to pass traffic via the current ISP. So you will need to discuss with the second ISP to advertise their subnet from the current ISP. The ASA's proxy ARP feature will take care of your NAT portion.
This is because you cannot configure a secondary IP address on the ASA's interface.
2) You can configure a dual-ISP scenario. In this case you can use the track statement on your primary default route and use the secondary ISP gateway with some higher administrative distance.
However, the problem with this is that you can use your ISP2 only for inbound traffic for your static NAT statement. So if you don't have a static NAT this will not work; however, officially Cisco doesn't advise such a config.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html
Thanks
04-16-2015 10:50 PM
Hi all again! Thanks for all the answers!
I'm sorry for my late answer, but I'm writing from Germany.
I thought about all of your answers. A VLAN on the outside interface is not a good option, because I don't want to discuss this with my provider.
I made a little chart of my situation, because the two subnets are from the same ISP and not different lines.
@Pranay: Your first option seems a good idea and I think I want to do the same, but I don't know why this is not working, or could there be something wrong?
Thanks a lot again, and please have a look at my attached chart.
04-17-2015 02:48 AM
I think there is a misunderstanding here. The fiber and radio links are load-balanced by the provider automatically and completely transparent.
So the provider handles all this traffic internally himself. The subnets are completely (each one) available on every ISP router, so on my simple switches I can use each subnet; it is not relevant on which one I use it.
But I will test your last comment, because the ASA is running 9.1(4),
because I think the ASA doesn't accept the incoming ARP requests.
arp permit-nonconnected
Thanks for now.
04-17-2015 04:50 AM
Hello all,
I learned a lot new about this proxy ARP and about ARP in general.
Now I got it running for the first time; I think it was a solution with proxy ARP and perhaps the last command.
I also found another good solution on this page. It explains the arp permit-nonconnected command well:
http://www.tunnelsup.com/arping-for-non-connected-subnets-on-a-cisco-asa
I have to take a look at it over the next few days, because I hope this is not a temporary running solution.
Florian
04-16-2015 10:17 AM
You can try this.
You can set the switchport on the switch as a trunk. Then you can use VLAN subinterfaces on the ASA. Then you can have multiple routed interfaces using the VLANs on the switch. You can now have NAT statements for your new subinterfaces. This is the reason why it works with the 5505: because it uses VLAN virtual interfaces.
04-16-2015 10:25 AM
Hi Andre,
He is talking about two ISPs. How can he put specific routes coming from two ISPs on the ASA?
Even when we configure sub-interfaces, they will still be considered two separate interfaces, like ISP1 and ISP2 as nameif.
04-16-2015 10:40 AM
route outside1 11.11.11.0 255.255.255.240 <gateway>
route outside2 12.12.12.0 255.255.255.240 <gateway>
Can that perhaps work with one default gateway? I'm just thinking about the solution :-)
04-16-2015 10:42 AM
He said that it works with the 5505. Then it doesn't seem to be a default route problem.
04-16-2015 11:14 AM
route outside1 11.11.11.0 255.255.255.240 <gateway>
route outside2 12.12.12.0 255.255.255.240 <gateway>
These two statements mean routing out to these two subnets from the ASA.
While I guess these two networks have to be represented on an interface of the ASA.
This is what Florian has to say:
"But now we have that Situation that we must use the second subnet too on that same Cisco ASA for Static NAT, because we have to add more Internet Services."
04-16-2015 11:16 AM
Florian
One other possible alternative.
If you are using the new IPs just for static NAT, then you could use a second interface and use PBR to send traffic from the servers you are translating to the new IPs to the correct ISP, so traffic coming in and going out uses the correct ISP.
PBR support was added in version 9.4 and has just been released.
No idea how well it works, but it is an alternative if one ISP won't advertise the other's block to you.
Jon
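What Jon sketches, written out as an added example (not from the thread and not tested by anyone in it): a second outside interface addressed in 22.22.22.0/28, the new server translated on that interface, and an ASA 9.4+ policy-based route so that traffic the server itself initiates leaves via the subnet-2 gateway instead of following the default route. Replies to inbound connections already go back out the interface they arrived on, so PBR is only needed for the outbound-initiated direction. Gateways 11.11.11.1 and 22.22.22.1, the interface names, the inside host and the ACL/route-map names are assumptions; the example also assumes the provider presents each subnet on its own ASA port or VLAN, since two ASA interfaces sharing one flat broadcast domain is not a design to rely on.

```cisco
! Added example (not from the thread). Assumed: ASA 9.4 or later (PBR),
! gateways 11.11.11.1 / 22.22.22.1, inside host 192.168.10.20.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.240

interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 22.22.22.2 255.255.255.240

! Everything not policy-routed keeps using the subnet-1 gateway.
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1

! The mapped address is inside the subnet connected to outside2, so plain
! proxy ARP answers for it; no arp permit-nonconnected needed here.
object network web2-inside
 host 192.168.10.20
 nat (inside,outside2) static 22.22.22.7

! Match only the translated server; all other inside hosts follow the RIB.
access-list PBR-WEB2 extended permit ip host 192.168.10.20 any
route-map ISP2-OUT permit 10
 match ip address PBR-WEB2
 set ip next-hop 22.22.22.1

! PBR is applied on the interface where the server's packets enter the ASA.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map ISP2-OUT

! Publish only what the new service needs.
access-list outside2_in extended permit tcp any object web2-inside eq 443
access-group outside2_in in interface outside2
```

Verify with `show route-map ISP2-OUT` and `show running-config interface Ethernet0/1` that the route-map is attached, and with `packet-tracer input inside tcp 192.168.10.20 40000 8.8.8.8 443` that the egress interface reported is outside2 while the same trace from another inside host reports outside. The price of this design is a second outside interface to protect: its ACL should be as narrow as the first one, and the 9.4 requirement Jon mentions means it is not an option for an ASA still on 9.1.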