Two Provider Subnets on same Interface/VLAN Cisco ASA - how to use second subnet for NAT?

Florian Ostkamp
Beginner

Hello all,

we have a little problem with our public subnets on our main Cisco ASA 5510.

The situation is as follows:

We get two different subnets provided on the same Ethernet switch from our provider.

Just like:

- Subnet 1: 11.11.11.0/28
- Subnet 2: 22.22.22.0/28

Each subnet has its own provider gateway.

We actually use only the first subnet on our Cisco ASA 5510. The interface IP of the ASA is in this subnet and we have a default route to the provider's gateway. We also use some more IPs from this first subnet to NAT them to internal devices for web servers etc. All of this is working fine.

But now we are in the situation that we must use the second subnet too, on that same Cisco ASA, for static NAT, because we have to add more Internet services.

I know that this was running for a little test in the past (2 years ago), but now it isn't any more. (I tried to configure a static network object rule for the internal IP and the firewall rules.)

When I configure a completely different device (for example another Cisco ASA 5505) with the second subnet and plug it into the same "public" switch, the second subnet is working fine. So I know that we can use the second public subnet on that switch.

Does somebody have a solution for this? What am I doing wrong? Will I need some more routes for this?

Thanks a lot.

Florian

11 Replies

Pranay Prasoon
Participant

Hi Florian,

What is the software version on the ASA5510?

There are two scenarios that you can try; however, only one is correct and Cisco's suggested way.

1) You can use your second subnet on the same interface of the ASA with static NAT; however, in that case you cannot use the second ISP's gateway but will need to pass traffic over the current ISP. So you will need to discuss with the second ISP to advertise their subnet from the current ISP. The ASA's proxy ARP feature will take care of your NAT portion.

This is because you cannot configure a secondary IP address on the ASA's interface.

2) You can configure a dual ISP scenario. In this case you can use the track statement on your primary default route and use the secondary ISP gateway with a higher administrative distance.

However, the problem with this is that you can use your ISP2 only for inbound traffic to your static NAT statement. So if you don't have a static NAT this will not work; however, officially Cisco doesn't advise such a config.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html

Thanks

Hi all again! Thanks for all the answers!

I'm sorry for my late answer, but I'm writing from Germany.

I thought about all of your answers. A VLAN on the outside interface is not a good option, because I don't want to discuss this with my provider.

I made a little chart of my situation, because the two subnets are from the same ISP and not different lines.

@Pranay: Your first option seems a good idea and I think I want to do the same, but I don't know why this is not working, or could there be something wrong?

Thanks a lot again and please have a look at my attached chart.

Hi Florian,

Looking at the current topology, it would be important to understand the entry point of traffic destined for 22.22.22.0/28. If the traffic is coming in on the radio link, and since the network 22.22.22.0/28 is directly connected on your ISP router, traffic will be attempted to pass through an ARP for 22.22.22.7. Since this host doesn't exist, no one is going to reply.

However, we can still make it work if the "simple switch" (radio link) connected to the two ASA 5510s is in the same VLAN as 11.11.11.0/28, but you would not like to configure it that way, because traffic coming to the ASA5510 for this network from the radio link will not work.

So the question is how we can make traffic for 22.22.22.7 come from the fiber link. In this case it becomes complicated because some traffic for 22.22.22.0/28 needs to come from fiber and some from radio.

In such a situation, I would rather have asked my ISP to decommission the radio link and use only the fiber link, and let traffic for both networks come from it. (There can be other solutions too, like working out with the ISP to break 22.22.22.0/28 into two halves and distribute them across the two links, or making them configure specific routes with the ASA5510 IP address as next hop, etc.)

On the ASA the static NAT will prompt it to proxy ARP even for 22.22.22.0/28; you just need to make sure that "arp permit-nonconnected" is enabled if the ASA version is 8.4.5 or later.
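
An added example, not from this thread, of the ASA 9.1 configuration the answer above describes: the outside interface in 11.11.11.0/28, one default route, a static NAT for 22.22.22.7 from the non-connected second subnet, and arp permit-nonconnected so the ASA answers the provider's ARP for it. The interface name, the 11.11.11.2 and 11.11.11.1 addresses, the internal host 192.168.1.10 and the object and ACL names are assumed values.

```cisco
! Outside interface sits in the first subnet (addresses assumed, not from the thread)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.240
!
! Single default route via the first subnet's provider gateway (assumed address).
! Replies for 22.22.22.7 leave through this gateway, so the provider must accept that path.
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
!
! Static NAT: internal server (assumed) is reachable as 22.22.22.7, an address
! that is NOT in the outside interface's connected subnet
object network WEB2-INSIDE
 host 192.168.1.10
 nat (inside,outside) static 22.22.22.7
!
! From 8.4(5) the ASA no longer proxy-ARPs for mapped addresses outside its
! connected subnets; without this line the provider gateway's ARP for
! 22.22.22.7 goes unanswered and the NAT never sees a packet
arp permit-nonconnected
!
! Inbound traffic still needs an explicit permit; with 8.3+ NAT the ACL
! references the real (untranslated) address via the object
access-list OUTSIDE_IN extended permit tcp any object WEB2-INSIDE eq 443
access-group OUTSIDE_IN in interface outside
```

Running `packet-tracer input outside tcp 203.0.113.5 12345 22.22.22.7 443` (source is a constructed documentation address) shows whether the NAT and ACL phases pass, and since arp permit-nonconnected makes the ASA answer ARP for any static NAT mapped address, connected or not, review `show nat` for stray static entries before enabling it.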

I think there is a misunderstanding here. The fiber and radio link are load-balanced by the provider automatically and completely transparently.

So the provider handles all this traffic internally. The subnets are completely available (each one) on every ISP router, so on my simple switches I can use each subnet; it is not relevant on which one I would use it.

But I will test your last comment, because the ASA is running 9.1(4).

I think the ASA doesn't accept the incoming ARP requests.

arp permit-nonconnected

Thanks for now.

Hello all,

I learned a lot that was new to me about Proxy ARP and ARP in general.

Now I have it running for the first time; I think the solution was Proxy ARP and perhaps the last command.

I also found another good explanation on this page. It explains the arp permit-nonconnected command well:

http://www.tunnelsup.com/arping-for-non-connected-subnets-on-a-cisco-asa

I have to keep an eye on it for the next few days, because I hope this is not just a temporarily working solution.

Florian

Andre Neethling
Enthusiast

You can try this.

You can set the switchport on the switch as a trunk. Then you can use VLAN subinterfaces on the ASA. Then you can have multiple routed interfaces using the VLANs on the switch. You can now have NAT statements for your new subinterfaces. This is the reason why it works with the 5505: it uses VLAN virtual interfaces.

Hi Andre,

He is talking about two ISPs. How can he put specific routes coming from two ISPs on the ASA?

Even when we configure sub-interfaces, they will still be considered two separate interfaces, like ISP1 and ISP2 as nameif.

route outside1 11.11.11.0 255.255.255.240 <gateway>
route outside2 12.12.12.0 255.255.255.240 <gateway>

Can that perhaps work with 1 default gateway? I'm just thinking about the solution :-)

He said that it works with the 5505. Then it doesn't seem to be a default route problem.

route outside1 11.11.11.0 255.255.255.240 <gateway>
route outside2 12.12.12.0 255.255.255.240 <gateway>

These two statements mean routing out to these two subnets from the ASA.

Whereas, I guess, these two networks have to be represented on an interface of the ASA.

This is what Florian has to say:

"But now we have that Situation that we must use the second subnet too on that same Cisco ASA for Static NAT, because we have to add more Internet Services."

Jon Marshall
VIP Community Legend

Florian

One other possible alternative.

If you are using the new IPs just for static NAT, then you could use a second interface and use PBR to send traffic from the servers you are translating to the new IPs to the correct ISP, so traffic coming in and going out uses the correct ISP.

PBR support was added in version 9.4, which has just been released.

No idea how well it works, but it is an alternative if one ISP won't advertise the other's block to you.

Jon
