02-25-2015 02:45 PM - edited 03-11-2019 10:33 PM
We have two Class C public address subnets. We started with subnet (A) and have many of our Internet-accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 running 8.3(2) and started migrating the users and new servers to it, so I started with our second Class C subnet (B). Later on down the road I found out that if the firewall's default gateway is set to a (B) interface subnet, then the servers that are statically mapped to an (A) address will have a (B) address when they communicate out to the Internet. So they are receiving packets on their (A) address, though replying to them with a (B) address.
It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound.
So, for instance, I want the following: when the internal host replies, I want the reply to come from the mapped IP, not an IP from the dynamic pool.
Public IP: 192.168.1.100/24
Internal IP: 10.0.0.100/16
Public IP: 192.168.5.101/24
Internal IP: 10.0.0.101/16
interface Ethernet0/0
 description 192.168.1.0/24 Network Outside IP
 nameif outside-1
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 description 192.168.5.0/24 Network Outside IP
 nameif outside-5
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 description inside 10.0.0.0/16
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
object network serverA_o
 host 192.168.1.100
object network serverA_i
 host 10.0.0.100
object network serverB_o
 host 192.168.5.101
object network serverB_i
 host 10.0.0.101
object network 192-168-1-NAT-POOL
 range 192.168.1.50 192.168.1.239
!
nat (inside,outside-1) source static serverA_i serverA_o
nat (inside,outside-5) source static serverB_i serverB_o
nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
!
object network serverA_i
 nat (inside,outside-1) static serverA_o
object network serverB_i
 nat (inside,outside-5) static serverB_o
!
route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
When I set this up, my serverB shows a public IP of something in the 192-168-1-NAT-POOL, not 192.168.5.101.
Any Suggestions?
Thanks!
02-26-2015 05:42 AM
I'm not sure I follow.
Firstly, why have you got multiple entries for the same servers, e.g.:
nat (inside,outside-5) source static serverB_i serverB_o
and
object network serverB_i
nat (inside,outside-5) static serverB_o
As to why it is using the NAT pool: that is because your default route pushes all traffic via the outside-1 interface, and because serverB doesn't have a matching static statement for that interface it matches the NAT pool instead.
All traffic on your firewall will use outside-1 because that default route has the lower AD and so is the one in the routing table.
It can't use the other route because it won't be in its routing table.
You are using different next-hop IPs for the default routes. Does this mean they are different ISPs, or do you have a different next-hop router?
If it is the same ISP and the same next hop, you don't need to assign any 192.168.5.x IPs to interfaces; you can just use them in your NAT statements.
Can you clarify about the public IP blocks and the ISP(s) ?
Jon
02-26-2015 11:19 AM
Not sure why I have multiple entries. )-: I did think it was odd. I think it might be because I was looking at examples of the new and old styles of NAT.
We have a single ISP, though we have two separate, non-contiguous Class C address blocks from them. We host some servers on one subnet and some on the other.
I'm looking for a way to use both subnets on the same ASA.
The Connection to the net looks like this:
Internet -> Edge Router
    GE0/1.2 - 192.168.1.1 (VLAN tagged) --> GE0 (VLAN tagged) on Layer 3 VLAN switch
    GE0/1.2 - 192.168.5.1 (VLAN tagged) -^
Layer 3 VLAN switch
    GE1 192.168.1.0/24 (untagged) -> ASA outside-1
    GE2 192.168.5.0/24 (untagged) -> ASA outside-5
Firewall
    ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
02-26-2015 11:48 AM
You don't need to have two interfaces if it is the same ISP.
You have created two interfaces with VLAN tagging to the ISP router, but you only need one interface.
The new 192.168.5.x IPs you just use for NAT.
That way all traffic uses outside-1 as the interface, and you don't have this issue with two default routes.
If you are keeping your old IPs as well as the new ones, then it is even easier: just get the ISP to add a route on their router for the 192.168.5.x subnet pointing to your outside interface IP.
Jon
02-26-2015 01:33 PM
Thank you for your reply. Both subnets have publicly accessible services on them, so we need to be able to have access to both subnets.
The ASA (currently hosting the 192.168.1.x IPs) and the PIX (hosting the 192.168.5.x IPs) are only hosting a portion of the publicly accessible IPs in the two subnets. There are other physical devices on each of the subnets between the edge router and the ASA/PIX. So having the edge router carry a route to the ASA's outside interface for one of the subnets does not seem like an option.
Thank you,
02-26-2015 01:58 PM
Do these other devices need to be accessed from your internal networks using their public IPs?
You can leave the ISP router with an interface in both networks, but I still don't think your ASA needs one, and in fact you don't want it to, because of the two default routes.
If the ISP router has an interface in both networks, it will send an ARP request for any IP within those networks. Your ASA should respond for any IPs it has configured with static NAT, because it uses proxy ARP.
Jon
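A single-outside-interface version of the poster's configuration, along the lines Jon describes, as an added example that is not part of the thread or of any Cisco documentation. It keeps the poster's object names and addresses, drops the second outside interface and the second default route, and relies on the ASA proxy-ARPing for the 192.168.5.101 static on the one outside interface. Assumptions not in the thread: the ASA's outside address is 192.168.1.10 and the ISP router is 192.168.1.1 (the original post uses 192.168.1.1 for both); the ISP router keeps an address in both public networks on the same Layer 2 segment as the ASA's outside interface, so it ARPs for 192.168.5.x hosts there; and the published service is HTTPS on both servers.

```cisco
! Added example: one outside interface, one default route.
! Assumes the ISP router (192.168.1.1, assumed) has an address in both
! 192.168.1.0/24 and 192.168.5.0/24 on the segment this interface sits on,
! so it will ARP for 192.168.5.101 here and the ASA can answer via proxy ARP.
interface Ethernet0/0
 description Outside (192.168.1.0/24; 192.168.5.x mapped via static NAT + proxy ARP)
 nameif outside
 security-level 0
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
 description inside 10.0.0.0/16
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
object network serverA_i
 host 10.0.0.100
object network serverA_o
 host 192.168.1.100
object network serverB_i
 host 10.0.0.101
object network serverB_o
 host 192.168.5.101
object network 192-168-1-NAT-POOL
 range 192.168.1.50 192.168.1.239
object network inside-net
 subnet 10.0.0.0 255.255.0.0
!
! One static per server, both on the single outside interface.  A static
! is bidirectional: inbound to 192.168.5.101 reaches 10.0.0.101, and
! outbound from 10.0.0.101 is sourced from 192.168.5.101.  With both
! statics on the same interface there is no "wrong interface" case left
! for serverB to fall through to the pool.  Proxy ARP is on by default
! for static object NAT; do not add "no-proxy-arp" to these rules.
object network serverA_i
 nat (inside,outside) static serverA_o
object network serverB_i
 nat (inside,outside) static serverB_o
!
! Dynamic PAT for everything else.  As object NAT, the static host rules
! above are evaluated before this dynamic subnet rule, so the two servers
! never match the pool; "interface" is the fallback once the pool is full.
object network inside-net
 nat (inside,outside) dynamic 192-168-1-NAT-POOL interface
!
! Single default route; no second outside interface, no competing AD.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! 8.3+ ACLs reference the real (untranslated) addresses.  Assumed service: HTTPS.
access-list outside_in extended permit tcp any object serverA_i eq 443
access-list outside_in extended permit tcp any object serverB_i eq 443
access-group outside_in in interface outside
!
! Verification (exec mode).  The NAT phase of packet-tracer should name the
! serverB_i static and show a mapped source of 192.168.5.101, not a pool address:
!   packet-tracer input inside tcp 10.0.0.101 12345 203.0.113.10 443
!   show nat detail
!   show xlate
```

If the ISP router cannot keep an address in 192.168.5.0/24 on the ASA's segment, the alternative Jon raised still applies: have the ISP route 192.168.5.0/24 to the ASA's outside address instead of relying on ARP, though the poster notes other devices in that block sit outside the ASA, which rules that out for this network.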