Using two External Subnets, One incoming one Outgoing?

stownsend
Level 2

I have two Public Subnets and I wanted to use one for incoming traffic to Public Facing Servers (DNS, Web, Mail, etc.) and then use the other for Outbound traffic from other devices within the network.

1.1.1.0/28 is the Incoming

2.2.2.0/28 is the Outgoing

This is a partial Config, though I have a few Questions,

Do I need:   nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface

For the Servers that are on the 1.1.1.0/28 network and Need to get to the net, the Default route is the 2.2.2.0/28 Subnet, though the Edge Router has Multiple Subinterfaces defined, so it handles both subnets. Is it going to slow things down by having the 2.2.2.0/28 default route with the lower metric? Is there a way to define a default route based on the Source Address?

When I do a show xlate some of the internal devices will sometimes have both a 1.1.1.0/28 and a 2.2.2.0/28 address, though when querying whatismyip.com it's always a 2.2.2.0/28 address unless it's a NATed Network Object.

Thanks!

interface Ethernet0/0
nameif outside-1
security-level 0
ip address 1.1.1.2 255.255.255.240
!
interface Ethernet0/1
nameif outside-2
security-level 0
ip address 2.2.2.2 255.255.255.240
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.1.0.1 255.255.0.0
!
nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface

object network server1_i
  nat (inside,outside-1) static server1_o
object network server2_i
  nat (inside,outside-1) static server2_o
object network server3_i
  nat (inside,outside-1) static server3_o

route hbg-outside-2 0.0.0.0 0.0.0.0 2.2.2.1 1

route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10

4 Replies

Panos Kampanakis
Cisco Employee

With

nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface

Any host behind the inside will be translated to the 1.1.1 pool (falling back to the outside1 interface IP) when going out the outside1 interface.

And when going out outside2, they will look like the 2.2.2 pool (falling back to the outside2 interface IP).

So, it all depends on routing. If routing says you will go out outside1 you will look like 1.1.1; if routing says outside2 is the interface you will go out on, then you will look like the other pool.

I hope it explains it.

PK

Sort of....

So since I have :

route hbg-outside-2 0.0.0.0 0.0.0.0 2.2.2.1 1

route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10

They will get the 2.2.2.0/28 address from nat (hbg-inside,hbg-outside-2) source dynamic any 2.2.2-NAT-POOL interface since that is the lower Metric Default Route.

If 2.2.2.1 is not accessible then they will get the 1.1.1.0/28 from nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface

Since 2.2.2.1 and 1.1.1.1 are the Same Physical Interface, if one goes down so will the other, so having the second route statement in there is kind of pointless.

I just want to be sure that I can have my Incoming servers with Static NAT mapping to the 1.1.1.0/28 subnet and have all of the outgoing devices use the 2.2.2.0/28 subnet for everything else.

The other thing that is confusing me is I have a Server with a Static Mapping:

object network 10.1.0.5
  nat (inside,outside-1) static 1.1.1.5

When I do a Show xlate I see the Following:

NAT from inside:10.1.0.5 to outside-1:1.1.1.5 flags s idle 0:00:03 timeout 0:00:00

NAT from hbg-inside:10.1.0.5 to outside-1:1.1.1.8 flags i idle 1:55:14 timeout 3:00:00
NAT from hbg-inside:10.1.0.5 to outside-2:2.2.2.7 flags i idle 1:55:14 timeout 3:00:00

So the First one is from the static Mapping, why are there 2 more? Why isn't it using the static mapping external IP? Why is it grabbing an IP from each pool?

Thanks,

The other two are probably old ones before the static. See that they are idle for 2 hours. They will timeout in 1h, or you can clear them.

Please mark this as answered if it is, for other users' future benefit.

Rgs,

PK

I'm not sure that is it. I've cleared the xlate many times and have rebooted, the static NAT has been there from the get go.

Here are two other entries in the xlate table, they are not Static. Why would they each have an address from both Subnets?

NAT from inside:10.1.0.8 to hbg-outside-1:1.1.1.194 flags i idle 0:27:51 timeout 3:00:00
NAT from inside:10.1.0.8 to hbg-outside-2:2.2.2.205 flags i idle 0:23:17 timeout 3:00:00

NAT from inside:10.1.0.6 to hbg-outside-1:1.1.1.191 flags i idle 0:27:52  timeout 3:00:00
NAT from inside:10.1.0.6 to hbg-outside-2:2.2.2.114 flags i idle 0:02:43  timeout 3:00:00

Do I need the following lines if the only machines with the 1.1.1.0/28 address are Static NAT?

nat (hbg-inside,hbg-outside-1) source dynamic any 1.1.1-NAT-POOL interface
route hbg-outside-1 0.0.0.0 0.0.0.0 1.1.1.1 10
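A small model of the lookup order PK describes (route first, then the NAT rule for that interface pair), run against the thread's own routes and NAT rules. This is an added example, not code from the thread or from Cisco; it assumes the ASA 8.3+ rule order in which section 1 manual (twice) NAT is checked before section 2 object (auto) NAT, and uses the nameif values inside/outside-1/outside-2 from the posted config.

```python
import ipaddress

# Constructed from the two "route" lines in the thread: (egress nameif, prefix, admin distance).
ROUTES = [
    ("outside-2", "0.0.0.0/0", 1),
    ("outside-1", "0.0.0.0/0", 10),
]

# Constructed from the posted NAT lines. Section 1 = manual "nat (in,out) source dynamic ...",
# section 2 = "object network" static. ASA evaluates section 1 before section 2 (assumed here).
NAT_RULES = [
    {"section": 1, "ifc": ("inside", "outside-1"), "src": "0.0.0.0/0", "kind": "dynamic", "mapped": "1.1.1-NAT-POOL"},
    {"section": 1, "ifc": ("inside", "outside-2"), "src": "0.0.0.0/0", "kind": "dynamic", "mapped": "2.2.2-NAT-POOL"},
    {"section": 2, "ifc": ("inside", "outside-1"), "src": "10.1.0.5/32", "kind": "static", "mapped": "1.1.1.5"},
]


def egress_interface(dst, routes=ROUTES, down=()):
    """Longest-prefix match, ties broken by lowest administrative distance.
    Interfaces listed in `down` are skipped, modelling the floating static taking over."""
    candidates = []
    for ifc, prefix, distance in routes:
        net = ipaddress.ip_network(prefix)
        if ifc not in down and ipaddress.ip_address(dst) in net:
            candidates.append((net.prefixlen, -distance, ifc))
    return max(candidates)[2] if candidates else None


def translate(src, dst, ingress="inside", rules=NAT_RULES, routes=ROUTES, down=()):
    """Outbound flow: pick the egress interface by routing, then the first NAT rule
    (in section order) whose interface pair and source match. Returns
    (egress nameif, rule kind, mapped address or pool)."""
    egress = egress_interface(dst, routes, down)
    for rule in sorted(rules, key=lambda r: r["section"]):
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
        if rule["ifc"] == (ingress, egress) and in_src:
            return egress, rule["kind"], rule["mapped"]
    return egress, "none", src


def without_section1_outside1(rules=NAT_RULES):
    """The rule set with the manual dynamic (inside,outside-1) line removed, as the
    last question in the thread proposes."""
    return [r for r in rules if not (r["section"] == 1 and r["ifc"] == ("inside", "outside-1"))]
```

With the outside-2 default route preferred, 10.1.0.5 leaves via outside-2 under the 2.2.2 pool regardless of its static; when outside-2 is unavailable it leaves via outside-1, where the section 1 "any" dynamic rule matches before the object static, and only removing that manual line lets the static 1.1.1.5 apply to the server's outbound traffic.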
