cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
718
Views
0
Helpful
18
Replies

2 IP Blocks on Cisco ASA 5506

josua27176
Level 1
Level 1

Hello,

I am trying to setup two IP Blocks on my firewall. I had done two static routes both making them default aswell as the configuration here: https://gyazo.com/c9b79b758fddf76b88a37558a559823e As you can see the route is setup but the routes arent being established correctly both inbound and out. The NAT's are setup correctly here is a packet trace showing where i think the issue lies https://gyazo.com/4a5e58423614e503b2a6f19326efe77d as you can see under the route lookup its going to a gateway of .209 when the IP the NAT is set too is a .133 I don't what else to do I have tried many things thanks for your help!

Thanks,

Josh

18 Replies 18

Philip D'Ath
VIP Alumni
VIP Alumni

If the two blocks are being routed to your ASA, and you only plan to NAT from them to hosts inside, you should not be adding any static routes related to them.  You should just have a normal default route pointing to your next hop.

But they both have two different Gateways

So you have two different providers or two different circuits?

Our provider has both IP Blocks available on the one line

So how come there are two different default gateways then - one provider and one circuit?

I dont know I just know both of them have two different gateways.

> x.x.x.208 = Network

> x.x.86.209 = Router (Your GW)

> x.x.86.210 = VRRP Router 1

> x.x.86.211 = VRRP Router 2

^one Block

{} ['208.x.x.131/27']

> 208.x.x.128 = network

> 208.x.x.129 = gateway

> 208.x.x.130 = vrrp 1

> 208.x.x.131 = vrrp 2

This is going to make for quite a complicated configuration, as you have to use PBR (policy based routing) to make this work.

I'm not sure we can make this work using pure NAT either.  You might have to put one of the blocks onto a separate interface, not using NAT.

Can you ask your provider if they can just give you one bigger block with just one default gateway?  This will make the configuration much simpler for you.

Yes I can ask.

How would it work though if I can't.

You would define a default route pointing to the first default gateway for the first block, and then define a PBR for the second block to re-route traffic from the source of the second block to the second default gateway.

You need to be running very new software on the ASA to get this feature.

I have the latest software do you have a screen shot example on how it would be configured in the ASDM

I'm not sure in the ASDM.  In the CLI something like:

access-list new_block extended permit ip 208.x.x.128 255.255.255.224 any

route-map new_block permit 10
match ip address new_block
set ip next-hop 208.x.x.129

interface <outside interface>
policy-route route-map new_block

With this would I need 2 outside interfaces like two separate lines going in because I don't want the original IP's to be effected.

No you would only need one outside interface.

Review Cisco Networking for a $25 gift card