Cisco ASA Bridge interface

nickwenos
Level 1

I have an internet connection with a block of 5 static IPs.

I have an ASA5505 connected directly to the modem.  I assigned the first usable IP to my WAN port; the other 4 I use to NAT/PAT traffic to inside services (email, RDP, etc.).  I have the typical NAT and firewall setup in place. The LAN port on my ASA connects directly to my switch.  My LAN IP is 192.168.0.1

I am switching to a new internet connection, I still require 5 static IPs but I am being assigned a new block.

My ISP provided me with 2 sets of IPs, one they labeled WAN, the other they labeled LAN.  Both are public IPs, for example

WAN

IP: 123.123.123.100

subnet: 255.255.255.252

Gateway: 123.123.123.99

LAN:

IP: 124.124.124.100 - 104

Subnet: 255.255.255.252

Gateway:  124.124.124.99

I configured my ASA with the WAN IP (123.123.123.100) and was able to access the internet.  However, I don't know how I can use the LAN IPs.  I was told that I need to set up a bridge or transparent bridge but I am unfamiliar with how to do this.  Can anyone tell me how or give an example?

6 Replies

Jan Rolny
Level 3

Hello Nick,

What the ISP probably means is transparent mode of your ASA. But this feature was only introduced in ASA version 8.4(1):

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to 8 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

Note: Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.

We introduced the following commands: interface bvi, bridge-group, show bridge-group

Please see this document and find "Configuring Bridge Groups"

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html

Best regards,

Jan

nickwenos
Level 1

I don't think I want transparent firewall. 

Thanks for the link but I don't really see how this helps me.

I'm not familiar with what this means: "If you do not want the overhead of security contexts, or want to maximize your use of security contexts", or how it even applies to what I need to do.

I was hoping that someone could provide me with an example of how to configure it.

If you are using NAT then it does not matter what you use on the LAN side of the firewall as the provider will have no visibility of this - you can use RFC 1918 private address space and hide it behind your public address. I don't know why your provider would call these WAN / LAN addresses - that makes no sense to me.

Are you sure they don't just mean that one address is meant for the firewall WAN interface and the other four can be used for virtual IPs?

nickwenos
Level 1

Let me try to explain differently; I found out more info from the ISP.

The ISP has a generic addressing scheme that is the model they use for all customers.  In some scenarios, the ISP has an IAD between their modem and our router.  In that scenario (using the same example IPs above), their IAD would get the IP address 123.123.123.100, then our ASA that sits behind their IAD would get the 124.124.124.100 address.

They only use the IAD when there are phone services on the line.  In our scenario, we don't have phone services, so they don't provide an IAD; instead our ASA would plug directly into their modem.

I think I could make this work if I got an additional router and assigned it the 123.123.123.100, then hooked the ASA to the new router and assigned 124.124.124.100 to the ASA.  However, I've been told that I can eliminate the extra router if I can assign the 123.123.123.100 & the 124.124.124.100 both to the ASA and have a bridge between the 2.  Then I will still use NAT and a private IP range for the LAN side.

Hello Nick,

I don't know what your ISP wants from you, but the usual design is that the ISP assigns you some IP range or one public IP, which you can assign to your OUTSIDE interface. Usually the default GW of your ASA will be configured to the next hop, which should be the IP of the ISP router. Then you can do whatever you want with your ASA. Assign an INSIDE IP range for your LAN; the ISP does not care what internal IPs are behind your ASA.

I do not know the meaning of the LAN IPs your ISP assigned to you.

Maybe the LAN IPs (from the ISP) are routed public IPs which you can use for NAT. So your ASA OUTSIDE interface will have the 123.123.123.100 address and your servers can have the 124.124.124.100 - 104 addresses, also public.

For example:

server1-192.168.1.10(your LAN) --> NAT 124.124.124.100(public)

server2-192.168.1.20(your LAN) --> NAT 124.124.124.101(public)

and so on...

Best Regards,

Jan
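An added configuration example, not posted by anyone in this thread, showing what Jan's static NAT mapping looks like on a routed-mode ASA 5505 with the thread's example addresses. It uses ASA 8.3/8.4 object NAT syntax; the inside server addresses (192.168.1.10 and .20), the services exposed on each (SMTP and RDP), the inside LAN 192.168.1.0/24 and the VLAN/switchport numbering are assumptions for illustration. The key point is that the 124.124.124.x block never needs to be configured on any ASA interface and no bridge is involved: as long as the ISP routes that block to 123.123.123.100, the ASA accepts packets for the mapped addresses because a NAT rule matches them.

```cisco
! --- Added example, not from the original thread (ASA 8.4 syntax) ---
! ASA 5505: physical ports are switchports, L3 lives on VLAN interfaces.
interface Ethernet0/0
 description to ISP modem (assumed port)
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.100 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route to the ISP gateway on the /30 "WAN" link
route outside 0.0.0.0 0.0.0.0 123.123.123.99 1
!
! One-to-one static NAT: inside server -> routed public "LAN" address.
! Mapped addresses are NOT on the outside subnet; that is fine, the ISP
! forwards the whole 124.124.124.x block to 123.123.123.100.
object network server1-inside
 host 192.168.1.10
 nat (inside,outside) static 124.124.124.100
!
object network server2-inside
 host 192.168.1.20
 nat (inside,outside) static 124.124.124.101
!
! Everything else on the LAN is PATed behind the outside interface address.
! Static object NAT rules are evaluated before dynamic ones, so the two
! servers above keep their dedicated public addresses.
object network lan-inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Since 8.3 the ACL applied to the outside interface matches the REAL
! (untranslated) addresses, so reference the inside objects, not 124.x.
! Permit only the services that are meant to be reachable.
access-list outside_in extended permit tcp any object server1-inside eq smtp
access-list outside_in extended permit tcp any object server2-inside eq 3389
access-group outside_in in interface outside
```

To check the mapping without sending real traffic, run `show nat detail` to confirm the two static rules sit above the dynamic PAT rule, then `packet-tracer input outside tcp 198.51.100.5 12345 124.124.124.100 25` (198.51.100.5 is a documentation address standing in for an arbitrary internet client); the trace should show the UN-NAT phase translating to 192.168.1.10 and the ACL phase permitting the flow. If the trace is dropped before UN-NAT, the block is not being delivered to the ASA at all, which points at the ISP's routing of the 124.x block rather than the ASA configuration.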

nickwenos
Level 1

Thanks for your time.

I am aware of how a "typical" setup would work with a static IP on the WAN and private IPs on the LAN with NAT.  If that's all it was, I wouldn't be asking this question.

You are correct that both sets of IPs from the ISP are routed public IPs, but it will not work to NAT the 2nd set like you described.  Basically the ASA will have 2 separate WAN IPs, 123.123.123.100 and 124.124.124.100.  These then need to be bridged together.

I haven't found a solution yet, so it is likely that I will just end up sticking another router between the modem and the ASA.  The router will get the 123.123.123.100 address and the ASA will get the 124.124.124.100 address.
