Client has moved ISPs and has been provided two public IP blocks, a /29 "WAN block" and a /28 "LAN block". We initially utilized the single WAN IP provided by the ISP /29 "WAN block", but we now need to utilize additional public addresses made available via the ISP's /28 "LAN block". I would like some input on how we would implement the /28 public IP block with our existing configuration, basically chaning the NAT IPs from using the default single WAN ip to the provided /28 public ips for the network objects that have inbound open ports (smtp, webmail, etc.) and some that connect outbound (smtp). Redacted config follows. Any input would be greatly appreciated.
ASA Version 8.6(1)2
!
hostname pi
domain-name $$$$$$.$$$
enable password @@@@@@@ encrypted
passwd @@@@@@@@ encrypted
names
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address x.x.124.34 255.255.255.252
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.0.253 255.255.255.0
!
interface GigabitEthernet0/2
nameif LANMAC
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif GUEST
security-level 10
ip address 192.168.254.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup LANMAC
dns domain-lookup GUEST
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.0.240
name-server d.d.d.d
name-server d2.d2.d2.d2
domain-name $$$$$$.$$$
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network gwava_smtp
host 192.168.0.252
object network gwava_123
host 192.168.0.252
object network gwava_ssh
host 192.168.0.252
object network sanderling_https
host 192.168.0.241
object service gwavaRAS
service tcp destination eq 49282
object service sandRAS
service tcp destination eq 6523
object network gwava_ras
host 192.168.0.252
object network sanderling_ras
host 192.168.0.241
object service SSLvpn
service tcp destination eq 6666
object network NETWORK_OBJ_192.168.168.0_26
subnet 192.168.168.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network sanderling_https_nat
host 192.168.0.241
object network RSAPort5500
host 192.168.0.254
description RSA
object network RSAport7004
host 192.168.0.254
description RSA
object network RSAport7072
host 192.168.0.254
description RSA
object network WAN
host x.x.124.34
object network RSAServer
host 192.168.0.254
object service 7004
service tcp source eq 7004
object network RSAport7004_1
host 192.168.0.254
object network LANVPN_Network
subnet 192.168.168.0 255.255.255.0
description VPN Clients
object network Merganser
host 192.168.0.240
description Merganser DNS
object-group network BLOCKLIST
network-object host 95.213.157.141
network-object host 46.4.193.146
network-object host 65.15.88.243
network-object host 185.104.11.154
network-object host 185.104.9.39
object-group service RDP tcp
description Remote Desktop
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list WAN_access_in_1 extended permit udp any host 192.168.0.254 eq 5500
access-list WAN_access_in_1 extended permit tcp any host 192.168.0.254 eq 7072
access-list WAN_access_in_1 extended permit tcp any host 192.168.0.254 eq 7004
access-list WAN_access_in_1 extended permit tcp any object gwava_smtp eq smtp
access-list WAN_access_in_1 extended permit udp any object gwava_123 eq ntp
access-list WAN_access_in_1 extended permit tcp any object gwava_ssh eq ssh
access-list WAN_access_in_1 extended permit tcp any object sanderling_https eq https
access-list WAN_access_in_1 extended permit tcp any object sanderling_ras eq 6523
access-list WAN_access_in_1 extended permit tcp any object gwava_ras eq 49282
access-list WAN_access_in_1 extended permit object SSLvpn any any
access-list WAN_access_in_1 extended deny ip object-group BLOCKLIST any
access-list ****_Tunnel_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list global_access extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any
access-list global_access extended permit object-group TCPUDP object Merganser any eq domain
access-list global_access extended permit tcp object LANVPN_Network 192.168.0.0 255.255.255.0 object-group RDP
pager lines 24
logging enable
logging buffer-size 20000
logging buffered debugging
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu LANMAC 1500
mtu GUEST 1500
mtu management 1500
ip local pool ****_VPN 192.168.168.1-192.168.168.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source static RSAport7004_1 interface service 7004 7004
nat (LAN,WAN) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static
NETWORK_OBJ_192.168.168.0_26 NETWORK_OBJ_192.168.168.0_26
!
object network gwava_smtp
nat (LAN,WAN) static interface service tcp smtp smtp
object network gwava_123
nat (LAN,WAN) static interface service udp ntp ntp
object network gwava_ssh
nat (LAN,WAN) static interface service tcp ssh ssh
object network gwava_ras
nat (LAN,WAN) static interface service tcp 49282 49282
object network sanderling_ras
nat (LAN,WAN) static interface service tcp 6523 6523
object network NETWORK_OBJ_192.168.168.0_26
nat (WAN,WAN) dynamic interface
object network sanderling_https_nat
nat (LAN,WAN) static interface service tcp https https
object network RSAPort5500
nat (LAN,WAN) static interface service udp 5500 5500
object network RSAport7072
nat (LAN,WAN) static interface service tcp 7072 7072
!
nat (LAN,WAN) after-auto source dynamic any interface
nat (LANMAC,WAN) after-auto source dynamic any interface
nat (GUEST,WAN) after-auto source dynamic any interface
access-group WAN_access_in_1 in interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 x.x.124.33 1
no snmp-server location
no snmp-server contact
dhcpd address 192.168.0.100-192.168.0.149 LAN
dhcpd dns 192.168.0.240 interface LAN
dhcpd domain $$$$$$.$$$ interface LAN
dhcpd enable LAN
!
dhcpd address 192.168.2.50-192.168.2.99 LANMAC
dhcpd dns 75.75.75.75 75.75.76.76 interface LANMAC
dhcpd enable LANMAC
!
dhcpd address 192.168.254.50-192.168.254.99 GUEST
dhcpd dns 75.75.75.75 75.75.76.76 interface GUEST
dhcpd enable GUEST
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:796c435fd57ac64dcbddd4f99159dafd
: end
pi#
