04-29-2019 04:32 PM
Hello,
I have an ASA5508-X and my ISP has provisioned our modem for multihoming. Could someone please explain the steps necessary to have the second IP on the public interface and how I can route all traffic from that WAN IP to an internal host?
I believe this would be a 1:1 NAT, I am using the GUI to configure the firewall.
Thank you in advance.
04-30-2019 12:40 AM
Hello,
the ASA does not support secondary IP addresses on a single interface, as far as I recall. So I guess you need another interface to configure this on...
04-30-2019 12:27 PM
I think I may have done a poor job explaining my situation. My apologies. We normally deploy Meraki MX firewalls. With those, we can easily accomplish what I am trying to do. ISP puts the modem into multihoming and then we just create a 1:1 NAT that consists of the WAN IP and then the internal IP (ex: a webserver IP).
Here's what I have done on the ASA5508, in the GUI I created a network object, that contains the WAN IP and subnet. I created a "Manual" static NAT that has the source interface as "outside" and set source address/port to ANY and Destination as the network object I created that contains the WAN IP. I set the destination network to be "inside" and address/port to ANY and destination address to my internal server.
I then created an access rule that has the Source as "outside" and networks/ports as any then Destination as "inside" and networks "my internal server" object.
I cannot deploy these changes yet, customer wants to wait. But does this sound like I did the correct thing? Will this work lol?
04-30-2019 01:07 PM
I would use either Auto Nat or twice nat.
Auto NAT:
object network inside-server
host 192.168.1.10
nat static 2.2.2.10 service tcp 443 443
In the above example, 2.2.2.10 represents the new public IP address. It doesn't and indeed can't be configured as a secondary IP on the existing ASAs public interface. The service https is just for illustration purposes. The object 'inside-server' represents the server on the inside, using its real ip address.
The resulting output in ASDM would look something like this:
Twice NAT:
object network inside-server-public
host 2.2.2.10 <-----------------New network object corresponding to the new Public IP
object service https
service tcp destination eq https <------You may create a new service object for the services you wish to publish
nat (inside,outside) 1 source static inside-server inside-server-public service https https
The resulting output in ASDM would look something like this:
Then, create/modify the ACL to permit the desired traffic to pass:
access-list outside_access_in line 1 extended permit tcp any any eq https
access-group outside_access_in in interface outside
Inbound routing for the new block will need to be handled by the modem. I believe the ASA would proxy-arp for requests to the new public address.
04-30-2019 02:35 PM
04-30-2019 02:54 PM
For me it's mainly simplicity; one can configure translations as part of network object definitions, which are added to the configuration. Auto NAT reduces configuration complexity when only one translation policy is required for a host.
05-01-2019 01:11 PM
@Alan Ng'ethe wrote: For me it's mainly simplicity; one can configure translations as part of network object definitions, which are added to the configuration. Auto NAT reduces configuration complexity when only one translation policy is required for a host.
Thank you for your help Alan. I seem to be stuck again, so I create the network object, and when I try to set it as the type "network" and put in the IP/Subnet I get an error "The IP Address xx.xx.xx.238 does not match with netmask 30. To specify a network use xx.xx.xx.236/30. To specify a host use xx.xx.xx.238/255.255.255.255."
It does allow me to use the type "host" and the IP provided by the ISP, without a subnet. I have a feeling that it won't work that way though.
That issue aside, I have made an auto NAT rule that is set up as follows - Type = Static. Original Packet source interface "Internet" (which is the WAN interface). Original address is the "SecondIP" object I made (which currently is the type "host" as mentioned above with JUST the WAN IP). Then I have the translated packet to destination interface "LAN" to address "internal-server".
Does this all sound correct? The only part I am very unsure about is the network object.
Thank you so much for your assistance.
05-01-2019 03:06 PM
It does allow me to use the type "host" and the IP provided by the ISP, without a subnet. I have a feeling that it won't work that way though.
When one uses the keyword 'host' it is presumed that the mask is an /32. This should allow one to use the object as defined, for NAT statements.
That issue aside, I have made an auto NAT rule that is set up as follows - Type = Static. Original Packet source interface "Internet" (which is the WAN interface). Original address is the "SecondIP" object I made (which currently is the type "host" as mentioned above with JUST the WAN IP). Then I have the translated packet to destination interface "LAN" to address "internal-server".
Does this all sound correct? The only part I am very unsure about is the network object.
Thank you so much for your assistance.
If I am not mistaken, it seems like you're trying to use outside NAT. Could you post the output of show run | include nat and show run object?
I would use the 'internal server' network object to create an Auto NAT entry in the configuration. Something like this, substituting the given IPs and ports with those you're using:
object network inside-server-public
host 2.2.2.10
object network inside-server
host 192.168.2.20
nat (inside,outside) static inside-server-public service tcp 443 443
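As an added illustration (not from any poster in this thread), here is the Auto NAT approach from the two answers above pulled together with the ACL and the verification commands you would run before the customer go-live. Addresses are constructed placeholders, and the interfaces are assumed to be named "outside" and "inside" as in Alan's examples (yours are "Internet" and "LAN").

```text
! Constructed example values: second public IP 2.2.2.10, web server 192.168.2.20
! The public IP is a host (/32) object; the ASA does not hold the ISP's /30, only this address.
object network inside-server
 host 192.168.2.20
 ! Auto NAT: translate the server's real address to the extra public IP, TCP/443 only.
 ! Limiting the service means no other port on the server becomes reachable from outside.
 nat (inside,outside) static 2.2.2.10 service tcp 443 443

! Post-8.3 ACLs match the REAL (untranslated) address, so reference the inside-server
! object rather than the public IP, and permit only the published port instead of "any any".
access-list outside_access_in extended permit tcp any object inside-server eq https
access-group outside_access_in in interface outside

! Verification (exec mode), before and after deploying:
show nat detail
! -> the static rule with translate_hits / untranslate_hits counters
packet-tracer input outside tcp 198.51.100.7 40000 2.2.2.10 443
! -> expect an UN-NAT phase to 192.168.2.20/443, an ACCESS-LIST permit, and "Action: allow"
packet-tracer input outside tcp 198.51.100.7 40000 2.2.2.10 22
! -> expect "Action: drop", confirming only HTTPS is exposed on the new public IP
show xlate
! -> live translations once real traffic arrives
```

If packet-tracer reports a drop in the NAT or ACCESS-LIST phase for port 443, check that the object holds the real inside address and that the ACL references that object, not the public IP.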