Multiple WAN IPs on single public interface ASA5508-X

powerstubbs (Level 1)

Hello,

I have an ASA5508-X and my ISP has provisioned our modem for multihoming. Could someone please explain the steps necessary to have the second IP on the public interface and how I can route all traffic from that WAN IP to an internal host?

I believe this would be a 1:1 NAT; I am using the GUI to configure the firewall.

Thank you in advance.

7 Replies

Hello,

The ASA does not support secondary IP addresses on a single interface, as far as I recall. So I guess you need another interface to configure this on...

powerstubbs (Level 1)

I think I may have done a poor job explaining my situation. My apologies. We normally deploy Meraki MX firewalls. With those, we can easily accomplish what I am trying to do. The ISP puts the modem into multihoming and then we just create a 1:1 NAT that consists of the WAN IP and then the internal IP (ex: a webserver IP).

Here's what I have done on the ASA5508: in the GUI I created a network object that contains the WAN IP and subnet. I created a "Manual" static NAT that has the source interface as "outside" and set source address/port to ANY and Destination as the network object I created that contains the WAN IP. I set the destination network to be "inside" and address/port to ANY and destination address to my internal server.

I then created an access rule that has the Source as "outside" and networks/ports as any, then Destination as "inside" and networks "my internal server" object.

I cannot deploy these changes yet; the customer wants to wait. But does this sound like I did the correct thing? Will this work lol?

 

Alan Ng'ethe (Level 3)

I would use either Auto NAT or twice NAT.

Auto NAT:

object network inside-server
 host 192.168.1.10
 nat (inside,outside) static 2.2.2.10 service tcp 443 443

In the above example, 2.2.2.10 represents the new public IP address. It doesn't, and indeed can't, be configured as a secondary IP on the existing ASA's public interface. The service https is just for illustration purposes. The object 'inside-server' represents the server on the inside, using its real IP address.

 

The resulting output in ASDM would look something like this:

[screenshot: network object nat rule.PNG]

 

Twice NAT:

object network inside-server-public
 host 2.2.2.10                       <----- new network object corresponding to the new public IP
object service https
 service tcp destination eq https    <----- you may create a new service object for the services you wish to publish

nat (inside,outside) 1 source static inside-server inside-server-public service https https

 

The resulting output in ASDM would look something like this:

[screenshot: network object nat rule 2.PNG]

 

Then, create/modify the ACL to permit the desired traffic to pass:

access-list outside_access_in line 1 remark ASA 8.3+ ACLs match the real (untranslated) address: reference inside-server, not 2.2.2.10
access-list outside_access_in line 2 extended permit tcp any object inside-server eq https
access-group outside_access_in in interface outside

 

Inbound routing for the new block will need to be handled by the modem. I believe the ASA would proxy-arp for requests to the new public address. 

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Thank you for this, could I trouble you to clarify why auto NAT would be your suggestion over manual?

For me it's mainly simplicity; one can configure translations as part of network object definitions, which are added to the configuration. Auto NAT reduces configuration complexity when only one translation policy is required for a host.


@Alan Ng'ethe wrote:

For me it's mainly simplicity; one can configure translations as part of network object definitions, which are added to the configuration. Auto NAT reduces configuration complexity when only one translation policy is required for a host.

Thank you for your help Alan. I seem to be stuck again. I created the network object, and when I try to set it as the type "network" and put in the IP/subnet I get an error "The IP Address xx.xx.xx.238 does not match with netmask 30. To specify a network use xx.xx.xx.236/30. To specify a host use xx.xx.xx.238/255.255.255.255."

It does allow me to use the type "host" and the IP provided by the ISP, without a subnet. I have a feeling that it won't work that way though.

 

That issue aside, I have made an auto NAT rule that is set up as follows - Type = Static. Original Packet source interface "Internet" (which is the WAN interface). Original address is the "SecondIP" object I made (which currently is the type "host" as mentioned above with JUST the WAN IP). Then I have the translated packet to destination interface "LAN" to address "internal-server".

Does this all sound correct? The only part I am very unsure about is the network object.

 

Thank you so much for your assistance.


@powerstubbs wrote:

It does allow me to use the type "host" and the IP provided by the ISP, without a subnet. I have a feeling that it won't work that way though.

When one uses the keyword 'host' it is presumed that the mask is a /32. This should allow one to use the object as defined for NAT statements.

 


@powerstubbs wrote:

That issue aside, I have made an auto NAT rule that is set up as follows - Type = Static. Original Packet source interface "Internet" (which is the WAN interface). Original address is the "SecondIP" object I made (which currently is the type "host" as mentioned above with JUST the WAN IP). Then I have the translated packet to destination interface "LAN" to address "internal-server".

Does this all sound correct? The only part I am very unsure about is the network object.

Thank you so much for your assistance.

If I am not mistaken, it seems like you're trying to use outside NAT. Could you post the output of "show run | include nat" and "show run object"?

 

I would use the 'internal server' network object to create an Auto NAT entry in the configuration. Something like this, substituting the given IPs and ports with those you're using:

 

object network inside-server-public
 host 2.2.2.10

object network inside-server
 host 192.168.2.20
 nat (inside,outside) static inside-server-public service tcp 443 443

 

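An added example that is not part of this thread: a small Python checker for the kind of configuration Alan recommends in his first answer and repeats in his last post (object NAT on a host object plus an inbound ACL on the outside interface). It assumes ASA 8.3+ semantics, which a 5508-X always runs: the inbound ACL must match the real, untranslated address and port of the server, not the mapped public IP. The `show run` excerpt it parses, and every object name, address and port in it, is constructed for the example. The three cases are a correct publish of inside-server, an ACL entry that wrongly names the mapped public address (legacy-app), and a mapped object defined as a /30 subnet instead of a host (ftp-box), which is the mismatch behind the ASDM error quoted earlier in the thread.

```python
"""Added example, not code from the thread: check 1:1 publishing on an ASA 8.3+.
For each static object NAT in a constructed `show run` excerpt it checks that the
inbound ACL on the mapped interface permits the REAL address on the REAL port,
flags an ACE that names the mapped public IP (never matches on 8.3+), flags a
blanket 'any' destination, and flags a mapped object that is a subnet, not a host.
All object names, addresses and ports below are made up for this example."""
import re

# ASA prints these keywords instead of port numbers; only the ones used here are listed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"(any|host \S+|object \S+) (any|host \S+|object \S+)(?: eq (\S+))?$")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")

# Constructed `show run` excerpt: objects and ACL first, then the nat section, as the ASA prints it.
CONFIG = """\
object network inside-server
 host 192.168.1.10
object network inside-server-public
 host 2.2.2.10
object network legacy-app
 host 192.168.1.20
object network bad-mapped
 subnet 2.2.2.12 255.255.255.252
object network ftp-box
 host 192.168.1.30
access-list outside_access_in extended permit tcp any object inside-server eq https
access-list outside_access_in extended permit tcp any host 2.2.2.11 eq www
access-list outside_access_in extended permit tcp any any eq ftp
!
object network inside-server
 nat (inside,outside) static inside-server-public service tcp 443 443
object network legacy-app
 nat (inside,outside) static 2.2.2.11 service tcp 8080 80
object network ftp-box
 nat (inside,outside) static bad-mapped service tcp 21 21
access-group outside_access_in in interface outside
"""

def port(tok):
    """Port keyword or number -> int; None means no port restriction."""
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)

def parse_config(text):
    """Return (objects, nats, acls, bindings); an object listed twice is merged by name."""
    objects, nats, acls, bindings, cur = {}, [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            cur = objects.setdefault(line.split()[2], {"name": line.split()[2]})
        elif line.startswith("host ") and cur:
            cur["host"] = line.split()[1]
        elif line.startswith("subnet ") and cur:
            cur["subnet"] = tuple(line.split()[1:3])
        elif (m := NAT_RE.match(line)) and cur:
            nats.append({"real": cur["name"], "mapped_if": m.group(2), "mapped": m.group(3),
                         "proto": m.group(4), "real_port": port(m.group(5))})
        elif m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "dst": m.group(5), "port": port(m.group(6))})
        elif line.startswith("access-group "):
            name, _, _, ifc = line.split()[1:5]          # access-group NAME in interface IFC
            bindings[ifc] = name
    return objects, nats, acls, bindings

def dst_addr(dst, objects):
    """ACE destination -> single IP, or None for 'any' or a non-host object."""
    if dst == "any":
        return None
    kind, value = dst.split(" ", 1)
    return value if kind == "host" else objects.get(value, {}).get("host")

def ace_permits(ace, objects, ip, proto, rport):
    """Does this ACE permit proto/rport to the real address ip? ('any' counts; flagged separately.)"""
    if ace["action"] != "permit" or (proto and ace["proto"] not in (proto, "ip")):
        return False
    if rport is not None and ace["port"] not in (None, rport):
        return False
    return ace["dst"] == "any" or dst_addr(ace["dst"], objects) == ip

def check_published_services(text):
    """Map each object NAT's real object name to a list of findings (empty means it looks right)."""
    objects, nats, acls, bindings = parse_config(text)
    report = {}
    for n in nats:
        findings = []
        real_ip = objects[n["real"]].get("host")
        mapped_obj = objects.get(n["mapped"])           # mapped side is an object name or a literal IP
        mapped_ip = mapped_obj.get("host") if mapped_obj else n["mapped"]
        if mapped_obj and "subnet" in mapped_obj and real_ip:
            findings.append(f"mapped object {n['mapped']} is a subnet; host {real_ip} needs a host (/32) object")
        acl = acls.get(bindings.get(n["mapped_if"], ""), [])
        hits = [a for a in acl if ace_permits(a, objects, real_ip, n["proto"], n["real_port"])]
        if not hits:
            findings.append(f"no ACE permits {n['proto']}/{n['real_port']} to real address {real_ip} "
                            "(8.3+ ACLs use the untranslated address)")
        if any(a["dst"] == "any" for a in hits):
            findings.append("matching ACE permits destination 'any'; restrict it to the published host")
        if mapped_ip and any(a["action"] == "permit" and dst_addr(a["dst"], objects) == mapped_ip for a in acl):
            findings.append(f"an ACE names the mapped address {mapped_ip}; it never matches on 8.3+")
        report[n["real"]] = findings
    return report
```

Paste a real `show run` into CONFIG to use it; the parser only understands the `any`, `host` and `object` address forms and the object-NAT syntax used in this thread (no `line N` numbers, inline subnets or twice NAT), and an empty finding list for an object means its NAT and the outside ACL agree.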