
Passing Public IPs through multiple ASA's (Part 1)

mst2irad4113
Level 1

Hello Everyone,

I am in a very unique lab environment with many "layers" of firewalls.

 

www > ASA 5510 > Layer 2 Switch > ASA 5505 (1) > ASA 5505 (2) - VLAN 100 - 192.168.100.0/24
                                               > ASA 5505 (3) - VLAN 101 - 192.168.101.0/24
                                               > Server 01    - VLAN 102 - 192.168.102.100/24

 

I also have a block of IPs from our ISP. (ie: 222.222.222.100-15)

All of my 5505's are running IOS 9.2(3)

 

Here is my dilemma...

I have access to the ASA 5510 so when I need to assign a device a public IP, I just create a NAT rule pointing to the internal IP and static route everything to find each other. Our lab changes almost monthly, due to projects coming and going, and I need to be able to redirect/reuse my public IP's on the fly. Unfortunately I will be losing access to that ASA 5510 shortly and have to think of another way of retaining my ability to move public IP's.

Right now... I need to know what is possible.

 

IDEA #1 - Double NAT : This idea would have the 5510 NAT each public IP separately to an address that I don't actually use (ie: 10.70.0.100/24), have a static route to 5505 (1), and then put a second NAT on the 5505 (1) to translate 10.70.0.100 > whatever internal IP I actually want to use.

- 5510
       - NAT... 222.222.222.100 > 10.70.0.100 > Permit
         NAT... 10.70.0.100 > 222.222.222.100 > Permit
       - ACL... any > 222.222.222.100 > IP > Permit
         ACL... 222.222.222.100 > any > IP > Permit
       - Static Route... 10.70.0.100/24 > ASA 5505 (1)

- 5505 (1)
       - NAT... 10.70.0.100 > 192.168.102.100 > Permit
         NAT... 192.168.102.100 > 10.70.0.100 > Permit
       - ACL... any > 10.70.0.100 > IP > Permit
         ACL... 10.70.0.100 > any > IP > Permit

When I attempted this and tried pinging my public IP, the 5510 dropped the packet due to Asymmetric Routing. :(

 

IDEA #2 - Pass Public IPs to ASA 5505 (1) : Not sure this is doable, but if there is any way for the 5510 to pass the public IPs straight through with no NATing to the second hop, 5505 (1), then I can just use the 5505 (1) to single NAT my public IPs and never have to touch the 5510 again. Unfortunately... not only do I not know if this is possible... but I have no idea how to try.

 

I do apologize for my lack of knowledge, I am a new Network engineer and I was fortunate to get a position where I can learn on the job. In this case... I am drinking from a fire hose.

Any help or suggestions would greatly be appreciated. I have purchased a number of books and have reached out to authors but all of their configurations are based on a single ASA. When done, I will have about 5-6 ASA's in my environment.

Thank you in advance,

-Rico

29 Replies

Jon Marshall
Hall of Fame

Rico

Is the public IP on the outside interface of the 5510 from that public IP block that you use ?

Jon

Great Question!!

Actually... no.

We had five public IP's originally and had to upgrade due to our workload. Our ISP said that we couldn't keep our original IP's so they gave us a new block.

Unlike the original block when we used the first one for our outside interface for the 5510 and the rest internal, they gave us a separate IP for our 5510 and a block of different IP's to use internal.

Not sure how you knew... but great question.

Then I think you should be able to do a NAT exemption and pass the public IPs through because they are not tied to the outside interface.

Are the IPs from a block with a subnet mask ie. the example you have was 100 - 15 but that is not a subnet.

You don't need to post the exact IPs because this is a public forum but what is the start address and end address and the subnet mask eg.

22.x.x.<start IP>  etc. will be fine.

Just trying to work out whether you just need one object for the subnet or multiple entries because it does not fill an entire subnet if you see what I mean.

Jon

 

This is my first time posting for help, so I hope I answer your question correctly.

My real IP does not start with 22 or 23, but the last quartet and SM are correct.

The IP for my outside interface for the 5510 is : 22.x.x.178/28

The IP block for my internal addresses are 23.x.x.225/28

 

I hope this means that one of my ideas is actually doable.

Either should work and I'm not sure why you got an asymmetric routing issue when you tried your first option because if your diagram is correct all traffic in both directions has to go via the main internal firewall to get to any other firewalls.

It does depend on exactly how you setup the inside interfaces of your main internal firewall.

For both you would need -

1) to allow all ports to all public IPs on the outside interface of the ASA 5510 because you soon won't have access to it.

2) a route for either the internal subnet you use for the double NAT or for the public IP block if you want to avoid double NAT.

Not sure what your configuration looked like for the double NAT so please feel free to post and I can check it.

If you would rather not NAT twice and just pass it through then I think with the above route this would work -

object network <NAME>
subnet 23.x.x.224 255.255.255.240

nat (inside,outside) source static <NAME> <NAME> destination static any any

this should simply not translate the public IPs.

It's up to you which you use and I'm happy to help out.

If with either you get asymmetric routing then please post back with details of how you have setup the internal network.

It's late here so I am logging off but I'll check in tomorrow to see how it is going.

In the meantime just in case you need it here is a link to a doc that is really helpful with NAT -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon

I feel the direction to go is to pass the public IP's through. It's late here as well, but I will come back and post more details now that you have instilled hope (and possibly saved my job).

I created a network object of 70.x.x.224/28 called PublicIPs.

When trying to run "nat (inside,outside) source static PublicIPs PublicIPs destination static any any" the console doesn't like the (inside,outside).

The version of IOS on the 5510 is 8.2(5) so the command may be different.

Could I execute this via ASDM?

 

Here is some additional information (not real IPs)

Public IPs = 70.x.x.224/28 (network object name = PublicIPs)

5510

  • IOS = 8.2(5)
  • Outside interface = 68.x.x.178/28
  • Inside Interface = 10.10.0.1/24 (No VLAN)

Switch

  • Interface IP = 10.10.0.15/24

5505 (1)

  • IOS = 9.2(3)
  • Outside interface = 10.10.0.21/24 (VLAN 2)
  • Inside interface = 10.20.0.1 (VLAN 10)

5505 (2)

  • IOS = 9.2(3)
  • Outside interface = 10.20.0.10 (VLAN 10)
  • Inside interface = 10.30.0.10 (VLAN 30)
  • Inside interface = 10.40.0.10 (VLAN 40)

I hope I didn't just make this confusing.

Sorry, I didn't realise it was a different version -

Use this instead -

static (inside,outside) 70.x.x.224 70.x.x.224 netmask 255.255.255.240

Jon

I used that command on the 5510.

Then I created a NAT and ACL rule on the 5505 (1) to point to a computer directly connected to it so I could do a Ping test. ( 70.x.x.231 <> 10.20.0.20 <> Permit )

Unfortunately it did not work.

I created a static route on the 5510 to point to the 5505 (1). I thought perhaps the 5510 does not know where to send the public traffic to.

inside 70.x.x.224/28 > 10.10.0.21

Didn't change a thing.

Do I need to assign the outside interface of the 5505 (1) one of the public IP's?

In addition where are you pinging from ?

If it is from the outside of ASA 5510 have you allowed that in your acl on the outside interface (presumably you have one).

Jon

No you don't need to assign any of the IPs to an interface as long as you have a route on the 5510 ie.

route inside 73.x.x.224 255.255.255.240 <outside IP of 5505 (1)>

Can you verify that you have that on the 5510 ?

If so NAT order on post 8.3 which is what you have on your internal firewall is very different and more complex than it was before.

Can you post the configuration of ASA 5505 (1) and also the output of -

"sh nat"

from the same firewall.

Jon

I ran that route command and yes, it's on the 5510.

Here is the SH NAT command from the 5505 (1)

Manual NAT Policies (Section 1)
1 (outside) to (inside) source static 70.x.x.231 70.x.x.231   destination static 10.20.0.20 10.20.0.20
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (any) source static 10.60.0.236 10.60.0.236   destination static 10.20.0.11 10.20.0.11 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
3 (any) to (inside) source dynamic any interface
    translate_hits = 3613, untranslate_hits = 24
4 (any) to (outside) source dynamic any interface
    translate_hits = 4571, untranslate_hits = 27

Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic 10.20.0.0 pat-pool interface
    translate_hits = 123, untranslate_hits = 0

Rule #2 was one of my attempts to solve this in the beginning. I will have to delete that.

Do you want my whole Run Config of the 5505 (1)?

Firstly there are no static NATs statements for inside to outside.

If rules 1 and 2 are to get this working they shouldn't be outside to inside ie. you want an inside to outside where the inside IP is your real IP and the outside IP is 73.x.x.2xx IP.

Can you remove any NAT rules you have in place on the ASA 5505 (1) to get this working and then once you have done that can you -

1) run "sh nat" again and post because I want to see what is left after you have tidied up

2) post the configuration of ASA 5505 (1)

3) can you tell me how you are testing this ie. where are you pinging from and to in terms of source and destination IPs and where they are in relation to the firewalls.

Jon
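Added example (not from Jon's or Rico's posts): the two configurations the thread converges on, written out on the page's obfuscated addresses, with the 8.3+ ACL caveat that explains why an outside-to-inside rule never got hits. The object name HOST_10_20_0_20, the ACL name outside_in and the packet-tracer source 198.51.100.10 are assumptions.

```cisco
! --- ASA 5510, 8.2(5): hand the public /28 through untranslated ---
! Identity static: mapped and real addresses are the same, so nothing is rewritten
static (inside,outside) 70.x.x.224 70.x.x.224 netmask 255.255.255.240
! Next hop for the public block is the outside interface of ASA 5505 (1)
route inside 70.x.x.224 255.255.255.240 10.10.0.21
! Inbound ACL on the outside interface (ACL name assumed); opened to all ports
! because access to this box is going away, so per-host filtering happens on 5505 (1)
access-list outside_in extended permit ip any 70.x.x.224 255.255.255.240
access-group outside_in in interface outside

! --- ASA 5505 (1), 9.2(3): single NAT of one public IP to the test host ---
! Object (auto) NAT, inside-to-outside: real 10.20.0.20 <-> mapped 70.x.x.231.
! This replaces the outside-to-inside manual rule that showed translate_hits = 0.
object network HOST_10_20_0_20
 host 10.20.0.20
 nat (inside,outside) static 70.x.x.231
! On 8.3 and later the outside ACL is evaluated AFTER untranslation, so it must
! reference the REAL address 10.20.0.20, not the public 70.x.x.231
access-list outside_in extended permit icmp any host 10.20.0.20 echo
access-group outside_in in interface outside

! --- Checks (run on 5505 (1)) ---
! Simulate the ping test from outside; the output should show NAT untranslate
! to 10.20.0.20 and an ALLOW result, and the hit counters below should increase
packet-tracer input outside icmp 198.51.100.10 8 0 70.x.x.231
show nat
show xlate
```

On the 5510 (8.2) the ACL still matches the mapped address, which is why the identity static there needs no special handling in its ACL.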

I will do that right now. Give me two mins.

Side Note: This is a brand new 5505. So if I did something wrong and I need to config factory-defaults... I am more than willing to do it. (I've done it a bunch just to get to this point.)