
Passing Public IPs through multiple ASA's (Part 1)

mst2irad4113
Level 1

Hello Everyone,

I am in a very unique lab environment with many "layers" of firewalls.

 

www > ASA 5510 > Layer 2 Switch > ASA 5505 (1) > ASA 5505 (2) - VLAN 100 - 192.168.100.0/24
                                               > ASA 5505 (3) - VLAN 101 - 192.168.101.0/24
                                               > Server 01 - VLAN 102 - 192.168.102.100/24

 

I also have a block of IPs from our ISP. (ie: 222.222.222.100-15)

All of my 5505's are running IOS 9.2(3)

 

Here is my dilemma...

I have access to the ASA 5510, so when I need to assign a device a public IP, I just create a NAT rule pointing to the internal IP and static route everything to find each other. Our lab changes almost monthly, due to projects coming and going, and I need to be able to redirect/reuse my public IPs on the fly. Unfortunately I will be losing access to that ASA 5510 shortly and have to think of another way of retaining my ability to move public IPs.

Right now... I need to know what is possible.

 

IDEA #1 - Double NAT : This idea would have the 5510 NAT each public IP separately to an address that I don't actually use (ie: 10.70.0.100/24), have a static route to 5505 (1), and then put a second NAT on the 5505 (1) to translate 10.70.0.100 > whatever internal IP I actually want to use.

- 5510
       - NAT... 222.222.222.100 > 10.70.0.100 > Permit
         NAT... 10.70.0.100 > 222.222.222.100 > Permit
       - ACL... any > 222.222.222.100 > IP > Permit
         ACL... 222.222.222.100 > any > IP > Permit
       - Static Route... 10.70.0.100/24 > ASA 5505 (1)

- 5505 (1)
       - NAT... 10.70.0.100 > 192.168.102.100 > Permit
         NAT... 192.168.102.100 > 10.70.0.100 > Permit
       - ACL... any > 10.70.0.100 > IP > Permit
         ACL... 10.70.0.100 > any > IP > Permit

When I attempted this and tried pinging my public IP, the 5510 dropped the packet due to Asymmetric Routing. :(

 

IDEA #2 - Pass Public IPs to ASA 5505 (1) : Not sure this is doable, but if there is any way for the 5510 to pass the public IPs straight through with no NATing to the second hop, 5505 (1), then I can just use the 5505 (1) to single NAT my public IPs and never have to touch the 5510 again. Unfortunately... not only do I not know if this is possible... but I have no idea how to try.

 

I do apologize for my lack of knowledge, I am a new Network engineer and I was fortunate to get a position where I can learn on the job. In this case... I am drinking from a fire hose.

Any help or suggestions would be greatly appreciated. I have purchased a number of books and have reached out to authors, but all of their configurations are based on a single ASA. When done, I will have about 5-6 ASAs in my environment.

Thank you in advance,

-Rico

29 Replies

Show NAT Results

5505 (1)(config)# sh nat
Manual NAT Policies (Section 1)
1 (outside) to (inside) source static 70.x.x.231 70.x.x.231   destination static 10.20.0.20 10.20.0.20
    translate_hits = 0, untranslate_hits = 0
2 (any) to (inside) source dynamic any interface
    translate_hits = 3613, untranslate_hits = 24
3 (any) to (outside) source dynamic any interface
    translate_hits = 4762, untranslate_hits = 28

Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic 10.20.0.0 pat-pool interface
    translate_hits = 123, untranslate_hits = 0

*********************************************************************************

Show Run Results

ASA Version 9.2(3)
!
hostname 5505 (1)
enable password yWxGihD90DbVMQxh encrypted
names
!
interface Ethernet0/0
 description Port to 5510
 switchport access vlan 2
!
interface Ethernet0/1
 description Port to 5505 (2)
 switchport access vlan 10
!
interface Ethernet0/2
 description Port to 5505 (2)
 switchport access vlan 10
!
interface Ethernet0/3
 description Port to Computer
 switchport access vlan 10
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 description Admin_Access
 switchport access vlan 38
!
interface Vlan1
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0
!
interface Vlan3
 no nameif
 security-level 0
 ip address 10.39.0.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan38
 nameif Admin_Access
 security-level 100
 ip address 10.38.0.10 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.20.0.0
 subnet 10.20.0.0 255.255.255.0
object network 10.20.0.11
 host 10.20.0.11
 description 5505 (2)
object network 70.x.x.231
 host 70.x.x.231
object network 10.20.0.20
 host 10.20.0.20
 description Test Destination for 10.60.0.233
object-group network 22
object-group network 223
 network-object object 70.x.x.231
access-list outside_access_in_1 extended permit ip any host 10.20.0.20
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside_access_in extended permit ip host 10.20.0.20 any log
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Admin_Access 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static 70.x.x.231 70.x.x.231 destination static 10.20.0.20 10.20.0.20
nat (any,inside) source dynamic any interface
nat (any,outside) source dynamic any interface
!
object network 10.20.0.0
 nat (any,outside) dynamic pat-pool interface
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.38.0.0 255.255.255.0 Admin_Access
http 10.20.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.38.0.0 255.255.255.0 Admin_Access
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6de85e2d66ab6a11b9b8c3733746c7aa
: end

Okay, please see my last post.

You still have outside to inside rules and multiple dynamic NAT rules.

Can you look at my last post and answer the questions so I know what you are trying to do in terms of all access.

We can get this working but I have to understand what it is you want and some of the NAT rules left still don't make sense to me.

Jon
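Jon's point about the outside-to-inside rule and the stacked dynamic NAT rules can be checked mechanically. The Python below is an added illustration, not code from this thread or from Cisco: it parses the manual NAT lines of the 5505 (1) config quoted above under a simplified first-match model, flags those patterns, and traces the step-1 test (an outside ping to the public IP that should reach 10.20.0.20) through the quoted rules and through an assumed corrected pair. Assumed values: 70.0.0.231 stands in for the masked 70.x.x.231, 198.51.100.7 is the external test laptop, 10.20.0.55 and 203.0.113.9 are constructed hosts, object names are written as plain addresses because the parser does not resolve ASA objects, and FIXED_RULES is my guess at the shape, not the thread's eventual configuration.

```python
"""Simplified ASA twice-NAT (Section 1) matcher and rule audit; an added illustration."""
import ipaddress
import re

# Interface addresses from the quoted 5505 (1) config: Vlan2 outside, Vlan10 inside.
IFACE_IP = {"outside": "10.10.0.21", "inside": "10.20.0.1"}

# Manual NAT lines as quoted above; 70.0.0.231 is a constructed stand-in for the masked 70.x.x.231.
OLD_RULES = """
nat (outside,inside) source static 70.0.0.231 70.0.0.231 destination static 10.20.0.20 10.20.0.20
nat (any,inside) source dynamic any interface
nat (any,outside) source dynamic any interface
"""

# Step-1 shape (an assumption, not the thread's final config): static map first, then outbound PAT.
FIXED_RULES = """
nat (inside,outside) source static 10.20.0.20 70.0.0.231
nat (inside,outside) source dynamic 10.20.0.0/24 interface
"""

# Twice NAT writes the source as real then mapped, but the destination as mapped then real.
NAT_RE = re.compile(
    r"nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?")
# Which interface an address token belongs to (needed to resolve the 'interface' keyword).
SIDE = {"src_real": "real_ifc", "dst_real": "real_ifc", "src_mapped": "mapped_ifc", "dst_mapped": "mapped_ifc"}


def _net(token, ifc):
    """Resolve an address token; 'interface' means the named interface's own IP."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token == "interface":
        return ipaddress.ip_network(IFACE_IP[ifc] + "/32")
    return ipaddress.ip_network(token, strict=False)


def parse_nat(config):
    """Return the manual NAT rules as dicts, in the order the ASA evaluates them."""
    rules = []
    for line in config.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        r = {k: _net(g[k], g[SIDE[k]]) if g[k] else None for k in SIDE}
        r.update(real_ifc=g["real_ifc"], mapped_ifc=g["mapped_ifc"], kind=g["kind"], text=m.group(0))
        rules.append(r)
    return rules


def _map(addr, real, mapped):
    """One-to-one keeps the host offset; a /32 mapped side (identity host or PAT) collapses to it."""
    if mapped.num_addresses == 1:
        return mapped.network_address
    return mapped.network_address + (int(addr) - int(real.network_address))


def translate(rules, ingress, src, dst):
    """First match in Section 1 order (the simplification used here). Forward: the packet enters
    the real interface and matches real addresses. Reverse (static only): it enters the mapped
    interface aimed at a mapped address, so the destination is untranslated. Returns
    (rule text, new src, new dst, egress); an 'any' egress is left to routing and reported as None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["real_ifc"] in ("any", ingress) and s in r["src_real"] and (
                r["dst_real"] is None or d in r["dst_real"]):
            nd = _map(d, r["dst_real"], r["dst_mapped"]) if r["dst_real"] else d
            return (r["text"], str(_map(s, r["src_real"], r["src_mapped"])), str(nd),
                    None if r["mapped_ifc"] == "any" else r["mapped_ifc"])
        if r["kind"] == "static" and r["mapped_ifc"] in ("any", ingress) and (
                d in r["src_mapped"]) and (r["dst_mapped"] is None or s in r["dst_mapped"]):
            ns = _map(s, r["dst_mapped"], r["dst_real"]) if r["dst_mapped"] else s
            return (r["text"], str(ns), str(_map(d, r["src_mapped"], r["src_real"])),
                    None if r["real_ifc"] == "any" else r["real_ifc"])
    return None


def audit(rules):
    """Flag the patterns Jon calls out above; one message per issue found."""
    out = []
    for i, r in enumerate(rules, 1):
        if r["kind"] == "static" and r["src_real"] == r["src_mapped"] and (
                r["dst_mapped"] is None or r["dst_mapped"] == r["dst_real"]):
            out.append(f"rule {i}: identity on both sides, maps no public IP to a host")
        if r["kind"] == "dynamic" and r["src_real"].prefixlen == 0:
            out.append(f"rule {i}: dynamic NAT from 'any' catches every flow")
        if r["kind"] == "dynamic" and r["mapped_ifc"] == "inside":
            out.append(f"rule {i}: PAT toward the inside interface hides outside sources")
    return out
```

Under the quoted rules the inbound ping never gets its destination rewritten to 10.20.0.20, because the `(any,inside)` catch-all is the first match and PATs it toward the inside interface, whereas the assumed static rule untranslates it on the way in and translates the reply back to the public IP on the way out.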

1) how are you testing connectivity to one of the public IPs you want to move to the 5505 (1) ?

Answer: I have another laptop that is connected to a completely different internet connection that I am using. As a basic test I am using this laptop to ping that public IP 70.x.x.231 and see if I get a response from the internal laptop that is set statically to 10.20.0.20.

2) what access do you need on ASA 5505 (1) ie. I know you want to move the public IPs to it but what about inside to outside access.

Answer: Great question, sorry I missed it. My environment is primarily going to be used for VPN and some web servers. Since I was just trying to get something to get through, most (if not all) of my rules were using "any > any". I figured once I established a connection, I could go back and limit the ports via the ACLs.

 

A simple look at my goal would be:

www > ASA 5510 > Layer 2 Switch > ASA 5505 (1) > ASA 5505 (2) - VLAN 100
                                               > ASA 5505 (3) - VLAN 101
                                               > Web Server 01 - VLAN 102

5510

  • Allow VPN ports and web ports inbound.
  • Allow VPN ports and web ports outbound (for P2P traffic and browsing for certain networks)
  • Allow the block of public IPs to pass through un-NAT'd to the 5505 (1)

5505 (1)

  • Intended to be my Core ASA. Configured in a way that I could make changes to the environment without using the 5510.
  • NAT public IPs to the devices and servers as needed and restrict ports as needed.

5505 (2)

  • This is going to be my P2P ASA... my hope is to use this for all my site-to-site connections.
  • All I care about is the VPN Site-to-Site; these devices should only talk to the other side. No internet browsing.
  • It will need a public IP.

5505 (3)

  • This is going to be used for various networks and VLANs.
  • This will need access to the internet.
  • It will need a public IP for remote VPN sessions.

I only have five days to figure this out. After that... I know they are just going to have to find someone else for this position. Thank you so much for your assistance thus far. I am hoping we can get this to work.

Let me know any other questions you need answered.

Okay, well five days is quite a while, so if we just take it step by step we should get there.

Firstly ASA 5505 (2) and (3) are behind (1).

Both 5505 (2) and (3) need public IPs for VPN, so where are these public IPs coming from ?

The ones we are passing through to 5505 (1) can't be used as they will live on 5505 (1).

You could in theory use two of them and pass them through again and use host routes on 5505 (1) pointing to both (2) and (3). I have never done that but it should work.

Is that what you want to do ie. use some of these public IPs on the (2) and (3) ?

If so, before anything else let's try and get the public IPs working or you won't be able to do anything.

Do you currently need any access from the inside of 5505 (1) to the outside or do you just want to get the public IP bit working ?

Jon

Yes, the 5505 (2) and (3) are behind the 5505 (1) and will both need to be accessed externally.

We were able to achieve this with our old network model poorly with just NAT'ing.

www > 5510 (NAT public IP #2 to outside interface of 5505 (2)) > 5505 (2)
           (NAT public IP #3 to outside interface of 5505 (3)) > 5505 (3)

I was hoping that once we passed the public IPs to 5505 (1) that we would be able to NAT them to their destination.


I am hoping I understand your last question. Do you currently need any access from the inside of 5505 (1) to the outside? I believe the answer is yes if you are referring to access to the internet from its inside interface, such as a server. The only location I want to restrict internet access from is the 5505 (2), which will be hosting networks that should only have access to their site-to-site networks. Everything else (up until now) should be able to access the internet.

 

I was hoping that once we passed the public IPs to 5505 (1) that we would be able to NAT them to their destination.

You will but VPNs don't like NAT ie. if you use a public IP on 5505 (1) as the tunnel endpoint for a VPN but you are actually then translating that to another IP which is the outside IP of 5505 (2) or 5505 (3) then it may not work that well.

If you are saying it was working before then fine we can try that.

You did understand the last question.

Basically you have a certain amount of time to get this working. What I was asking is do you, right now, need that access or is it just needed for the final solution.

What I want to do is remove all the unnecessary config so we can concentrate on the public IPs and then if we get that working we can add to it.

I'm trying to get a base from where we can add.

If we can clear it up and get the public IPs working then we can add more rules to allow more access.

It would also mean you can decide about the public IPs on the other internal ASAs ie. do you want to NAT or do you want to try and pass through again and we can test both.

Let me know what you think but at the moment I just need a realistic view of what you actually need to get working and in what order so I can help sort out the configuration.

Jon

That makes complete sense.

If I had to break down what I need to accomplish in a progression it would look like this.

  1. Get 5510 to pass public IPs to 5505 (1)
    • Be able to access the internet from the inside interface of the 5505 (1)
    • Statically assign an internal IP to a computer on the inside interface of the 5505 (1)
    • NAT a single public IP to the computer. Test access from an outside computer to the internal computer.
  2. Assign the outside interface of the 5505 (2) a public IP via NAT from 5505 (1)
    • Test access from external computer to internal 5505 (2) via external computer. Enable SSH temporarily and access using Putty? Disable after test.
  3. Get a Site-To-Site connection up with the 5505 (2) and one of our remote sites. ***I have the configs and will test it out once we verify the outside interface is working in Step 2.
    • Verify no internet connection from inside interface of the 5505 (2)
  4. Assign the outside interface of the 5505 (3) a public IP via NAT from 5505 (1)
    • Verify internet access on inside interfaces of 5505 (3)
  5. Revisit ACLs to limit traffic flow.

Networks need to be configured with VLANs because I need to be able to host multiple labs from 5505 (3) and multiple P2P's from 5505 (2).

 Is this too generic? I could write this with actual IPs, names, and rules.

Okay, let's do 1) first.

Firstly can we agree on a public IP range ie. I have been using 73.x.x.224/28 but your object groups reference -

object network 70.x.x.231
 host 70.x.x.231

so is this a different thing or meant to be the same ?

Secondly can we use this object group as the client on the inside to test with -

object network 10.20.0.20
 host 10.20.0.20
 description Test Destination for 10.60.0.233

if we can then what exactly is 10.60.0.233 ?

At the moment we are just trying to be able to setup a public IP to private IP on 5505 (1) and ping from the internet as far as I see it.

We can look at everything else later.

Does this sound feasible ?

Jon

Sounds great.

The 10.60.0.233 was just remnants of my attempts to double NAT.

The 5505 (1) can be used anyway we need to. We purchased it new.

Yes, we can use the object network 10.20.0.20 host as a test.

I have never used a forum to resolve an issue so I have been communicating poorly by being inconsistent with my numbers; I do apologize. I am not sure what the etiquette is, but I was trying to mask what internal IPs I was using as well. From now I will be consistent. 

For the public range... we will use 70.x.x.224/24; the other address that has been assigned for my 5510 by the ISP is 68.x.x.178/24.

 

www

[ 5510 ]

  • Ethernet 0/0
    • nameif outside
    • No VLAN
    • ip address 68.x.x.178/28
  • Ethernet 0/1
    • nameif inside
    • No VLAN
    • ip address 10.10.0.1

[ Layer 2 Switch ]

  • Management Port 10.10.0.15
  • 5510 Port = Trunk VLAN 1
  • 5505 (1) Port = Trunk VLAN 1,2,3
  • Because of how the 5510 and 5505s work, I needed to have this switch here.

[ 5505 (1) (10.20.0.1 = Inside Interface)]

  • Ethernet 0/0
    • VLAN 3
  • Ethernet 0/1
    • VLAN 10
  • Ethernet 0/2
    • VLAN 10
    • (Connected a test laptop to this port)
  • VLAN 3
    • nameif outside
    • IP address 10.10.0.21
  • VLAN 10
    • nameif inside
    • IP address 10.20.0.1
    • No DHCP
    • Needs internet access

[ Test Laptop ]

  • Connected to Ethernet 0/2 of 5505 (1)
  • Static IP 10.20.0.20

Do we need additional information to route the public IPs to the 5505 (1)?

Do we need additional information to route the public IPs to the 5505 (1)?

You just need a route on the 5510 pointing to the outside interface of 5505 (1).

Before we do the public IP pass through just a quick design choice because it affects everything else.

It's to do with 5505 (2) and 5505 (3).

They both need public IPs as you said. Now do you want to assign the public IP directly to the outside interface of each firewall or are you hoping to assign private IPs and then NAT on 5505 (1) ?

I ask because there are 3 options to use -

1) do the above with NAT. I don't like doing this and can't guarantee the VPNs will all work but if you are happy they will we can try that

or

2) if you want them to have public IPs directly then you need an interface on 5505 (1) also with a public IP ie. all 3 firewalls need to be on a vlan using public IPs because 5505 (2) and 5505 (3) have to go through 5505 (1) to get anywhere.

This would mean breaking up your /28 public IP subnet into two /29s. One is used on 5505 (1) for NAT and the other is used for the addressing between the firewalls.

There would be a few IPs left over in the second block which could be used for NAT on either 5505(2) or 5505 (3)

or

3) if you don't want to break up the block the alternative which may not be possible is to bring up 5505 (2) and 5505 (3) to be level with 5505 (1) ie. 5510 and all three firewalls outside interfaces are in a common vlan.

You would then address the inside interface of 5510 and the outside interfaces of all the other firewalls using the /28 and use whatever is left where you want for NAT.

This would mean traffic from 5505 (2) and 5505 (3) does not go via 5505 (1) to get to and from the internet

Apologies for the length of the post but you need to decide now before we start configuring anything.

Happy to go with whatever you want.

Jon

 

I feel that I understand all three options. The biggest goal (outside of just getting this to work) is to have flexibility with the public IP's after we lose access to the 5510 on Monday. We may need to use IPs for VPN or Web Servers or whatever and have to change it later. We will also most likely be adding more 5505's at the same level of the 5505 (2) and 5505 (3) outside interfaces.

Option 1) Yes, this was my original idea because I felt that it would give me the most flexibility and we had it working as such prior to all these changes. Unfortunately my confidence is being overtaken by the pressure of time so at this point I need to go with what will definitely work.

Option 2) We have 14 IPs to use and I don't have an issue using one for the 5505 (2) and 5505 (3) because they will need one anyway for VPN purposes. It seems that breaking up the block into /29s will give us a total of 6 hosts per new block; but it sounds like one block will be dedicated to the inside network of the 5505 (1) and the outside network of the 5505 (2) / 5505 (3). Which will mean that I could add additional ASAs to that network? And the second block (6) will be used for internal servers located on the inside networks of the 5505 (2) and 5505 (3)?

Option 3) This option provides the least amount of flexibility after losing access to the 5510. I don't believe this is the direction we can go.

My Answer: Option 1 is my preference because it would give me the most flexibility and the most IPs, followed by Option 2. Unfortunately the pressure is too high and my remaining time is too short for me to miss on this shot. If Option 2 can definitely get this working, then I will have to do that one.

If you know that using NAT still works with VPNs and you had it working then we can go with option 1).

If we get the public IPs passing through then you should be able to test relatively quickly.

I haven't done VPNs for a while so I may be out of date and perhaps you don't get the issues I saw before so I am happy to follow your lead.

Option 2 would give you a /29 to use on 5505 (1) for NAT and then the other block could be used as you say.

Let's get the public IPs passing through and then you can make a final decision because it may take some pressure off.

So I'm going to use Jouni's document for where to place the NAT.

Can you do me a favour ?

Can you open a new thread in this forum as this is getting a bit large and we'll just concentrate on the configuration.

I'm assuming nothing is really working so I'm going to remove all existing NAT and we'll go from there.

If you can start a new thread just called the same but with "continued" we can start in there.

I'll get the configuration changes ready.

Hopefully within the next hour or so we should get this working in terms of public IPs.

Jon

 

Done. New discussion created. https://supportforums.cisco.com/discussion/12466376/passing-public-ips-through-multiple-asas-part-2-continued

Okay, no need for factory reset but yes clear up the NAT.

Can you just tell me two things -

1) how are you testing connectivity to one of the public IPs you want to move to the 5505 (1) ?

I need to understand that before we can continue.

2) what access do you need on ASA 5505 (1) ie. I know you want to move the public IPs to it but what about inside to outside access.

I need to understand exactly what you want to do otherwise it's hard to tell you what needs changing etc.

Jon

***I changed as much as I could without ruining the whole config - NOT REAL IPs***
:
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname 5505 (1)
enable password yWxGihD90DbVMQxh encrypted
names
!
interface Ethernet0/0
 description Port to 5510
 switchport access vlan 2
!
interface Ethernet0/1
 description Port to 5505 (2)
 switchport access vlan 10
!
interface Ethernet0/2
 description Port to Computer
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0
!
interface Vlan3
 no nameif
 security-level 0
 ip address 10.39.0.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan69
 nameif Admin_Access
 security-level 100
 ip address 10.38.0.10 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.20.0.0
 subnet 10.20.0.0 255.255.255.0
object network 10.20.0.11
 host 10.20.0.11
 description 5505 (2)
object network 10.60.0.236
 host 10.60.0.236
object network 10.20.0.200
 host 10.20.0.200
object network 70.x.x.231
 host 70.x.x.231
object network 10.20.0.20
 host 10.20.0.20
 description Test Destination for 10.60.0.233
object network 10.60.0.233
 host 10.60.0.233
 description Faux internal IP for Public IP (70.x.x.233)
object-group network 22
object-group network 223
 network-object object 70.x.x.231
access-list outside_access_in_1 extended permit ip any host 10.20.0.20
access-list outside_access_in_1 extended permit ip any host 10.60.0.233
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside_access_in extended permit ip host 10.20.0.20 any log
access-list Inside_access_in extended permit ip host 10.60.0.233 any
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Admin_Access 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static 70.x.x.231 70.x.x.231 destination static 10.20.0.20 10.20.0.20
nat (outside,any) source static 10.60.0.236 10.60.0.236 destination static 10.20.0.11 10.20.0.11 no-proxy-arp
nat (any,inside) source dynamic any interface
nat (any,outside) source dynamic any interface
!
object network 10.20.0.0
 nat (any,outside) dynamic pat-pool interface
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.69.0.0 255.255.255.0 Admin_Access
http 10.20.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.69.0.0 255.255.255.0 Admin_Access
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username rico password KqK2.7KLwliukYNN encrypted privilege 15
username admin password wNc1yAPvZgLNu5JT encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2e879cd0bcd23b983bc27629f3aec0ca
: end