Two public networks, one gateway

lubosbella
Level 1

Hi,

I have two public networks from my ISP (they are not continuous):

217.67.2.8/29

217.67.3.16/29

but only one default gateway 217.67.2.9.

How do I set up my ASA so that my public network will be, for example, 217.67.3.19, using gateway 217.67.2.9? I want to use static routing and need to use all public IPs for static NAT from outside to inside.

Many thanks.

5 Replies

Haris P
Level 4

Dear  ,

You can define these two public IPs on your router/ISP router and then define the NAT statements on the ASA with both of these IPs

like Router

int f0/0

ip address  217.67.2.9 255.255.255.248 secondary

ip address 217.67.3.17 255.255.255.248

On ASA

interface Ethernet0/0
nameif outside
security-level 0
ip address 217.67.3.18 255.255.255.248

static (inside,outside)  217.67.3.19 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 217.67.2.10 192.168.1.7 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0  217.67.3.17 1

Please rate it if this helps

Regards

Haris P

Hi thanks,

I'm not sure if we understand each other. I have an ASA and the ISP gives me:

Public IP:  217.67.2.8/29

Public IP:  217.67.3.16/29

Gateway: 217.67.2.9

Basic configuration should be:

interface Ethernet0/0
nameif outside
security-level 0
ip address 217.67.3.18 255.255.255.248 ..... second subnet

route outside 0.0.0.0 0.0.0.0  217.67.3.17 1 ......... but my gateway is 217.67.2.9 (first subnet) so my route should be: route outside 0.0.0.0 0.0.0.0  217.67.2.9

But in this configuration the ASA doesn't know about network 217.67.2.8/29, so it can't route packets to the internet... How do I set this up?

Thanks.

The below config will work.

interface Ethernet0/0
nameif outside
security-level 0
ip address 217.67.2.10 255.255.255.248

route outside 0.0.0.0 0.0.0.0  217.67.2.9 1

But where is this network 217.67.3.16/29 configured? Do you have any router on your side, or are you just connecting directly from the ISP to you?

Your firewall outside IP and gateway should be in the same network. So if you want to use 217.67.3.18/29 on your firewall, tell your ISP to configure one IP from this network on their side and use this as your firewall gateway. Otherwise use a router on your side and configure as given below

ISP(217.67.2.9) -----------(WAN: 217.67.2.10)Router(LAN IP : 217.67.3.17/29)-----------(outside 217.67.3.18/29)ASA

Regards

haris

The first suggestion from Haris using a secondary address on the router is a typical router solution. But it does not work because the ASA does not support secondary addressing.

So part of the solution is as Haris shows with the ASA interface configured with an address in the subnet of the gateway as specified by the ISP. But Haris keeps wanting to put a router into the solution with the second subnet configured on the router. This is not necessary. The 217.67.3.16/29 does not have to be configured on an interface. Just configure static translations on the ASA using these addresses. As long as the ISP routes that subnet to your ASA (using 217.67.2.10 as the next hop), then it will work.

HTH

Rick
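
The layout described in the reply above can be sanity-checked offline. This is an added example, not part of the original thread or any Cisco tool: it parses the pre-8.3 `static`/`route` syntax used in this thread, confirms the default gateway is on the outside interface's subnet, and marks each mapped address as "connected" or "routed" (a routed address only works if the ISP routes that subnet to the ASA's outside address). The names `check_outside` and `SAMPLE_CONFIG` and the address 217.67.2.11 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the pre-8.3 syntax used in this thread: outside
# interface in the gateway's subnet, second /29 used only for static NAT.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 217.67.2.10 255.255.255.248
static (inside,outside) 217.67.3.19 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 217.67.2.11 192.168.1.7 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 217.67.2.9 1
"""

# static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"static \(\w+,(\w+)\) (\S+) \S+")


def check_outside(config, ifname="outside"):
    """Hypothetical helper: return (gateway_on_link, {mapped_ip: kind}).

    kind is "connected" (address inside the interface subnet) or "routed"
    (the upstream router must route it to the ASA's outside address).
    """
    connected = gateway = current_if = None
    mapped_ips = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            current_if = None  # a new interface block starts
        elif tok[:1] == ["nameif"] and len(tok) > 1:
            current_if = tok[1]
        elif tok[:2] == ["ip", "address"] and current_if == ifname:
            connected = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[:4] == ["route", ifname, "0.0.0.0", "0.0.0.0"]:
            gateway = ipaddress.ip_address(tok[4])
        elif (m := STATIC_RE.match(line.strip())) and m.group(1) == ifname:
            mapped_ips.append(ipaddress.ip_address(m.group(2)))
    if connected is None or gateway is None:
        raise ValueError(f"no address or default route found for {ifname}")
    kinds = {str(ip): "connected" if ip in connected else "routed"
             for ip in mapped_ips}
    return gateway in connected, kinds


if __name__ == "__main__":
    print(check_outside(SAMPLE_CONFIG))
```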

Dear Richard,

The below config is already working for me (I don't know why you told me that it will not work!!!!). I added the secondary on the router, and on the ASA I just added one address as given below (no secondary is needed on the ASA, and also, as you said, the ASA doesn't support secondary addressing).

In this case, I can NAT on the firewall with the network IPs defined on the router as secondary.

int f0/0

ip address  217.67.2.9 255.255.255.248 secondary

ip address 217.67.3.17 255.255.255.248

On ASA

interface Ethernet0/0
nameif outside
security-level 0
ip address 217.67.3.18 255.255.255.248

route outside 0.0.0.0 0.0.0.0 217.67.3.17 1

Regards

Haris