ASA5508-X Using Block Of Static IP’s

fbeye
Level 4

So I have my configuration able to ping from the router itself (GBit 1/1 using a Static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1, but I am having a heck of a time removing the DHCP / NAT and being able to use, at random (to be specified on the device), my Block Of Static IPs. I currently have no running-config that differs from default aside from the WAN, but I am going in circles. I am using my Cisco 891f (which is set the way I liked it) as a reference and with an open mind to the fact this is far more technical, but I am just lost.

 

64 Replies

Can you assign private IPs to your devices and PAT the ports over? As mentioned before, the gateway and IPs are on the same subnet. You could also do a one-to-one NAT.

As of right now, the farthest I have gotten was to enable PPPoE on Gigabit 1/1 and have it authenticate and grab the Gateway IP (which it negotiates itself). 

Gigabit 1/2 is the default LAN which I use/ used for ASDM connection.

 

I can ping from my Gateway to the world just fine. 

And you are correct, the Gateway and the 5 usable IPs are on the same subnet.

 

My end goal is this: I either want to enable Gigabit 1/3-1/5 and have each device that plugs in use one of the static IPs as the device requires; or, if that is not logical/possible, enable any of Gigabit 1/3-1/5, plug in an unmanaged switch, and then have my devices plug into that and be set [on the device] to grab the IP required.

 

You do raise a question... on the 5508 will ANY LAN “NOT” work unless I create an ACL?

And with that, if that’s the case, would I then just enable any Port and do an ip route to the WAN and then allow access ACL?

I am just so used to the 891f that this has become so much bigger than I anticipated.

 

If it does help, my show config does show exactly (on the 891) what I currently use and need in the 5508. 

 

Also, thank you so much for assisting. 

Also, the only reason why I have refrained from NAT/PAT was because on the 891 I did not need it, as each device used its own IP and was protected via zones. There was no need for NAT.

 

now, the 5508 may be completely different. 

I am confused about your current setup. I have looked at the config that you posted from your 891. I see that you assign x.x.x.182 to vlan 1. And that allows you to use other addresses in the address block for hosts on that vlan. I see the config of pppoe and that the address for the dialer interface is negotiated. Are you telling us that the negotiated address is also x.x.x.182? I do not see how that could work. Can you provide some clarification about your current environment? Perhaps including the output of show ip interface brief from the 891? I do not understand how x.x.x.182 can be on both the outside and inside interfaces. Perhaps there is some way for that to happen on the 891 but I do not see how you would be able to do that on the ASA5508.

 

I do see that the configuration of the 891 does allow you to connect devices to the router ports and have them in vlan 1, so they can use addresses out of your public address block. That approach will not work on your ASA5508. The older ASA5505 had an approach similar to the 891 where the interfaces on the 5505 could be treated as switchports and could have all the interfaces assigned to the same vlan. But that is the only ASA that works that way. With your 5508 each port is a routed port and needs to be in its own subnet.

 

If it is the case that your ASA5508 needs to have x.x.x.182 configured on its outside interface I would suggest this approach to configuring your ASA. Configure G1/1 as interface outside and assign x.x.x.182 to it. Configure G1/2 with an IP address in some private network, perhaps 192.168.10.0. Connect G1/2 to some switch. Connect your other servers etc to ports on the switch and manually configure IP addresses on them. Then on the ASA configure static address translation so that each of your servers etc gets translated to a unique public IP in your block.

 

HTH

 

Rick


Hello

 

You are correct as that is how it is set up. I have also had the same comments in how it’s possible, but that is indeed how it is.

The negotiated IP is .182, which IS the Gateway for the Block of 5 and also happens to be the one my ISP gives to the authentication, which seems legitimate.

As far as how the Dialer and vlan are the same, I can not answer that except that I used this for a how to;

 

http://www.dslreports.com/faq/8199

 

And it has worked ever since.

 

It makes sense what you are saying about how this 5508 has a completely different format and the ports are routed ports. Fair enough.

 

By assigning my Gigabit 1/1 as an Outside interface and giving it a x.x.x.182 address would I then not be able to act as a PPPoE for authentication?  and then the Gigabit 1/2 an inside such as 192.168.x.x would my devices that connect to the switch that 1/2 is connected to be able to grab a x.x.121.177 - x.x.121.181 address?

Thanks for the additional information. I am still confused. I looked at the example in the link that you provided and find that in that example the negotiated address is on the outside interface (as it is in your config) but I find in that example that the IP address on the inside interface is using a private IP from the 10 network (which is quite different from your config). I would still like to see the output of show ip interface brief from your 891 to confirm the addresses being used.

 

But for our discussion the important thing is to focus on what will work on your ASA5508. As I said before I do not see any way that it could work on your ASA to use the same public IP address for the negotiated outside address and also use it for the IP address of the inside interface. Let me clarify my suggestion for your ASA. I am not suggesting that you configure the IP address x.x.x.182 on your outside interface. Your configuration to use pppoe for the outside interface should be ok and will result in the x.x.x.182 being assigned to your interface.

 

Also let me clarify that your devices connected to the switch will not  grab a x.x.121.177 - x.x.121.181 address. They will grab (or perhaps just be manually configured with) addresses in the private network used on G1/2. Then you will configure static address translation so that each device with an address in the private network will be associated with an address in your public address block.

 

HTH

 

Rick


I really have no answer as to how there are multiple .182 being used. I am trying to look back and, aside from the vlan1, I never input the .182 address. The Dialer 1 grabbed the Gateway through the Gigabit 0/8 via PPPoE and I used the vlan which enabled, I believed, the remaining Gigabit ports to its vlan.

Not sure how I was able to both have .182 as the Dialer IP (which IT should have as its the Gateway assigned by the ISP) but also how the vlan utilized it... Other than the vlan IP address was being used more as a route to the Gateway in order to use the Static IP’s in its subnet.

 

here is my brief.

 


Async3 unassigned YES unset down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
Dialer1 x.x.121.182 YES IPCP up up
FastEthernet0 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES unset down down
GigabitEthernet5 unassigned YES unset down down
GigabitEthernet6 unassigned YES unset down down
GigabitEthernet7 unassigned YES unset down down
GigabitEthernet8 unassigned YES NVRAM up up
Loopback99 10.252.0.254 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Template99 10.252.0.254 YES unset up down
Vlan1 x.x.x.182 YES NVRAM up up



 

I appreciate the additional information. Is there any possibility in comparing the Dialer1 x.x.121.182 with the address x.x.x.182 on the vlan that the third x (x.x.x.182) is different from 121?

 

HTH

 

Rick 


I just did a show running-config and looked at both Dialer1 and Vlan1 and they are both identical... if it helps I can PM you the unaltered show running-config but I assure you they are the same.... 

Could the “negotiated” possibly cause it to be different? I only have it as negotiated because when I set the WAN / Gigabit 0/8 to its proper dedicated Gateway, I got an error when creating the vlan1 as it currently is. When I did this to configure my vlan1 initially;

 

ip address x.x.x.121.182 255.255.255.248

 

it shot back

“x.x.x.121.176 overlaps with Dialer1”

 

Which was weird because I never mentioned .176, BUT .176 is my ISP-assigned “Reserved”. This is why I went to negotiated.

Not sure if that tells you anything. 

What you have sent does tell me a lot. Thank you for the offer to send the unaltered running config. I do not believe that this is necessary. It is interesting that when you attempted to configure both interfaces with the IP address that you got the error about overlapping. This is the expected behavior. I believe that you are correct about using negotiated on the dialer interface is what does allow this to work. I have not seen this configured on a Cisco router before. And if someone had asked if that would work I would not have been confident that it would. But your config does show that it does work.

 

The thing about the x.x.x.176 address is that it is the address of the subnet. As you probably remember, in creating an IP subnet you do not use the very first address (because it is the address of the subnet and not the address of a host) and you do not use the very last address (because it is the broadcast address). So when you configure an interface with x.x.x.182 you are referencing a subnet that starts with x.x.x.176 and ends with x.x.x.183. So both of those addresses are reserved.

 

Thinking about the ASA, it might be possible that the same thing could work here. Note that Cisco ASA code is very different from router IOS code, and the fact that it does work on the router does not necessarily mean that it will work on the ASA. But it could be worth a try. You already have the outside interface configured for pppoe (negotiated address). So you could configure the inside interface with x.x.x.182. You could then set up a DHCP scope on the ASA for the subnet, connect a switch to the inside interface, and connect a server to the switch. Then see if the server pulls an address in the subnet. And if so, then test to see if the server can access the Internet.

 

HTH

 

Rick


Well I did exactly that... As you mention, my outside interface is already grabbing the .182 through PPPoE on its own, and can ping the world. So it is establishing that link.

 

I am leaving "inside" interface 1/2 alone as I am using it for the ASDM connectivity but am working with 1/3 for the sake of this test.

When I configure 1/3 and input 207.108.121.182 (or any of the 5 usable from the block to try) it says that the IP address on the 1/3 interface can not overlap with the subnet from the "outside" interface. Now, I did call the 1/3 interface "block" and was going to go that route but could never get past the overlapping issue. Which seems to be fine in "negotiation" on the 891, so this clearly isn't going to allow us.

I sort of began messing around and created a 192.168.2.1 1/3 address with a POOL of 192.168.2.2-192.168.2.5 and my PC did indeed grab an IP address and I could ping the Routers DHCP Server but not anything past (such as the outside interface) so I assume that is because of no nat being set up, or because I did not assign a route to 1/3?

I think that is still going a different direction than what we are discussing so, to go back, it will not let me assign an "inside" [LAN] interface an IP that overlaps with the Gateway.

 

I am wondering if my expectations of what I want are not about this router not being able to do so rather than I picked a router that is not designed for my specific need.

 

It is good to know that you did try, as I suggested, to configure the 5508 using pppoe on G1/1 and configuring the IP address on G1/3. Sorry to know that it did not work and complained about overlap of subnets. I understand that it did work on your 891 and that this was your frame of reference as you started on the ASA5508. I hope that you can understand that what you had on the 891 was a very unusual config. In general it is not supported to have the same IP on two interfaces. So the behavior of the 5508 is the expected behavior and the behavior of the 891 was more of an exception to normal behavior. I would expect similar results with most devices that you might try in replacing the 891.

 

There is a way to achieve what you want using the 5508. As I suggested in a previous response, you can use pppoe on G1/1 to establish the connection to the ISP and to get the .182 address. You can configure some other interface using a private IP address subnet. You can assign addresses from that private subnet to each of your devices. And you can configure static address translation so that each of your devices is using an address from your public address block. The main difference is that with the 891 you did not need address translation and with the ASA you do need address translation.

 

HTH

 

Rick


I completely understand what you are saying... Regardless of our initial attempt not be able to work out, learning something new is a success all in itself. 

And of course I would have the oddly configured 891 ;)

 

So going forward with what you suggested this time and before, we will leave ‘outside’ as PPPoE with its x.x.121.182 address and configure 1/3 as a ‘block’ [for ip block] using DHCP 192.168.2.x and utilizing NAT.

 

I've been lucky (or unfortunate) to not need the usage of specific NAT rules, so this will be a whole new venture for me that I am more than happy to get into.

I do want to clarify something so I can have a certain directive/expectation in my head.

 

Ill choose one of my Static ips as an example.

 

My Linux Email Server was set statically to a x.x.121.180 Address and its only used Ports were SMTP, SSH and 993. 

Am I to assume that your suggestion would cause me to now set the Linux Email to, let’s say, 192.168.2.2 and on the 5508 I create a NAT Rule which then translates incoming connection from any IP directed to x.x.121.180 [which by default uses x.x.121.182] ‘outside’ Interface to redirect to ‘block’ address 192.168.2.2?

Before I get to into it I want to make sure this is the correct method.

Now that I think about it, does NAT even have anything to do with Ports? NAT is just saying this address goes to this. Port Forwarding is for Ports or in my case being that each device will have its own ip, I’d just set ACLs to allow specific ports. Hopefully I am right

 

I know my learning approach is a bit off but it is how I learn.. I’ve gotten to the point where I can erase and configure that 891f without a single guide but this 5508 has sent me to a whole different place. 

 

I appreciate your intention to use the same approach in the 5508 that you used in the 891. And I am glad that you realize that we will need to use a different approach on the 5508. I agree with you that when we learn something new that it is a success.

 

You are certainly on the right track about the 5508. A few things might need to be clarified. The config of the outside interface looks good as is. You will need to configure an inside interface. It could certainly be G1/3 as you suggest or it might be G1/2. Depending on where you will manage the ASA (ASDM) from it may not be helpful to maintain both G1/2 and G1/3. On the inside interface I would suggest not using DHCP. Just hard code the servers with the appropriate inside address (192.168.2.180 for example), mask, and gateway. To help with consistency in configuration, management, and troubleshooting I would suggest making the number in the fourth octet in the private subnet match the fourth octet of the corresponding address in the public subnet.

 

You were lucky that on the 891 you did not need NAT. On the ASA you will need NAT. Most discussion and examples of NAT on ASA focus primarily on dynamic NAT. What you need will be static NAT (to establish a one to one relationship between inside/private and outside/public IP addresses). You can specify port numbers in the translation if you want to be very specific (and if you did that on 891 you will likely want to do it on ASA as well). In some sense port forwarding is just NAT with the specification of protocol and port numbers. So if you want to think of this as static port forwarding that would be ok.

 

You are right that the 5508 is quite different from the 891. You have a learning curve to become familiar with the ASA. I expect that one of these days you will be as familiar with 5508 as you are with 891.

 

HTH

 

Rick

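The layout Rick describes in his last two replies (PPPoE on G1/1, a private subnet on an inside interface, static one-to-one NAT per server, and port-specific inbound rules), written out as a complete ASA 9.x configuration fragment. This is an added example, not configuration from the thread or from Cisco's documentation. It assumes ASA 8.3+ NAT syntax, that the ISP routes the whole /29 to the PPPoE session (as it evidently did for the 891), and it uses the RFC 5737 documentation range 203.0.113.176/29 in place of the real public block, so 203.0.113.182 stands for the negotiated gateway and 203.0.113.180 for the mail server's public address. The VPDN group name `isp`, the credentials, the interface name `block`, and the object names are placeholders.

```cisco
! Added example (not from the thread): static one-to-one NAT on an ASA 5508-X,
! ASA 8.3+ NAT syntax. 203.0.113.176/29 is a documentation-range stand-in for
! the real public block; "isp", ISP-USER and ISP-PASS are placeholders.

! Outside: PPPoE, address negotiated by IPCP (the .182 gateway address).
! "setroute" installs the default route learned over the PPP session, so no
! manual "route outside 0 0 ..." is needed.
vpdn group isp request dialout pppoe
vpdn group isp ppp authentication pap
vpdn group isp localname ISP-USER
vpdn username ISP-USER password ISP-PASS
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group isp
 ip address pppoe setroute
!
! Inside: private subnet, no DHCP pool. Servers are addressed statically with
! the same fourth octet as the public address they map to (.180 <-> .180).
! G1/2 (the existing ASDM/management interface) is left untouched.
interface GigabitEthernet1/3
 nameif block
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Mail server: real 192.168.2.180 <-> mapped 203.0.113.180.
! Static object NAT is bidirectional: outbound traffic from the server leaves
! sourced as 203.0.113.180, and inbound traffic to 203.0.113.180 is translated
! to 192.168.2.180. No translation for other hosts is created by this.
object network mail-server
 host 192.168.2.180
 nat (block,outside) static 203.0.113.180
!
! Spare test box on the spare public address (.178), same pattern.
object network test-box
 host 192.168.2.178
 nat (block,outside) static 203.0.113.178
!
! Inbound policy. With 8.3+ NAT, an ACL applied to "outside" matches on the
! REAL (inside) address, not the mapped public one. Only the listed ports are
! opened; everything else inbound hits the implicit deny.
object-group service MAIL-SERVER-PORTS tcp
 port-object eq smtp
 port-object eq ssh
 port-object eq 993
!
access-list OUTSIDE-IN extended permit tcp any object mail-server object-group MAIL-SERVER-PORTS
access-list OUTSIDE-IN extended permit tcp any object test-box eq ssh
access-group OUTSIDE-IN in interface outside
!
! Outbound (block -> outside) needs no ACL: traffic from a higher-security
! interface to a lower-security one is permitted by default.
```

Two checks worth running before pointing a real server at it: `show nat detail` should list both static translations, and `packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.180 25` walks an inbound SMTP packet through the NAT and ACL phases and reports where it would be dropped. One caveat relevant to the earlier ping test: an inside host cannot ping the ASA's own outside interface address, because the ASA only answers pings to the interface the host sits directly behind; test reachability with packet-tracer or against a host beyond the ASA instead.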

This really all makes sense, what a relief. I understand more about the NAT approach. It is a shame I was able to bypass it previously because it makes this that much more intense, which I do welcome.

 

Alright. The reason I keep saying 1/3 is because 1/2 is already set up as the Management Interface that I use for ASDM and did not want to eliminate that... I assume in the future I can change it to whatever and what not, but I'll leave that be, so that is why I am beginning with 1/3.

So for Interface 1/3 [block] I just enable it and set it statically to 192.168.2.1 (as the Gateway for the subnet of 192.168.2.x) and as you brilliantly mention will make the Linux Email 192.168.2.180 in respect to its legitimate outside .180 IP address. Also you mention do not create a DHCP Pool at all for it... 

I can easily do this no problem. I believe last night I did so for fun but did have a pool of 192.168.2.2-192.168.2.5 but will refrain from that tonight. 

On the inside Interface [block] do I need to enable the ip route to the ‘outside’ Interface for them to communicate or is this something completely different. I ask because I recall on the 891 I had to set up a route manually.. 

Once I get my Email to configure as the .180 I will see if I can ping the 192.168.2.1 and then I can look into NAT. 

 

Maybe what I will do is begin using a spare IP (x.x.121.178) on a spare Linux machine and just get outgoing web access and incoming SSH to test all of this, instead of taking down my email server while I “explore”.