ASA5515-x config confusion

flintmedia
Level 1

Hello, 

I'm wondering if anyone could help me out with my config of a Cisco ASA 5515-X.

Background:
Range: 94.136.40.0/24
Gateway: 94.136.40.254
Requirements: VPN, failover redundancy.
Servers behind firewall (inside) will be configured with the gateway IP of interface 1, which using static routes the firewall will pass to the outside interface and off to the upstream provider.

I'm attempting to setup the ASA in the following way:

GigabitEthernet 0/0
Outside
94.136.40.253 255.255.255.0

GigabitEthernet 0/1
Inside
94.136.40.1 255.255.255.0

A server on inside network:
IP: 94.136.40.5 255.255.255.0
Gateway: 94.136.40.1

I cannot do this because "the ip address cannot overlap with the subnet on interface"

My question is, how does one go about configuring the firewall addresses if you only have one range?
We have another setup in another DC which was set up by someone else; the only way this was able to work was to use NAT, so the inside interface is known as 192.168.0.1, which is set as the gateway for all servers behind the firewall. Using static routes this goes out to our upstream provider's gateway (94.136.39.254). All servers behind the firewall have to have private addresses in the 192.168.0.0/24 range for this to work. The outside interface on this setup is 94.136.39.2, which we use as an endpoint for VPNs.
We would rather not use NAT in this setup and would rather have the public addresses on the servers. 

I've tried setting the firewall to transparent mode which worked great, then I realised VPNs were not available due to the lack of IP on the firewall interface. 

Any help or pointers greatly appreciated. Please let me know if more info can be provided.


7 Replies

johnd2310
Level 8

Hi


You could subnet your ip address range into two networks and configure your firewall as follows:

GigabitEthernet 0/1
Inside
94.136.40.1 255.255.255.128

GigabitEthernet 0/0
Outside
94.136.40.253 255.255.255.128

A server on inside network:
IP: 94.136.40.5 255.255.255.128
Gateway: 94.136.40.1

Thanks

John

**Please rate posts you find helpful**

Hello, 

Thanks for your response, much appreciated. I hadn't thought of doing it that way.

From what I understand that would cut my usable addresses in half, so I'd really end up with 128 public addresses. 

Further discussions with friends during the evening have led me down the path of it being a choice: if I want public IPs directly on the servers I need to configure the firewall in transparent mode. If I want to use VPNs (site to site and remote access) I need to configure it in routed mode, using private IPs on the servers and NAT. 

If this is incorrect please correct me!

Cheers
Luke

Hi,

You could talk to your provider and get a /30 for the Outside and then you can use the whole 94.136.40.0/24 for the inside.


Thanks

John

**Please rate posts you find helpful**

Hi John, 

Many thanks for helping me with this, I have gone for the NAT option. 
Would you mind if I asked you a question regarding routing?

In our other setup we have routing configured as:
Interface: Outside,
IP/subnet: 0.0.0.0 / 0.0.0.0 ,
Gateway IP: 94.136.40.254

As I understand it this will work fine while I have one range going through the firewall, but when I come to adding another later the routing for the other range will not work correctly as everything will be sent through 94.136.40.254

Could you tell me what I should do with the routing as I don't seem to be able to get it right. If I change the IP and subnet to the NAT addresses (192.168.10.0/24) and use this gateway it says 'route already exists', if I put the outside range in here (94.136.40.0/24) it says 'route already exists'.
Do I need routing?

I know this is outside of the scope of the original question but you seem knowledgeable so thought why not ask!

Any help appreciated.

Thanks
Luke


Hi,


I am not clear about your question. What range are you adding and what routing are you looking at configuring? A topology diagram could help?


Thanks


John

**Please rate posts you find helpful**

Hi John,

If I could draw I would!

I'll explain my setup as best I can:

Routed mode - failover (eventually)
Inside interface IP: 192.168.1.1
Outside interface IP: 94.136.40.1

NAT rules are entered so:
192.168.1.2 = 94.136.40.2 
192.168.1.3 = 94.136.40.2

Should I use a static route, or is this only used when multiple ranges are in use?
I have another setup which was set up by someone else; this has an outside route configured:
outside 0.0.0.0 0.0.0.0 94.137.40.1 (the gateway for this setup)


If I should use a static route could you help my understanding as to what this route would do?
I've tried configuring it as follows (ASDM):
interface:
outside
IP: 192.168.1.0
Subnet: 255.255.255.0
Gateway: 94.136.40.1
(error route exists)
and
Interface: outside
IP: 94.136.40.0
Subnet: 255.255.255.0
Gateway: 94.136.40.1
(error route exists)

However, if I add the route as:
Interface: outside
IP: 0.0.0.0
Subnet: 0.0.0.0
Gateway: 94.136.40.1

This works. 

I don't understand why. In my mind I should be able to add one of the other two which I have tried, I'd rather not have any4 as the route because when I come to add another range / interface in a year or so the routing would be incorrect for the new range. 

Am I barking up the wrong tree? 

Please let me know if I can provide any further info, if there is an easy way to draw a topology using a website I will happily provide this.

Many thanks
Luke

Hi,

You should have the following config as a start:

Outside: 94.136.40.1 255.255.255.0

Inside: 192.168.1.1 255.255.255.0

Ip route 0.0.0.0 0.0.0.0 94.136.40.254 where 94.136.40.254 is your provider.

When you talk about adding another range in future, are you talking about another provider range? If so, then the provider will add a route for that range pointing to your device. Your ASA will always proxy ARP for the new range when you configure NAT. You do not have to add or remove routes.

Thanks

John

**Please rate posts you find helpful**
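As an added illustration of the routed-mode design John describes (not configuration from either poster), here is the equivalent ASA 9.x CLI. It assumes the interface names `outside`/`inside`, that the servers 192.168.1.2 and 192.168.1.3 are published as 94.136.40.2 and 94.136.40.3, and an ACL named `OUTSIDE-IN`; the provider gateway 94.136.40.254 is taken from the thread.

```cisco
! Added example, not from the thread. Assumed names/addresses noted in the lead-in.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 94.136.40.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route toward the provider. The ASA already installs connected routes for
! 94.136.40.0/24 and 192.168.1.0/24 from the interface addresses above, which is
! why a static route for either prefix is rejected with "route already exists".
route outside 0.0.0.0 0.0.0.0 94.136.40.254 1
!
! One-to-one static NAT per published server. The ASA answers ARP on the outside
! interface for each mapped address (proxy ARP), so no extra routes are needed
! on the ASA; a later provider range is simply routed by the provider to 94.136.40.1
! and published the same way.
object network SRV-A
 host 192.168.1.2
 nat (inside,outside) static 94.136.40.2
!
object network SRV-B
 host 192.168.1.3
 nat (inside,outside) static 94.136.40.3
!
! Inbound policy references the real (inside) address on ASA 8.3+ and permits only
! the services actually published; everything else inbound is dropped by default.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.2 eq 443
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.3 eq 443
access-group OUTSIDE-IN in interface outside
```

Verify with `show route` (only the two connected routes plus the default should appear) and `show nat detail` (translation hit counts per object).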