01-06-2009 08:45 AM - edited 03-06-2019 03:16 AM
I am planning 3 VLANs on my Cisco 2960 switch to serve our LAN and 2 other customers. We have one ISP with a /27. I would like to have Public IP 1 for our LAN, Public IP 2 for VLAN2 and Public IP 3 for VLAN3.
Topology ASA5510 > Router > L2 Switch.
How do I configure the ASA to handle these requirements and also have the hosts use their current subnets to access the internet?
01-06-2009 09:15 AM
Kurt
Could you explain exactly what you want the ASA to do in terms of IP addresses. It is relatively easy to have 1 public IP per vlan to hide all the addresses behind when they go out to the Internet, but it's not clear if you need to present internal servers on the vlans to the Internet so people can access them from outside.
Jon
01-06-2009 09:32 AM
Hi Jon,
Yes, there are internal servers on the VLANs that need to be accessed from the outside. For example, on one VLAN several ports, including 80, 25, 443 etc., need to be forwarded to one server. It's a help desk system.
Those same ports are used on the native vlan as well.
Thanks
01-06-2009 09:39 AM
Kurt
Sorry, one more quick question. Do you want to just allocate:
1 public IP per customer for both internal to external and external to internal
1 public per customer for external and 1 public per customer for internal - so for the external to internal access you would use port redirection, i.e. one IP address for multiple server(s)/port(s)
1 public for internal to external per customer
1 public per internal server you want to present.
If you could give the server details and how you want to allocate addresses, I should be able to provide a config.
Jon
01-06-2009 10:15 AM
Here is what I have already tried in the past but it didn't work.
ASA relevant config:
name 192.168.1.101 OOPS_Server
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.110 255.255.255.240
object-group service OOPS_tcp tcp
 description TCP ports forwarded to OOPS 192.168.1.101
 port-object eq smtp
 port-object eq www
 port-object eq 439
 port-object eq https
 port-object eq 995
 port-object eq 740
 port-object eq 741
 port-object eq 5900
 port-object eq 4556
 port-object eq 873
 port-object range 53101 53109
access-list from-outside extended permit tcp any host x.x.x.102 object-group OOPS_tcp
static (inside,Outside) x.x.x.102 OOPS_Server netmask 255.255.255.255
route inside 192.168.1.0 255.255.255.0 10.1.10.2   <<< Address of Cisco Router which is directly connected to VLAN
The internal OOPS_Server also has to send alert emails out so it needs to be natted on the way out to .102. I'm not sure how to get that NAT to work.
Will this require another global (outside) address?
The router is an 1811W and will have a trunk link to the switch and I will configure the VLAN interface to be the default gateway of the internal VLAN subnet.
Can you tell me if I'm missing something here?
-Kurt
01-06-2009 10:35 AM
Kurt
Which bit didn't work?
"The internal OOPS_Server also has to send alert emails out so it needs to be natted on the way out to .102. I'm not sure how to get that NAT to work."
No, the statement
static (inside,Outside) x.x.x.102 OOPS_Server netmask 255.255.255.255
works both ways so any traffic leaving the OOPS_Server should be presented as x.x.x.102 when it goes out.
If you could detail which bits don't work from the above config. Also, do you know which address the OOPS_Server is going out as?
Finally, can you post the rest of the config on the ASA, or at least the rest of the NAT config, as there may be a conflict within your NAT setup.
Jon
01-06-2009 01:30 PM
Hi Jon,
The part that didn't work was that when calling up the web page via a browser that points to *.102, I got timeouts and I didn't see the traffic hitting the interface. So I'm wondering how to get that to work.
I am trying to hit it via an internal network, 10.1.1.0/24. DNS says to connect via 72.54.2.102. It is currently behind its own router, but that router is an old Linksys that is slowly dying, and it works fine in this way.
Attached is the relevant config for the ASA and the router.
01-07-2009 11:56 AM
Hi Jon,
Any more advice for me?
01-07-2009 12:07 PM
Kurt
My sincere apologies, I missed your update.
Just to clarify, what is the source IP address you are trying to connect to .102 from?
Jon
01-07-2009 12:32 PM
Both from the internet and internally from 10.1.1.x.
01-07-2009 12:39 PM
Kurt
"The part that didn't work was that when calling up the web page via a browser that points to *.102, I got timeouts and I didn't see the traffic hitting the interface. So I'm wondering how to get that to work. "
What happens if you try and connect internally not using the public address but the private address?
Also, when you try from the Internet, does it work or not? I'm sure we can get this working; I'm just not clear exactly which bits work, which don't and what you want.
Jon
01-07-2009 01:06 PM
To be honest, I'm not sure if it works from the internet or not as I wasn't able to test. But when I tried this last time, going directly to the site internally via its public DNS address of .102, it didn't work. I think it has something to do with the traffic going out the same interface it's trying to come back in on. It seems we need to set up hairpinning, which I'm not sure how to do.
Does my config look good so far for accessing the site externally?
-Kurt
01-07-2009 01:10 PM
Kurt
Your config for external access looks fine to me, which is why I'm slightly confused.
I think if you are trying to access internally you do indeed need to set up hairpinning / DNS doctoring. I'm attaching a link to a doc that shows how to set that up -
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
If there is anything else I can help with please come back, as I don't feel I'm helping that much at the moment.
Jon
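As an added example (not from the thread or the linked Cisco document), here is what the two options Jon names look like in the pre-8.3 NAT syntax that Kurt's posted config already uses, reusing the addresses from the thread. DNS doctoring rewrites the A record for x.x.x.102 in DNS replies that pass through the ASA, so 10.1.1.x hosts connect to 192.168.1.101 directly; hairpin NAT instead lets them keep using the public address. The access-group binding and the nat/global lines are assumptions, since only part of the config is on the page.

```text
! Constructed example, pre-8.3 ASA syntax. Addresses come from the thread;
! everything the thread does not show (access-group, nat/global) is assumed.
name 192.168.1.101 OOPS_Server

! Bind the ACL Kurt posted; without this, inbound traffic to the static is dropped.
access-group from-outside in interface Outside

! Option 1: DNS doctoring. The trailing "dns" keyword makes the ASA rewrite
! x.x.x.102 -> 192.168.1.101 in DNS replies it inspects, so inside hosts resolve
! the public name to the private address and never hairpin at all.
! Caveat: only works when the DNS reply actually crosses the ASA (an external
! resolver); an internal DNS server answering 10.1.1.x hosts is never rewritten.
static (inside,Outside) x.x.x.102 OOPS_Server netmask 255.255.255.255 dns
! DNS inspection must be on for the rewrite to happen (default policy shown).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Option 2: hairpin NAT, for clients that must use x.x.x.102. Traffic from
! 10.1.1.x enters and leaves the same inside interface, which is off by default.
same-security-traffic permit intra-interface
! Present the server at its public address to hosts arriving on inside.
static (inside,inside) x.x.x.102 OOPS_Server netmask 255.255.255.255
! Hide the 10.1.1.x clients behind the ASA's inside address so the server's
! replies come back through the ASA instead of going straight to the client
! via the router. NAT id 1 is assumed to be the same id already used with
! "global (Outside) 1 ..." for normal Internet access.
global (inside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
```

Either option on its own resolves the timeouts Kurt describes for internal clients; external clients only need the original static, the ACL and its access-group binding.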