8731 Views, 64 Helpful, 31 Replies

Routing between VLANs

WezMorris40
Level 1

We run a small company network where everything runs on the native VLAN, but recently a second internet line and server were installed on a second VLAN.

Attached is a pic of the network setup and our current config.

Currently the orange VLAN (VLAN 30) has zero communication with the rest of the network. What steps would I need to take so that we could remote desktop to that server?

I can't see a way of getting the Inside and BT_DMZ interfaces to talk to each other.

Our end game is to eventually get the DMZ using the BT managed router and ditch the PIX entirely.

I'm a bit of a rookie when it comes to networking; most of what I've done is through the ASDM GUI, and even then most was guesswork.

Any help you could provide is much appreciated.

31 Replies

Not sure I follow, do I need to make a new sub interface on top of BT_Outside, and assign it to VLAN30 ?

Basically, my VLAN 30 server can ping the firewall interface on 10.20.3.2 but can't access the internet. Can't work out why.

Could I need to set up a static route between the BT_dmz and the BT_Outside interfaces?

No, no subinterface, the normal one should be perfect, like the other outside interface.

Regards Martin

Ok, that makes sense.

However, I still can't access the BT_Dmz from outside the firewall.

Any chance you could look at the attached config and see if I've missed something?

Quick update, the interface can't actually ping the server on the vlan and vice versa.

I'm thinking this may be a problem with connectivity between that interface and the VLAN itself. Can I just reuse the command that Jennifer suggested:

"static (bt_outside,bt-dmz) ??? 10.20.3.0 netmask 255.255.255.0" or something to that effect?

Sorry, didn't follow the last few posts, but to just summarise the design so far:

- You have moved the BT_Outside interface from the PIX to the ASA, and now you have 2 Outside interfaces on the ASA.

- 1 question: are you actually going to be using both Outside interfaces at the same time for load balancing? Or do you have specific things that you would like to route via 1 Outside interface and something else via the other Outside interface?

The reason why I ask is that on an ASA you cannot have 2 default gateways configured (not supported on the ASA). Since you have 2 Outside interfaces now, I am not sure if you are planning to use both at the same time. If not, then it's good.

OK, now coming back to your original question:

- You would like connectivity between BT_OUTSIDE and BT-DMZ. Are you actually connecting directly from the BT_OUTSIDE subnet, or from somewhere else? Are you going to access the BT-DMZ subnet with its private IP address, or would you like to perform NAT? If you are going to access the BT-DMZ private IP, then here is the static NAT statement:

static (bt_dmz,BT_Outside) 10.20.3.0 10.20.3.0 netmask 255.255.255.0

Ping should work for now as you have permit ping via ACL: BT_Outside_access_in. If you need further access, you have to allow that explicitly on ACL: BT_Outside_access_in.
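The configuration this reply describes, written out as an added example in ASA 8.2-era syntax (the syntax the thread's route_maps link refers to). It is not halijenn's or the thread's own config. The bt_dmz address 10.20.3.2, the 10.20.3.0/24 subnet and the web server 10.20.3.151 come from the thread; the BT_Outside address 192.0.2.2, its gateway 192.0.2.1, the Ethernet port numbers and the test source 198.51.100.7 are constructed placeholders. Because the static maps the subnet to itself, the inbound ACL can name the real addresses; the ACL permits only ICMP echo and HTTP rather than any/any, and the explicit deny is logged so that refused flows show up in syslog.

```cisco
! Added example, not the thread's own config. ASA 8.2-style syntax.
! Constructed values: BT_Outside 192.0.2.2/24, gateway 192.0.2.1, port numbers.
! 10.20.3.0/24, 10.20.3.2 and 10.20.3.151 come from the thread.
interface Ethernet0/2
 nameif BT_Outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Ethernet0/3
 nameif bt_dmz
 security-level 50
 ip address 10.20.3.2 255.255.255.0
!
! Identity static NAT: with nat-control enabled, the ASA will not build a
! connection from a lower to a higher security level without a translation,
! even when the addresses do not change. Mapping 10.20.3.0/24 to itself
! satisfies that requirement without hiding the hosts.
static (bt_dmz,BT_Outside) 10.20.3.0 10.20.3.0 netmask 255.255.255.0
!
! Inbound ACL on BT_Outside: only what the DMZ hosts actually serve.
! Pre-8.3 ACLs match the mapped address; with identity NAT mapped == real.
access-list BT_Outside_access_in extended permit icmp any 10.20.3.0 255.255.255.0 echo
access-list BT_Outside_access_in extended permit tcp any host 10.20.3.151 eq www
access-list BT_Outside_access_in extended deny ip any any log
access-group BT_Outside_access_in in interface BT_Outside
!
! Verify which rule and translation a flow hits before opening anything wider:
packet-tracer input BT_Outside tcp 198.51.100.7 40000 10.20.3.151 80
show xlate
```

The packet-tracer line is the quickest way to tell a NAT problem ("no translation group found") from an ACL problem (the DROP phase names the access-list); run it once per direction and per port before adding further permits.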

Hi,

No, I think he doesn't want to perform NAT; he wants to route the traffic originated from the BT DMZ VLAN to the BT line.

If so you should set up a Route Map for a defined subnet: see http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_maps.html

rgds Martin

That's exactly how you configure it when you don't want to NAT, ie: configure static NAT to itself which is a requirement on an ASA when traffic is initiated from low to high security level.

Secondly, route-map on ASA does not work the same way as route-map on router. Route-map on ASA is only used for redistribution, and it can't be used for PBR.

I don't want load balancing or anything, we just want servers to use a different internet connection to our PCs and phones.

halijenn wrote:

You would like connectivity between BT_OUTSIDE and BT-DMZ. Are you actually connecting directly from the BT_OUTSIDE subnet, or from somewhere else? Are you going to access the BT-DMZ subnet with its private IP address, or would you like to perform NAT? If you are going to access the BT-DMZ private IP, then here is the static NAT statement:

static (bt_dmz,BT_Outside) 10.20.3.0 10.20.3.0 netmask 255.255.255.0

Ping should work for now as you have permit ping via ACL: BT_Outside_access_in. If you need further access, you have to allow that explicitly on ACL: BT_Outside_access_in.

Sorry, not sure I follow. Basically I have a bunch of external IPs provided to me by the ISP and I want them to map directly to the internal IPs, i.e. xxx.xxx.82.151 -> 10.20.3.151.

VLAN 30 currently uses a PIX firewall for this role and I just want to phase out the PIX and just use the ASA for both purposes if possible.

Not supported.

If you have 2 internet connections, that means you will need to have 2 default gateways. ASA can't have 2 default gateways connected to 2 interfaces.

Really? So we can't even section off one connection as part of a separate VLAN?

Does that mean I'm stuck using a different physical router for each line? When I set up the second interface, I had set the administrative distance to 2 (the first 0.0.0.0 interface was 1). I had figured that as long as traffic was forced from the BT_dmz to that, the admin distance wouldn't matter.

I would have thought that the BT_dmz,BT_Outside nat rule you gave me would allow traffic to travel between those interfaces. If not, what does that actually do?

Since you require default gateways to both your outside interfaces as they are connected to 2 separate interfaces, and there are requirements to access both interfaces from the Internet, the answer unfortunately is NO, purely because of the requirements of 2 default gateways.

The problem is the ASA would not know which default gateway to send the traffic to, ie: whether it should be sent to the ISP 1 or ISP 2.

The NAT rule that I gave you provides a translation statement which is needed for traffic to flow from BT_Outside to BT_dmz and vice versa. Do you actually require access from the internet towards BT_dmz hosts? If you do, then you actually need to translate the private IP to a public IP. If not, are you actually trying to access the BT_dmz hosts just from hosts directly connected to the BT_Outside interface?

I only need access to and from those servers in terms of serving out websites.

I think we may have confused the issue a little bit, or at least I have. When you say the ASA can't have 2 default gateways, do you mean 2 gateways serving the same traffic? i.e. my local PC using both lines to surf out.

Can I not have 2 outside interfaces, have 1 as the default gateway for the inside network, and 1 for the VLAN30 Network? Or can the ASA not support 2 external lines full stop?

ASA does not support 2 external lines when you have to configure 2 default gateways. It doesn't matter even if you divide server access from the internet to use 1 internet connection and everything else to use the other internet connection because 2 default gateways can't exist at the same time.

Unless you know the route exactly through one of the ISPs, then instead of configuring a default gateway for 1 ISP, you configure a static route to point towards the ISP. However, if you are just routing out to the Internet, then you will not know the exact IP address/subnet on the Internet that you need to use for 1 ISP, hence from a routing point of view you need to configure a default gateway. However, 2 default gateways are not supported on an ASA; you will need a router and configure Policy Based Routing on the router to route the traffic accordingly. The ASA, being a security device, does not have the full functionality of a router unfortunately.

martin_knorre
Level 1

Hi,

the quick and dirty method now would be that you stick with your current standard and design.

But your problem is overall actually not a VLAN problem, because the ASA definitely has an access rule that blocks the traffic. And VLANs can only communicate with others over a Layer 3 instance like a router or firewall.

Another option would be that you redesign your network a bit.

Depending on how many workers are with you ;-) you can create subinterfaces for every VLAN, each with an IP address, on one interface of the ASA,

like this example:

Eth0/3.300 BT dmz
Eth0/3.40 DMZ
Eth0/3.10 clients
Eth0/3.20 server
Eth0/3.30 Voice

Connect this link with a trunk port of one switch with allowed VLANs for your purposes.

In that case you have only one inside interface into the campus at all and no native VLAN issues in future.

greetings

Martin
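Martin's router-on-a-stick layout, carried through as an added example in ASA 8.2-era syntax together with the routing and NAT points halijenn made earlier in the thread. This is not Martin's, halijenn's or the thread's own configuration. Subinterface numbers follow Martin's list (the .40 DMZ entry is omitted for brevity and follows the same pattern); the tags 10/20/50, the client, server and voice subnets 10.20.1.0/24, 10.20.2.0/24 and 10.20.5.0/24, the interface names Outside and clients, the gateway addresses 203.0.113.1 and 192.0.2.1, the test source 198.51.100.7 and the public address 192.0.2.151 (standing in for the thread's elided xxx.xxx.82.151) are all constructed. 10.20.3.0/24, 10.20.3.2 and 10.20.3.151 come from the thread, and the Outside and BT_Outside interfaces are assumed to be configured already.

```cisco
! Added example, not the thread's own config. ASA 8.2-style syntax.
! Constructed: VLAN tags 10/20/50, subnets 10.20.1/2/5.0/24, gateways
! 203.0.113.1 and 192.0.2.1, public address 192.0.2.151.
! From the thread: 10.20.3.0/24, 10.20.3.2, 10.20.3.151.

! --- ASA: one physical link, one 802.1Q subinterface per VLAN ---
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.10
 vlan 10
 nameif clients
 security-level 100
 ip address 10.20.1.1 255.255.255.0
!
interface Ethernet0/3.20
 vlan 20
 nameif server
 security-level 90
 ip address 10.20.2.1 255.255.255.0
!
interface Ethernet0/3.30
 vlan 50
 nameif voice
 security-level 80
 ip address 10.20.5.1 255.255.255.0
!
! The subinterface ID (.300) is only a name; the 802.1Q tag is set by "vlan".
interface Ethernet0/3.300
 vlan 30
 nameif bt_dmz
 security-level 50
 ip address 10.20.3.2 255.255.255.0
!
! --- Switch side (IOS), the port facing Ethernet0/3: carry only these VLANs
! and park the native VLAN on an unused ID so untagged frames go nowhere ---
! interface GigabitEthernet0/1
!  switchport mode trunk
!  switchport trunk allowed vlan 10,20,30,50
!  switchport trunk native vlan 999
!
! --- Routing: a single active default route ---
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! A second 0/0 on BT_Outside with a worse metric (what the OP tried) is only
! installed when the first one is withdrawn; it never carries traffic
! alongside it. The BT line serves only destinations you can name explicitly:
route BT_Outside 198.51.100.0 255.255.255.0 192.0.2.1 1
!
! --- Inbound to the VLAN 30 web server: 1:1 public-to-private static ---
! Pre-8.3 inbound ACLs match the mapped (public) address, not 10.20.3.151.
static (bt_dmz,BT_Outside) 192.0.2.151 10.20.3.151 netmask 255.255.255.255
access-list BT_Outside_access_in extended permit tcp any host 192.0.2.151 eq www
access-list BT_Outside_access_in extended deny ip any any log
access-group BT_Outside_access_in in interface BT_Outside
!
! --- RDP from the client VLAN (100) to the server (50): with nat-control,
! a high-to-low flow also needs a translation; identity-NAT the client subnet.
! No ACL is needed on "clients" for this direction, but an explicit one
! limiting it to 3389 is the safer default.
static (clients,bt_dmz) 10.20.1.0 10.20.1.0 netmask 255.255.255.0
access-list clients_access_in extended permit tcp 10.20.1.0 255.255.255.0 host 10.20.3.151 eq 3389
access-list clients_access_in extended permit ip 10.20.1.0 255.255.255.0 any
access-group clients_access_in in interface clients
!
! Check one flow in each direction before trusting the design:
packet-tracer input clients tcp 10.20.1.50 50000 10.20.3.151 3389
packet-tracer input BT_Outside tcp 198.51.100.7 40000 192.0.2.151 80
```

Two things the layout does not change: the VLAN 30 servers still reply to the internet through whichever interface the default route points at, so the BT line cannot be "their" default gateway on this platform (halijenn's point), and the reverse-path of the 1:1 static is the only piece that makes their public addresses reachable. Policy-based routing on the ASA itself only appeared in much later releases, so for the 8.2 code the thread is about, a router in front of the ASA remains the way to steer VLAN 30 out of the BT line.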

I think you're right about a slight redesign, though I've gotta keep the DMZ servers running so I can't pull everything out and try again.

I've attached a pic of what I think the new layout should be, and I think it should be fairly easy to implement. I don't think I would have to change any settings, now that I can RDP onto the VLAN servers. It's a guess anyway, feel free to tell me if I've got it all wrong.

Would it be possible to have only VLAN 30 serve out on the BT line with this new setup?

And if I wanted to move servers onto VLAN 30, would it just be a case of changing the subnet and changing which VLAN the port connects to?
