ASA 5510 2 public IP blocks

wesallen
I have an ASA 5510 with the Security Plus License so I have five ports that I can use.  My design is as follows:
 
Internet
    |
Router
    |
ASA5510 --- DMZ
    |
Internal LAN

We just received another block of public IP addresses and I am trying to figure out how to set the ASA up to handle this. I know I could do subinterfaces, but I do not currently have a switch to do this and I need this by tomorrow, so I can't get one ordered. What I did was assign one of the new public IP addresses to one of the other ports on the ASA and create the correct ACL to allow my inbound traffic and outbound traffic to my servers internally. I also allowed pings to my new interface and set it at the same security level as the other outside interface. I can ping from this interface to my router, but I cannot ping from the router to this interface. If I hook a laptop up between the router and ASA, I can ping the ASA just fine on that external port. I also cannot access my servers that I am NATing using the new public IP. Any help would be appreciated. Below are my router and ASA configs. The 70 block is my new public IP. Everything works fine to my old IP blocks. Any suggestions?

Router
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname contcem
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip name-server 151.164.14.xxx
ip name-server 151.164.1.xxx
!
!
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
!
interface MFR0
 description
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 frame-relay multilink bid test
 frame-relay lmi-type ansi
!
interface MFR0.671 point-to-point
 description WAN to Internet Service
 ip address 151.164.16.xxx 255.255.255.252
 no cdp enable
 frame-relay interface-dlci 671 IETF
!
interface FastEthernet0/0
 description Ethernet to Network
 ip address 70.xxx.xxx.49 255.255.255.xxx secondary
 ip address 67.67.99.xxx 255.255.255.xxx
 duplex auto
 speed auto
!
interface Serial0/0:0
 description Circuit ID: 43.YHGP.000496.001
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
 frame-relay multilink lid link1
!
interface Serial0/1:0
 description Circuit ID:
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
 frame-relay multilink lid link2
!
no ip forward-protocol nd
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 151.164.16.xxx
!
no ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
!
dial-peer cor custom
!
!
line con 0

 login
line aux 0
 transport input all
 flowcontrol hardware
line vty 0 4

 login
!
!
end

ASA 5510

ASA Version 7.2(2)
!
hostname ASAxxx
domain-name xxxxx
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.xxx.xxx.86 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.xxx.xxx 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.xxx.1 255.255.255.0
!
interface Ethernet0/3
 nameif outside2
 security-level 0
 ip address 70.xxx.xxx.62 255.255.255.240
!
interface Management0/0
 nameif Contractor_Net
 security-level 5
 ip address 192.168.xxx.1 255.255.255.0
!
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxx.com
same-security-traffic permit inter-interface
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq smtp
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq ftp
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq https
access-list inside_in extended deny tcp any any eq www
access-list inside_in extended deny tcp any any eq ftp
access-list inside_in extended deny tcp any any eq https
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq smtp
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq https
access-list outside_in extended permit tcp any host 67.xxx.xxx.82 eq 8093
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended deny ip any any
access-list csc extended permit ip any any
access-list outside2_access_in extended permit tcp any host 70.xxx.xxx.50 eq https
access-list outside2_access_in extended permit icmp any any echo-reply
access-list outside2_access_in extended permit icmp any any time-exceeded
access-list outside2_access_in extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu outside2 1500
mtu Contractor_Net 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface outside2
monitor-interface Contractor_Net
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 67.xxx.xxx.84 netmask 255.255.255.255
global (dmz) 1 interface
nat (inside) 2 192.168.xxx.3 255.255.255.255
nat (inside) 1 192.168.xxx.0 255.255.255.0
nat (dmz) 1 192.168.xx2.0 255.255.255.0
static (inside,outside) tcp 67.xxx.xxx.84 smtp 192.168.xxx.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.xxx.xxx.84 https 192.168.xxx.2 https netmask 255.255.255.255
static (dmz,outside) tcp 67.xxx.xxx.82 80xx 192.168.xxx.6 80xx netmask 255.255.255.255
static (inside,outside2) tcp 70.xxx.xxx.50 https 192.168.xxx.4 https netmask 255.255.255.255
static (inside,dmz) 192.168.xxx.6 192.168.xxx.6 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 1
route inside 192.168.xxx.19 255.255.255.255 192.168.xxx.2 1
route inside 192.168.xxx.18 255.255.255.255 192.168.xxx.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CCCRADIUS protocol radius
http server enable
http 192.168.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx-xxxxx Contractor_Net
!
!
class-map csc-scanning
 match access-list csc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns dns_map
 parameters
  message-length maximum 1500
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
  inspect esmtp
  inspect dns dns_map
!
service-policy asa_global_fw_policy global
ntp authentication-key 10 md5 *
ntp authenticate
ntp trusted-key 10
ntp server 192.168.xxx.xxx key 10 source inside
tftp-server inside 192.168.xxx.xxx /asaconfig.txt
ssl encryption des-sha1 rc4-md5
prompt hostname context
asdm image disk0:/asdm522.bin
no asdm history enable



If you're wanting to use the new 70.x.x.x block of public IPs, instead of assigning them to another interface on the ASA, just use them in static statements and associate them with your existing outside interface. I think that this is your problem. I discovered about 6 months ago that the ASA (and the PIX for that matter) can perform proxy ARP on an interface for a different subnet than what is assigned to that interface. This means that you can have a configuration like below and get it to work (assuming your ISP is routing the new block of addresses to your perimeter router correctly):

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.xxx.xxx.86 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.xxx.xxx 255.255.255.0

static (inside,outside) tcp 67.xxx.xxx.84 smtp 192.168.xxx.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.xxx.xxx.84 https 192.168.xxx.2 https netmask 255.255.255.255
static (inside,outside) tcp 70.xxx.xxx.50 https 192.168.xxx.4 https netmask 255.255.255.255

That should work just fine (along with the associated ACL statements to allow the traffic inbound to your servers).

Give it a try...
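The answer above rests on two things lining up: each static on the existing outside interface needs a matching permit in the ACL bound to that interface, and a mapped address outside the interface's own subnet only works because the ASA proxy-ARPs for it and the upstream router has a route or secondary address for that block. Both can be checked mechanically before touching the box. The script below is an added example written for this thread, not code from the thread or from Cisco: it parses pre-8.3 ASA `interface`, `access-list`, `access-group` and `static` lines, evaluates the inbound ACL first-match for each static's mapped address and port, and flags mapped addresses that fall outside the mapped interface's subnet. The sample config is constructed, using RFC 5737 documentation addresses (203.0.113.80/29 in place of the original 67 block, 198.51.100.0/24 in place of the new 70 block); parsing covers only the command forms that appear in this thread.

```python
"""Cross-check pre-8.3 ASA statics against the inbound ACL on the mapped
interface and flag mapped addresses outside that interface's subnet.
Added example for this thread; not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed sample in the thread's layout (RFC 5737 addresses).  The last
# static is for the new block and has no matching permit in outside_in.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.86 255.255.255.248
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.84 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.84 eq https
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any
static (inside,outside) tcp 203.0.113.84 smtp 192.168.10.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.84 https 192.168.10.2 https netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.50 https 192.168.10.4 https netmask 255.255.255.255
access-group outside_in in interface outside
"""

PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "https": 443}
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (.*?) netmask ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_number(tok):
    """'https' -> 443, '8093' -> 8093, None -> None (any port)."""
    if tok is None:
        return None
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)


def parse_addr(toks, i):
    """Consume one ACL address spec (any | host A | A M) starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_config(text):
    ifaces, acls, groups, statics, cur = {}, {}, {}, [], {}
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = {}                                   # start a new interface block
        elif line.startswith(" nameif "):
            ifaces[line.split()[1]] = cur              # key the block by its nameif
        elif line.startswith(" ip address "):
            addr, mask = line.split()[2:4]
            cur["net"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif (m := ACL_RE.match(line)):
            name, action, proto, rest = m.groups()
            toks = rest.split()
            src, i = parse_addr(toks, 0)
            dst, i = parse_addr(toks, i)
            # "eq <port>" is optional; ICMP entries carry a type name instead
            port = port_number(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
            acls.setdefault(name, []).append(dict(action=action, proto=proto, src=src, dst=dst, port=port))
        elif (m := STATIC_RE.match(line)):
            _, mapped_if, body = m.groups()
            toks = body.split()
            if toks[0] in ("tcp", "udp"):              # port-forward form: proto mapped mport real rport
                proto, mapped, mport = toks[0], toks[1], toks[2]
            else:                                      # one-to-one form: mapped real
                proto, mapped, mport = "ip", toks[0], None
            statics.append(dict(mapped_if=mapped_if, proto=proto,
                                mapped=ipaddress.ip_address(mapped), port=port_number(mport)))
        elif (m := GROUP_RE.match(line)):
            groups[m.group(2)] = m.group(1)            # interface -> ACL name
    return dict(ifaces=ifaces, acls=acls, groups=groups, statics=statics)


def acl_verdict(entries, proto, dst_ip, port):
    """First-match evaluation for inbound traffic to dst_ip:port over proto."""
    for e in entries:
        if e["proto"] not in ("ip", proto) or dst_ip not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        return e["action"]
    return "deny"   # implicit deny at the end of every ASA ACL, or no ACL bound


def audit(text):
    """One finding per static: inbound ACL verdict plus an off-subnet flag."""
    cfg = parse_config(text)
    findings = []
    for s in cfg["statics"]:
        net = cfg["ifaces"].get(s["mapped_if"], {}).get("net")
        acl = cfg["groups"].get(s["mapped_if"])
        verdict = acl_verdict(cfg["acls"].get(acl, []), s["proto"], s["mapped"], s["port"])
        findings.append(dict(mapped=str(s["mapped"]), port=s["port"], acl=acl, inbound=verdict,
                             off_subnet=net is not None and s["mapped"] not in net.network))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the sample, the two statics for 203.0.113.84 come back `inbound=permit` and on-subnet, while 198.51.100.50:443 comes back `inbound=deny` (nothing in `outside_in` permits it before the final deny) and `off_subnet=True`. The first finding is fixed by an `outside_in` permit for that host and port; the second is not a fault, it is the proxy-ARP arrangement the answer describes, and it only carries traffic once the upstream router has the secondary address or route for that block and the ISP is actually routing the block to that router, which is the question the answer ends on.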

Author

Commented:
I did try this and it does not seem to be working. Basically I disabled the outside2 interface and made it so the 70.xxx.xxx.50 is set up to be allowed just like my 67.xxx.xxx.84 addresses. After doing this I was still able to ping the router, but I am not able to get to the web server. My private IP 192.168.xxx.2 and my private IP 192.168.xxx.4 both actually point to the same network card on an ISA Server. The whole point of this is so that I can have OWA working to 2 different Exchange servers depending on the mailbox location. The main reason is that we do not have an Exchange front-end server. Do you have any other suggestions? Would it be better to get a switch, set up VLANs and then use subinterfaces on the ASA external port? Thanks for any help.

Before going that far, have you verified that your ISP is routing the new net block to your router correctly?

Author

Commented:
Actually I tried this last night and it did not work, but I tried this morning and it was working fine. Thanks a lot for your help. This is a much better way to do it than what I was trying before.

Good deal! Glad you got it working...
