I have an ASA 5510 with the Security Plus License so I have five ports that I can use. My design is as follows:
Internet
|
Router
|
ASA5510 DMZ -
|
Internal LAN
We just received another block of public IP addresses and I am trying to figure out how to set the ASA up to handle this. I know I could do subinterfaces but I do not currently have a switch to do this and I need this by tomorrow so I can't get one ordered. What I did was assign one of the new public IP addresses to one of the other ports on the ASA and create the correct ACL to allow my inbound traffic and outbound traffic to my servers internally. I also allowed pings to my new interface and set it at the same security level as the other outside interface. I can ping from this interface to my router but I cannot ping from the router to this interface. If I hook a laptop up between the router and ASA I can ping the ASA just fine on that external port. I also cannot access my servers that I am NATing using the new public IP. Any help would be appreciated. Below is my router and ASA config. The 70 block is my new public IP. Everything works fine to my old IP blocks. Any suggestions?
Router
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname contcem
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip name-server 151.164.14.xxx
ip name-server 151.164.1.xxx
!
!
controller T1 0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
!
interface MFR0
description
no ip address
encapsulation frame-relay IETF
no ip route-cache cef
frame-relay multilink bid test
frame-relay lmi-type ansi
!
interface MFR0.671 point-to-point
description WAN to Internet Service
ip address 151.164.16.xxx 255.255.255.252
no cdp enable
frame-relay interface-dlci 671 IETF
!
interface FastEthernet0/0
description Ethernet to Network
ip address 70.xxx.xxx.49 255.255.255.xxx secondary
ip address 67.67.99.xxx 255.255.255.xxx
duplex auto
speed auto
!
interface Serial0/0:0
description Circuit ID: 43.YHGP.000496.001
no ip address
encapsulation frame-relay MFR0
no arp frame-relay
frame-relay multilink lid link1
!
interface Serial0/1:0
description Circuit ID:
no ip address
encapsulation frame-relay MFR0
no arp frame-relay
frame-relay multilink lid link2
!
no ip forward-protocol nd
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 151.164.16.xxx
!
no ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
!
dial-peer cor custom
!
!
line con 0
login
line aux 0
transport input all
flowcontrol hardware
line vty 0 4
login
!
!
end
ASA 5510
ASA Version 7.2(2)
!
hostname ASAxxx
domain-name xxxxx
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 67.xxx.xxx.86 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.xxx.xxx 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.xxx.1 255.255.255.0
!
interface Ethernet0/3
nameif outside2
security-level 0
ip address 70.xxx.xxx.62 255.255.255.240
!
interface Management0/0
nameif Contractor_Net
security-level 5
ip address 192.168.xxx.1 255.255.255.0
!
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxx.com
same-security-traffic permit inter-interface
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq smtp
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq ftp
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq https
access-list inside_in extended deny tcp any any eq www
access-list inside_in extended deny tcp any any eq ftp
access-list inside_in extended deny tcp any any eq https
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq smtp
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq https
access-list outside_in extended permit tcp any host 67.xxx.xxx.82 eq 8093
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended deny ip any any
access-list csc extended permit ip any any
access-list outside2_access_in extended permit tcp any host 70.xxx.xxx.50 eq https
access-list outside2_access_in extended permit icmp any any echo-reply
access-list outside2_access_in extended permit icmp any any time-exceeded
access-list outside2_access_in extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu outside2 1500
mtu Contractor_Net 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface outside2
monitor-interface Contractor_Net
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 67.xxx.xxx.84 netmask 255.255.255.255
global (dmz) 1 interface
nat (inside) 2 192.168.xxx.3 255.255.255.255
nat (inside) 1 192.168.xxx.0 255.255.255.0
nat (dmz) 1 192.168.xx2.0 255.255.255.0
static (inside,outside) tcp 67.xxx.xxx.84 smtp 192.168.xxx.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.xxx.xxx.84 https 192.168.xxx.2 https netmask 255.255.255.255
static (dmz,outside) tcp 67.xxx.xxx.82 80xx 192.168.xxx.6 80xx netmask 255.255.255.255
static (inside,outside2) tcp 70.xxx.xxx.50 https 192.168.xxx.4 https netmask 255.255.255.255
static (inside,dmz) 192.168.xxx.6 192.168.xxx.6 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 1
route inside 192.168.xxx.19 255.255.255.255 192.168.xxx.2 1
route inside 192.168.xxx.18 255.255.255.255 192.168.xxx.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CCCRADIUS protocol radius
http server enable
http 192.168.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx-xxxxx Contractor_Net
!
!
class-map csc-scanning
match access-list csc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns dns_map
parameters
message-length maximum 1500
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
inspect esmtp
inspect dns dns_map
!
service-policy asa_global_fw_policy global
ntp authentication-key 10 md5 *
ntp authenticate
ntp trusted-key 10
ntp server 192.168.xxx.xxx key 10 source inside
tftp-server inside 192.168.xxx.xxx /asaconfig.txt
ssl encryption des-sha1 rc4-md5
prompt hostname context
asdm image disk0:/asdm522.bin
no asdm history enable
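An added example, not part of the original post and not Cisco code: a small Python consistency checker for the NAT, ACL and routing lines of an ASA 7.x configuration like the one above. When a second internet-facing interface is added, two things are worth verifying before anything else: that every inbound `static` on a security-level-0 interface is permitted by the ACL bound to that interface, and that the interface has at least one route bound to it, because an ASA picks the egress interface for replies by route lookup and the configuration above carries only one default route, on `outside`. The sample configuration is constructed from the posted lines with the poster's masked `xxx` octets kept as-is (addresses are compared as text, not parsed as IPs); the function names and the findings format are my own.

```python
"""Consistency checks over ASA 7.x NAT/ACL/routing lines.

Finds (a) internet-facing interfaces (security-level 0) that terminate an
inbound static but have no route bound to them, so replies to connections
arriving there are routed out some other interface, and (b) statics whose
mapped address is not permitted by the ACL applied inbound on the mapped
interface.  Assumed helper names; not Cisco's tooling.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the ASA config as posted.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
interface Ethernet0/3
 nameif outside2
 security-level 0
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq smtp
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq https
access-list outside_in extended permit tcp any host 67.xxx.xxx.82 eq 8093
access-list outside_in extended deny ip any any
access-list outside2_access_in extended permit tcp any host 70.xxx.xxx.50 eq https
static (inside,outside) tcp 67.xxx.xxx.84 smtp 192.168.xxx.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.xxx.xxx.84 https 192.168.xxx.2 https netmask 255.255.255.255
static (dmz,outside) tcp 67.xxx.xxx.82 80xx 192.168.xxx.6 80xx netmask 255.255.255.255
static (inside,outside2) tcp 70.xxx.xxx.50 https 192.168.xxx.4 https netmask 255.255.255.255
static (inside,dmz) 192.168.xxx.6 192.168.xxx.6 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 1
route inside 192.168.xxx.19 255.255.255.255 192.168.xxx.2 1
route inside 192.168.xxx.18 255.255.255.255 192.168.xxx.2 1
"""

# static (real_ifc,mapped_ifc) [tcp|udp mapped_ip mapped_port real_ip real_port | mapped_ip real_ip] netmask ...
STATIC_RE = re.compile(
    r"static \((\S+),(\S+)\) (?:(?:tcp|udp) (\S+) \S+ (\S+) \S+|(\S+) (\S+)) netmask")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def parse_asa(text):
    """Collect interfaces, statics, routes, permitted hosts per ACL and ACL bindings."""
    cfg = {"seclevel": {}, "statics": [], "routes": defaultdict(list),
           "permits": defaultdict(set), "bound": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            cfg["seclevel"][current] = int(line.split()[1])
        elif (m := STATIC_RE.match(line)):
            cfg["statics"].append({"real_ifc": m.group(1), "mapped_ifc": m.group(2),
                                   "mapped_ip": m.group(3) or m.group(5),
                                   "real_ip": m.group(4) or m.group(6)})
        elif (m := ROUTE_RE.match(line)):
            ifc, net, mask, gw = m.groups()
            cfg["routes"][ifc].append((net, mask, gw))
        elif line.startswith("access-list ") and " permit " in line:
            # Only the destination hosts matter here; 'any' sources carry no host token.
            cfg["permits"][line.split()[1]].update(re.findall(r"host (\S+)", line))
        elif (m := GROUP_RE.match(line)):
            cfg["bound"][m.group(2)] = m.group(1)
    return cfg


def unrouted_inbound_interfaces(cfg):
    """Security-level-0 interfaces that terminate a static but own no route."""
    inbound = {s["mapped_ifc"] for s in cfg["statics"]
               if cfg["seclevel"].get(s["mapped_ifc"]) == 0}
    return sorted(i for i in inbound if not cfg["routes"].get(i))


def statics_not_permitted(cfg):
    """Statics whose mapped address no permit line of the bound inbound ACL names."""
    findings = []
    for s in cfg["statics"]:
        acl = cfg["bound"].get(s["mapped_ifc"])
        if acl is not None and s["mapped_ip"] not in cfg["permits"][acl]:
            findings.append((s["mapped_ifc"], s["mapped_ip"]))
    return findings


def report(text):
    """Human-readable findings for a configuration dump."""
    cfg = parse_asa(text)
    lines = [f"interface {i}: inbound statics but no route bound to it"
             for i in unrouted_inbound_interfaces(cfg)]
    lines += [f"interface {i}: static for {ip} not permitted by inbound ACL"
              for i, ip in statics_not_permitted(cfg)]
    return lines or ["no findings"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the sample, the only finding is `outside2`: its ACL and static are consistent, but nothing in the routing table points out of it, which is exactly the condition to look at when a host behind a new public block answers a directly attached laptop yet is unreachable through the router.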