handgunowner
NAT'ing on two WAN interfaces with VPN
I'm having a NAT problem with an ASA5510 (v7.1(2)).
Currently there is one T1 which hits a router and is then connected to the ASA. I set it up a year ago and it's been working fine.
The outside address is 67.x.x.228 and is a target for several VPN clients.
The current static route is 'route outside 0.0.0.0 0.0.0.0 67.x.x.225 1'
The current NAT commands are:
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
There is no DMZ
The only access-list is 'access-list inside_nat0_outbound extended permit ip any 10.80.104.0 255.255.255.0' (these internal numbers are the VPN pool addresses)
All of this works well. Standard Stuff. The VPN is a split tunnel and works OK too.
Now they added a cable line, want to move all traffic (except MX) to the new interface, and keep the VPN and outbound MX traffic on the original interface. The new line has a gateway address of 75.x.x.22 (IP and gateway numbers given to me by Comcast)
Note: Their email is hosted off-site on an Exchange Server IP 207.x.x.x
So:
I created another outside interface called 'outside_comcast' with a security level of 5 and an IP of 75.x.x.21
I changed the old static route to 'route outside 207.x.x.x 255.255.255.255 67.x.x.225' (static route to MX server thru old interface)
I created a new static route 'route outside_comcast 0.0.0.0 0.0.0.0 75.x.x.22' (default route now on new line)
I tweaked the old NAT command to 'nat (inside) 10 207.x.x.152 255.255.255.255' (10 is a single address (outside interface) pool)
I created a new NAT command to 'nat (inside) 11 0.0.0.0 0.0.0.0' (11 is a single address (outside_comcast interface) pool)
I have a 'global (outside_comcast) 11 interface' command
My relevant commands look like this now:
global (outside) 10 interface
global (Outside_Comcast) 11 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 11 0.0.0.0 0.0.0.0
nat (inside) 10 207.5.72.153 255.255.255.255
route outside 207.x.x.153 255.255.255.255 67.132.35.255
route Outside_Comcast 0.0.0.0 0.0.0.0 75.x.x.22 1
Result:
Internet, etc works fine. MX clients can sync up. All good.
But I lose VPN. It's like the 'outside' interface no longer exists. I don't think it's VPN config, cuz I can no longer ping the 'outside' interface (from the outside) and I could before the change. I can ping it from the ASA, and I can 'extended ping' from that 'outside' interface to the MX server.
I've tried a lot of tweaks, but I'm missing something basic in NAT'ing.
ASKER
I only want to do inbound VPN (and outbound MX) on this interface. So what would be the routing solution?
ASKER
I discovered this today by playing with an extra ASA I had here. The freakin' ASA doesn't have the policy routing support your average PIX has. I'm going to contact Cisco and see if I can get a workaround. Thanx
This doesn't serve any purpose.
No, the outside interface no longer exists - because you have no routing on it anymore. It only knows how to "talk" to the MX, nothing else.
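A small model of the symptom in the question and the reply above, added here and not code from the thread or from Cisco: with no policy routing, the ASA picks the egress interface for a reply purely by destination lookup, so a reply to a VPN client (or a ping) that arrived on 'outside' is sent out Outside_Comcast once the default route moves there. The route lines are the question's, with the masked octets replaced by constructed RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the question (RFC 5737
# documentation ranges); the route shape is the one posted after the change.
ASA_ROUTES_AFTER = """
route outside 203.0.113.153 255.255.255.255 198.51.100.225
route Outside_Comcast 0.0.0.0 0.0.0.0 192.0.2.22 1
"""
# The single-WAN table from before the change, for comparison.
ASA_ROUTES_BEFORE = "route outside 0.0.0.0 0.0.0.0 198.51.100.225 1"


def parse_routes(config):
    """Parse ASA static routes 'route <iface> <net> <mask> <gw> [metric]'."""
    table = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, gw = parts[1:5]
        table.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
    return table


def lookup(table, dst):
    """Destination-only longest-prefix match, which is all the ASA does without PBR."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return None if best is None else (best[0], best[2])


def reply_path(config, ingress_iface, peer_ip):
    """For a packet that arrived on ingress_iface from peer_ip, return the
    interface the reply leaves on and whether the flow is symmetric."""
    hit = lookup(parse_routes(config), peer_ip)
    egress = hit[0] if hit else None
    return egress, egress == ingress_iface


if __name__ == "__main__":
    # A VPN client (or a ping) reaching the T1 'outside' address after the change
    print(reply_path(ASA_ROUTES_AFTER, "outside", "203.0.113.77"))
    # The same peer with the old single-WAN table, then the MX host after the change
    print(reply_path(ASA_ROUTES_BEFORE, "outside", "203.0.113.77"))
    print(reply_path(ASA_ROUTES_AFTER, "outside", "203.0.113.153"))
```

Only the /32 to the MX host still returns symmetrically over 'outside'; every other peer that reaches that interface gets its reply pushed out the Comcast side, which is why the interface looks dead from the Internet while local pings from the ASA still work.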