Solved

How do I configure a Cisco ASA 5510 with multiple subnets and multiple external IP addresses?

Posted on 2009-07-10
Last Modified: 2012-05-07
Ok,

Here is my problem. I have been a long-time Windows admin and have stumbled into Cisco as a job requirement when a Cisco ASA 5510 was bought at my new job. I am starting from scratch and have read all over the internet and Cisco's technical examples and configurations and have found nothing. What I need is each physical interface to be its own subnet, i.e.:

Ethernet0/0 would be the outside interface, but with multiple external static IP addresses brought in on fiber and handed off via Ethernet.

Ethernet0/1 would be the 10.10.8.0 subnet, with all traffic allowed out from the users and specified traffic NAT'd through to a specific server/servers from Ethernet0/0 to one, maybe two, external IPs for email, RDP, FTP, web VPN and a few other services.

Ethernet0/2 would be the 10.10.9.0 subnet, same thing as above.

And Ethernet0/3 would be 10.10.10.0, but this one would have 3 external IPs from Ethernet0/0.

The final catch is none of the subnets can talk to each other.

Can this be done? If so, how would I go about mapping the external IP addresses to each subnet and keeping them from seeing each other?

Sorry if this is an easy, stupid question.

cisconoob
 
LVL 33

Expert Comment

by:MikeKane
ID: 24826119

Welcome to the world of Cisco. No worries, we all started somewhere.

The external interface would be set with the public internet IP that will service the range of IPs from the ISP.

The multiple internal interfaces or internal VLANs will each support one of the 3 subnets you described. You can do either physical separation of the subnets or a VLAN interface for each off the physical inside interface, trunked into a switch.

With the ASA, each interface is given a security level so that lower-security-numbered interfaces will not communicate with higher-numbered interfaces unless IPs are mapped and access lists created.

Access lists will control the flow of the packets from interfaces. Access lists are written and then applied to the interface in a certain direction, in or out, from the perspective of the ASA. You can have only 1 ACL in 1 direction on any interface at 1 time.

I suppose the best way is to have you go to the howtos that Cisco has available.

To get started, you should have a look at these:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00804619d8.shtml

Here are a bunch of examples covering that which should help as well:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Author Comment

by:cisconoob
ID: 24826549
MikeKane,

Thanks for the primer. That's a great starting point, but I think I may need to be a little more specific, and my Ethernet0/0 would be a xxx.xxx.xxx.114 IP address. With this and the code below set up correctly, with an ACL to allow the correct traffic in, would that work? And will this allow all users on these subnets out without any issues, no matter what they are doing, as well as not see each other?

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.114 255.255.255.240
!
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 10.10.8.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 10.10.9.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside3
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.11.1 255.255.255.0
 management-only
!
passwd 6kRwdQPEOenirCCd encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
! The ACL below references object-group Postini, which the posted config never defined.
! Placeholder definition: replace the host with the mail-filtering service's published source addresses.
object-group network Postini
 network-object host xxx.xxx.xxx.xxx
object-group service Email tcp
 port-object eq smtp
 port-object eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group Postini host xxx.xxx.xxx.116 object-group Email
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.117 eq pptp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.115 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.118 eq telnet
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.120 object-group Email
pager lines 24
logging asdm informational
mtu outside 1500
! mtu lines must name the interfaces defined by nameif; there is no interface called "inside"
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside1,outside) xxx.xxx.xxx.120 10.10.8.7 netmask 255.255.255.255
static (inside1,outside) xxx.xxx.xxx.115 10.10.8.4 netmask 255.255.255.255
static (inside2,outside) xxx.xxx.xxx.117 10.10.9.7 netmask 255.255.255.255
static (inside3,outside) xxx.xxx.xxx.118 10.10.10.7 netmask 255.255.255.255
static (inside3,outside) xxx.xxx.xxx.116 10.10.10.5 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
 
LVL 33

Expert Comment

by:MikeKane
ID: 24826930
In order for users from all interfaces to get out, you would need to add them to the NAT command like so:
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0

That means the NAT will also take any traffic from those interfaces and use global 1 to translate them.

The other statics and ACLs look good.
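The two answers above name the checks that matter for this design: every inside interface needs its own nat line to be translated by global 1, and interfaces at the same security level stay isolated unless the ASA is told to permit same-security traffic. The script below is an added example, not from the thread or from Cisco: it audits a pre-8.3 style ASA config for those points and for nat/mtu lines or access-list object-groups that reference names never defined. The embedded config is a constructed, trimmed copy of the poster's, with 192.0.2.x documentation addresses as placeholders.

```python
import re

# Constructed sample (192.0.2.x is a documentation range): the thread's config, trimmed, without the per-interface nat fix.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside1
 security-level 100
interface Ethernet0/2
 nameif inside2
 security-level 100
object-group service Email tcp
access-list outside_access_in extended permit tcp object-group Postini host 192.0.2.116 object-group Email
mtu inside 1500
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def audit_asa_config(text):
    """Return sorted findings for a pre-8.3 ASA config (nameif / global / nat / mtu syntax)."""
    levels, groups, referenced, used, nat_ifaces, findings = {}, set(), set(), [], set(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)                       # interface name the ASA uses elsewhere
        elif (m := re.match(r"security-level (\d+)$", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.match(r"object-group \S+ (\S+)", line):
            groups.add(m.group(1))                     # object-groups actually defined
        elif line.startswith("access-list"):
            referenced.update(re.findall(r"object-group (\S+)", line))
        elif m := re.match(r"(nat|global) \((\w+)\)", line):
            used.append(m.group(2))
            if m.group(1) == "nat":
                nat_ifaces.add(m.group(2))
        elif m := re.match(r"mtu (\S+) \d+$", line):
            used.append(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            findings.append("inter-interface traffic between same-security interfaces is permitted")
    findings += [f"undefined interface '{n}' referenced" for n in used if n not in levels]
    # With global (outside) 1 interface, an inside interface only gets outbound
    # translation if it has its own nat (ifname) 1 line.
    findings += [f"no nat rule for '{n}': its hosts get no outbound translation"
                 for n, lvl in levels.items() if lvl > 0 and n not in nat_ifaces]
    findings += [f"undefined object-group '{n}' in access-list" for n in referenced - groups]
    return sorted(set(findings))
```

Run audit_asa_config on a pasted running-config to list the findings; appending the two nat lines from the answer above clears the "no nat rule" findings.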

Author Comment

by:cisconoob
ID: 24826940
Mike,

Thanks, I'll report back in a bit to let you know once I put it live (fingers crossed).
 
LVL 33

Expert Comment

by:MikeKane
ID: 24839514
Updates?
 

Author Comment

by:cisconoob
ID: 24839951
I was called out of town this weekend to another site. I am trying the implementation tonight. I'll post back soon.
 

Author Comment

by:cisconoob
ID: 24843049
OK, so the situation changed a bit. The client wants things done a bit differently now. On one of the interfaces they want a complete IP passthrough. Well, let me see if I can explain this better: they want their outside IP xx.xx.xx.111 passed off inside, so in essence it would hit the firewall and then be passed off to them internally and assigned to their Linksys, which they are upgrading to a Cisco PIX. So it will go ISP > ASA 5510 > Linksys > xx.xx.xx.111, and on the interface of the Linksys they want the IP to be xx.xx.xx.124. Can this even be done?
 
LVL 33

Expert Comment

by:MikeKane
ID: 24843139
The ASA can be placed into transparent mode, which would give you that behavior. I'll have to look up a link at Cisco for a howto.
 

Author Comment

by:cisconoob
ID: 24843186
Mike,

Well, I can't place it in transparent mode because we are still splitting off two subnets. That's the catchy part. One subnet I can split off the ASA directly and manage; the other company wants to connect their equipment to the Cisco ASA with the passthrough as described above... uggggg
 
LVL 33

Expert Comment

by:MikeKane
ID: 24843238
I don't think that will work. Another expert may want to chime in here, but the ASA can't have 2 directly connected items with the same IP. With distant networks sharing subnets, you can use the NATing feature on each end, but that's a different scenario. I think that's a no go.
 

Author Comment

by:cisconoob
ID: 24843288
That's what I thought, but let me try and be more specific... NO sharing between each other. I want each network to have its own external IP: xx.xx.xx.76 for my network, xx.xx.xx.77 for our neighbor business. They want their own router/VPN endpoint and want a straight passthrough to the Linksys.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#unsupp

Pretty much the diagram in the link, but the issue is on the 192.168.1.3 node in the diagram: they want their own external IP .76 to be passed through to them directly... hope this makes sense.
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24851585
I suppose you could double static NAT the address: once coming into the firewall and out the inside1 port to a non-public range, then another static at a 2nd device to turn it back to the public IP.

Honestly, I don't know what complications that might bring with it, as I've never tried that before.
 

Author Comment

by:cisconoob
ID: 24852163
Thanks Mike, this is obviously an over-complication and I just need to go back to the drawing board... I will award you the points, and thanks for the help...

Question has a verified solution.