Solved

ASA 5510 handling 2 IPs connections

Posted on 2011-03-15
Last Modified: 2012-05-11
Hi,

We have 2 different companies, one on 192.168.1.x and the other one on 192.168.2.x that are using the same network infrastructure. I want to bring in a second internet connection, put 192.168.1.x on the original connection and put 192.168.2.x on the new connection using a Cisco ASA 5510 to route everything. The original connection comes into a Cisco 1721 router and is then sent to the ASA 5510, which is responsible for all the NAT. I need advice on how I should go about doing this.
Thanks!
Question by:W0rldinc
6 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137873
I think it should be possible to create a situation with two 'outside' and two inside interfaces without having interaction between the two networks (or only if necessary).
0
 

Author Comment

by:W0rldinc
ID: 35137936
That's the thing. There needs to be interaction between the 2 LANs and they all come from the same switch into 1 LAN port on the ASA. I would use 2 for Outside, 1 for Inside and 1 for DMZ. I would basically like to do routing based on the subnet. Everything from 192.168.1.x should go through inside1 and everything from 192.168.2.x should go through inside2. Would that be possible at all and how complex would it be to put it in place?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137971
Not quite complex. For the inside you could create two subinterfaces (one for each subnet) and trunk the port on the switch.
Assuming you're using VLANs?
0

 

Author Comment

by:W0rldinc
ID: 35138148
Not at the moment, but that will be put in place at the same time we bring in the 2nd ISP. Right now, everything is in the 192.168.1.x. We will separate it into 2 VLANs in order to do the routing properly. For the outside interfaces, what would need to be done? What kind of rule?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 600 total points
ID: 35138429
Basically, you will have two interfaces with security-level 0. You will have to set up two global and two nat statements for the corresponding internal networks.
That should give you the (separate) internet access for both networks.
After that you can create statics, access lists, etc. just as you want them and just as you did before. You only have to watch that you put them on the correct interfaces (for network 1 or network two).
0
 
LVL 9

Accepted Solution

by:
gavving earned 1400 total points
ID: 35144427
Actually that won't work... Well not exactly like that.  You can NAT into each IP block for each ISP and configure 2 outside interfaces, but the ASA can only have 1 default gateway.  Thus only 1 external outbound connection out the ASA is possible unless we're statically routing site-to-site VPN connections or something out the other outside interface.

To use 2 ISPs and have traffic using them split based upon source traffic you have to use policy based routing, and the ASA doesn't do that.  But your 1721 router can.  So you can use that to probably accomplish what you want.  Get a small separate switch and plug in the ethernet connections of the outside interface of the ASA, the 1721, and the new ISP into it.  Leave your ASA with the default route going to the 1721.  Set up NATing on the ASA to NAT the 192.168.2.x network into the 2nd ISP IP Block.  Configure a secondary IP number on the ethernet interface of the 1721 and put it on the 2nd ISP IP Block.  Set up PBR on the 1721 to route to the 2nd ISP default gateway IP if the traffic is coming from the 2nd IP block.

That can work, it's a bit messy though.
0
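The layout described in the accepted answer, sketched as an added configuration example (not posted by any participant in this thread). All addresses are constructed documentation-range placeholders; the interface names inside1, inside2 and outside, the ACL number and the route-map name are assumptions, and the ASA lines use the pre-8.3 nat/global syntax referred to earlier in the thread.

```cisco
! Constructed addressing (placeholders, not from the thread):
!   ISP1 block 198.51.100.0/28  1721 Fa0 = .1, ASA outside = .2
!   ISP2 block 203.0.113.0/28   ISP2 gateway = .1, 1721 secondary = .2,
!                               PAT address for 192.168.2.x = .10
!
! ---------- ASA 5510 ----------
! Each inside subnet gets its own NAT ID so it is translated
! into a different ISP block on the single outside interface.
nat (inside1) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside2) 2 192.168.2.0 255.255.255.0
global (outside) 2 203.0.113.10
! The ASA keeps one default route, pointing at the 1721.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! ---------- Cisco 1721 ----------
! Match only traffic already translated into the ISP2 block.
access-list 110 permit ip 203.0.113.0 0.0.0.15 any
!
route-map TO-ISP2 permit 10
 match ip address 110
 set ip next-hop 203.0.113.1
!
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.240
 ip address 203.0.113.2 255.255.255.240 secondary
 ! PBR is evaluated on packets received on this interface.
 ip policy route-map TO-ISP2
 ! Policy-routed packets leave on the interface they arrived on;
 ! suppress the ICMP redirects that would otherwise be sent.
 no ip redirects
!
! ---------- Checks ----------
! 1721: show route-map TO-ISP2   (match counters should increase)
! 1721: show ip policy
! ASA:  show xlate               (192.168.2.x hosts map to 203.0.113.10)
```

Anything sourced from the ISP1 block does not match ACL 110 and follows the 1721's normal routing table. Because the ISP2 handoff shares the outside switch, the ASA's outside access lists are the only filter for traffic arriving from either provider, so they should be reviewed for both address blocks.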
