Solved

ASA 5510 handling 2 IPs connections

Posted on 2011-03-15
6
555 Views
Last Modified: 2012-05-11
Hi,

We have 2 different companies, one on 192.168.1.x and the other one on 192.168.2.x that are using the same network infrastructure. I want to bring in a second internet connection, put 192.168.1.x on the original connection and put 192.168.2.x on the new connection using a Cisco ASA 5510 to route everything. The original connection comes into a Cisco 1721 router and is then sent to the ASA 5510 who is responsible for all the NAT. I need advice on how I should go about doing this.
Thanks!
6 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137873
I think it should be possible to create a situation with two 'outside' and two inside interfaces without having interaction between the two networks (or only if necessary).

Author Comment

by:W0rldinc
ID: 35137936
That's the thing. There needs to be interaction between the 2 LANs and they all come from the same switch into 1 LAN port on the ASA. I would use 2 for Outside, 1 for Inside and 1 for DMZ. I would basically like to do routing based on the subnet. Everything from 192.168.1.x should go through inside1 and everything from 192.168.2.x should go through inside2. Would that be possible at all and how complex would it be to put it place?
LVL 35

Expert Comment

by:Ernie Beek
ID: 35137971
Not quite complex. For the inside you could create two subinterfaces (one for each subnet) and trunk the port on the switch.
Assuming you're using VLANs?

Author Comment

by:W0rldinc
ID: 35138148
Not at the moment, but that will be put in place at the same time we bring in the 2nd ISP. Right now, everything is in the 192.168.1.x. We will separate it in 2 VLANs in order to do the routing properly. For the outside interfaces, what would need to be done? What kind of rule?
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 150 total points
ID: 35138429
Basically, you will have two interfaces with security-level 0. You will have to set up two global and two nat statements for the corresponding internal networks.
That should give you the (separate) internet access for both networks.
After that you can create statics, access lists, etc. just as you want it and just as you did before. You only have to watch that you put them on the correct interfaces (for network 1 or network two).
LVL 9

Accepted Solution

by:gavving
gavving earned 350 total points
ID: 35144427
Actually that won't work... Well not exactly like that. You can NAT into each IP block for each ISP and configure 2 outside interfaces, but the ASA can only have 1 default gateway. Thus only 1 external outbound connection out the ASA is possible unless we're statically routing site-to-site VPN connections or something out the other outside interface.

To use 2 ISPs and have traffic using them split based upon source traffic you have to use policy based routing, and the ASA doesn't do that. But your 1721 router can. So you can use that to probably accomplish what you want. Get a small separate switch and plug in the ethernet connections of the outside interface of the ASA, the 1721, and the new ISP into it. Leave your ASA with the default route going to the 1721. Set up NATing on the ASA to NAT the 192.168.2.x network into the 2nd ISP IP block. Configure a secondary IP number on the ethernet interface of the 1721 and put it on the 2nd ISP IP block. Set up PBR on the 1721 to route to the 2nd ISP default gateway IP if the traffic is coming from the 2nd IP block.

That can work, it's a bit messy though.
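The accepted solution (ASA with one default route to the 1721, a second NAT pool for 192.168.2.x, PBR on the 1721) written out as configuration, together with the inside subinterfaces from the earlier comments. This is an added example, not configuration posted in the thread; it uses the pre-8.3 ASA nat/global syntax the thread refers to, and all public addresses (198.51.100.0/24 for ISP1, 203.0.113.0/24 for ISP2), interface names, VLAN ids and the route-map name are placeholders.

```cisco
! --- ASA 5510 (pre-8.3 NAT syntax) ---
! Inside port trunked to the switch, one subinterface per company VLAN
interface Ethernet0/1.10
 vlan 10
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1.20
 vlan 20
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
! Single outside interface on the small switch shared with the 1721 and ISP2
! (address in the ISP1 block, placeholder)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
! Company 1 PATs to the outside address; company 2 PATs to an address taken
! from the ISP2 block, which the ASA proxy-ARPs for on the shared switch
nat (inside1) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside2) 2 192.168.2.0 255.255.255.0
global (outside) 2 203.0.113.10
! Only one default route exists: everything leaves toward the 1721
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! Both inside subinterfaces share a security level, so allow LAN-to-LAN traffic
same-security-traffic permit inter-interface

! --- Cisco 1721 (IOS) ---
! Primary address in the ISP1 block, secondary in the ISP2 block (placeholders)
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.0
 ip address 203.0.113.2 255.255.255.0 secondary
 ip policy route-map PBR-ISP2
! Packets the ASA already NATed into the ISP2 block are steered to ISP2's
! gateway; everything else follows the routing table toward ISP1
ip access-list extended ISP2-SRC
 permit ip 203.0.113.0 0.0.0.255 any
route-map PBR-ISP2 permit 10
 match ip address ISP2-SRC
 set ip next-hop 203.0.113.1
```

Return traffic from ISP2 arrives on the shared switch addressed to 203.0.113.10 and is picked up by the ASA's proxy ARP for the global address, so no route for the ISP2 block is needed on the ASA; if either ISP link fails there is no automatic failover in this design.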