eggster34

asked on

Dual outside and inside interfaces on ASA 5520

Hi,
We have an ASA 5520 with 4 interfaces, 2 interfaces connect to the internet uplinks on our datacenter and 2 are inside interfaces hosting servers for different clients.

We need to make sure the hosts connected to the inside interface are translated / accessed using the outside interface, and hosts on inside2 are able to access the internet on the outside2 interface only, and mapped IP addresses on the outside2 interface should allow access to the clients connected to inside2. Is this at all possible? My config looks like this: we can easily ping and access hosts using the IP range assigned to the outside interface, but it does not work on anything connected to outside2/inside2.

1.1.1.254 is the uplink router assigned to the outside interface, and 10.2.2.254 is the router for the outside2 interface.



!
interface GigabitEthernet0/0
 description 1.1.1.1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description 2.2.2.2
 nameif outside2
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/2
 description inside1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 description inside2
 nameif inside2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif man
 security-level 0
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
access-list outside extended permit ip any any
access-list outside2 extended permit ip any any
mtu inside 1500
mtu outside 1500
mtu man 1500
mtu inside2 1500
mtu outside2 1500
icmp permit any inside
icmp permit any outside
icmp permit any inside2
icmp permit any outside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp 1.1.1.2 ssh 192.168.10.2 ssh netmask 255.255.255.255
static (inside2,outside2) tcp interface ssh 192.168.20.2 ssh netmask 255.255.255.255
access-group outside in interface outside
access-group outside2 in interface outside2
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1 <-- is this how it is supposed to be?
harbor235

You need to refine your nat inside commands to only NAT the IP ranges associated with that interface; you are using 0.0.0.0 0.0.0.0, which means NAT all addresses.

So for example if the inside interface uses 10.1.2.0/24 then change it to "nat (inside) 1 10.1.2.0 255.255.255.0". If inside2 uses 10.11.22.0/24 change it to "nat (inside2) 2 10.11.22.0 255.255.255.0".

Some challenges will be inside-to-inside2 communications; my question is, why are you doing it this way?

harbor235 ;}
eggster34

ASKER

As long as I keep the 0.0.0.0 0.0.0.0 route pointing to ISP1, this doesn't work even the way you suggested: clients in inside1 are able to access the internet and be accessed through the public IPs assigned to them, but inside2 clients can't use the ISP2 interface at all. Am I missing something?

I have 2 different clients being hosted on the same firewall array with different VLANs, that's why I'm doing it this way, if there's another way of doing it (other than multiple context mode) I'm open to suggestions.
harbor235

I think it is the same problem generally speaking: the issue with nat was/is the wide-ranging nat statement to capture all traffic; now we have a wide-ranging route statement that wants to route everything out one interface. Of course this means it will not get nat'd properly because it is being routed out the wrong outside interface. You see, if you have nat statements as I prescribed then you are potentially exiting the wrong interface, routing towards ISP1.

If you added more specific routes to the outside and eliminated the default route, this would alleviate the issue, but it may not achieve what you are looking for. A firewall is not a router; it is hard to enforce policy if you also want to perform ECMP, you see?

So my question again is, why are you trying to do it this way?

harbor235 ;}
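To make harbor235's two points checkable, here is an added Python script (not from the thread or from Cisco) that lints the nameif/global/nat/route statements of an ASA 8.2-style config: it flags catch-all nat statements and nat ids whose global pool sits on an interface that no route exits through. The sample config is constructed from the lines in the question.

```python
import re

# Constructed sample, not the poster's config verbatim: the nameif, global,
# nat and route lines from the question, which decide which ISP a flow uses.
SAMPLE = """\
 nameif outside
 nameif outside2
 nameif inside
 nameif inside2
global (outside) 1 interface
global (outside2) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 2 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
"""

NAT = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+)")
ROUTE = re.compile(r"^route (\S+) ")

def lint(config):
    """Return findings about nat/global/route consistency in an ASA 8.2-style config."""
    nameifs, nats, pools, routed = set(), [], {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
        elif m := NAT.match(line):
            nats.append(m.groups())          # (ingress, nat id, network, mask)
        elif m := GLOBAL.match(line):
            pools[m.group(2)] = m.group(1)    # nat id -> egress interface
        elif m := ROUTE.match(line):
            routed.add(m.group(1))            # interfaces some route exits through
    findings = []
    for ifc, nat_id, net, mask in nats:
        if ifc not in nameifs:
            findings.append(f"nat ({ifc}) {nat_id}: no interface carries nameif {ifc}")
        if net == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"nat ({ifc}) {nat_id}: matches every source address; "
                            f"restrict it to the subnet behind {ifc}")
        egress = pools.get(nat_id)
        if egress is None:
            findings.append(f"nat ({ifc}) {nat_id}: no global pool uses id {nat_id}")
        elif egress not in routed:
            # Egress is picked by route lookup, so this pool is never selected.
            findings.append(f"nat ({ifc}) {nat_id} -> global ({egress}): no route "
                            f"exits via {egress}, so traffic from {ifc} never uses it")
    return findings
```

Calling lint(SAMPLE) on the constructed config reports both catch-all nat statements and the missing route via outside2, which is the combination the thread describes.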
eggster34

ASKER

I'm doing it this way because I have client A and client B, with different public IP ranges, sharing this firewall for cost optimization purposes. I'm the only admin on the fw, and I need to allow access to client A's web server over their own leased internet circuit through their own public IP, and client B's web server access over their own leased internet circuit through their own public IP.
ASKER CERTIFIED SOLUTION
harbor235