jgethers asked:
Using Cisco ASA 5505 as internet router - Multiple Statics

I have a Cisco ASA 5505 on a fiber connection with 5 usable statics.  The ASA is the internet router/gateway and I have an internal vlan set to the gateway address for the pack of statics.  All traffic for that pack is forwarded to a single static which is assigned to the outside interface.  I have 2 routers inside on that vlan that need external IPs.  One for internet and one for a VPN connection.  How can I pass all traffic to the internal VLAN meant for both statics so I do not have to forward ports?  Internet works fine but if I want SMTP or SSL to pass through for one of the 5 pack statics I have to forward those ports on the outside interface static.  If all traffic is going to that single outside static, how do I allow VPNs on both internal statics?
Tom Scott:

How about a diagram?

          ISP Gateway
           a.a.a.1 /??
                    |
             a.a.a.200                    Outside (last octet is just a random example)
            ASA 5505
             b.b.b.1 /29                 Inside routable or public IP. (last octet just an example)
                    |
             VLAN Switch
                    |
     ----------------------------------------------------------------------------------------
     |                   |                   |                     |                    |
b.b.b.2           b.b.b.3          b.b.b.4           b.b.b.5           b.b.b.6         <== Outside ports
Router 1        Router 2       Router 3        Router 4        Router 5
c.c.c.1             d.d.d.1          e.e.e.1           f.f.f.1              g.g.g.1        <== Inside ports/subnets

Is that close to what you have in mind?

 - Tom
Like Tom, I have some problems understanding what you mean by "pack of statics" and the traffic for the pack that is forwarded to a single static. Maybe some config would clear up the situation.

Generally spoken: for each of the internet routers you will need one ip address of your block since you want to be able to communicate over all ports as I understand. If it's only a subset of ports that need to be accessible from the outside you might also do some port translation but if you have the same ports on both routers that doesn't work.
jgethers (asker):
I am essentially building out a cable modem.  ISP's fiber switch to router.  They say it is our job to take it from there.

single static 1.1.1.1 ------------> 5 pack of static IPs that we need to break out.

I have vlan created with the gateway of 5 pack as ip, internet works but I had to forward ports from single ip to get SMTP and other traffic to go to the static I want to route it to.  I have never done this before.  Usually we plug in to a cable modem and go.
asa.pdf
Pack = Block
Please resend the pdf with the symbolic addressing attached to the port or interface of each router or host.

Note, each router should have an "outside" and an "inside" port or interface, each with an address from different subnets.

 - Tom
here you go.

It works but I want to pass all traffic to its respective block ip without forwarding ports from the outside interface on R1.
There is no attachment in the last comment.  Was there supposed to be?

 - Tom
The picture is what I expected but I still don't understand what you are trying to do. Can you send the sanitized config of the ASA and the routers? That would make things a lot easier.
ISP gave us a single static.  We then needed more so they gave us a block in a different subnet. They forward all block ip traffic to the first static they gave us.  It is our job to break it out.

a.a.a.a is the first static.
b.b.b.b - b.b.b.f is what they gave us in the block.

I assigned the b.b.b.x addresses to the lan firewalls outside interfaces.

I just want to be able to have everything forward from the asa to its correct external IP that is assigned to the internal firewalls.  Right now i have to use PAT to direct traffic from the outside interface on the 1st firewall (a.a.a.a).
ASKER CERTIFIED SOLUTION (Tom Scott)
We got this working today.  Tom, you are right.  They gave us a block of 8 but with the gateway we only had 5 usable to us.  I still don't think we should have to route these addresses, it should be the ISP's responsibility.
Good to hear it is all working.

Regarding you having to route the subnet: Each router "routes" traffic. If you get a chance to look at the ASA's routing table you will find the following:
A default route (0.0.0.0): The 0.0.0.0 is a wild card address for anything that is not specified otherwise in the table.

A route for the new subnet that is on the inside.

Routes for any other subnets you have on the inside.
Most of the entries were probably set up by the router automatically.  However, the router has to be told, by the router's owner (you), about other routes when it has multiple internal routes going through other routers (or layer 3 switches, which also route).

Your ISP IS routing that subnet at the gateway router they provide for you as well as other locations internal to them and other related configuration steps. However, since your ISP does not control your ASA router, they have no way of handling that last routing step that takes place within your router.

Best of Luck,

Tom
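To make Tom's routing explanation concrete for the asker's setup (the ISP sends the whole block to the single static on the ASA, and each block address should reach its internal firewall untouched rather than through PAT on the outside interface), here is an added illustration of what such an ASA configuration looks like; it is not the thread's accepted solution or anyone's actual config. It assumes ASA 8.3+ NAT syntax, a 5505 VLAN layout like Tom's diagram, and constructed documentation addresses in place of a.a.a.a and b.b.b.b-b.b.b.f.

```cisco
! Added illustration, not the thread's accepted solution. ASA 8.3+ syntax assumed.
! Constructed addresses (RFC 5737 documentation ranges):
!   ISP gateway      203.0.113.1
!   ASA outside      203.0.113.200   (the ISP's "single static", a.a.a.a)
!   Public block     198.51.100.0/29 (b.b.b.b - b.b.b.f); the ASA holds .1 as the
!                    block gateway, .2 and .3 are the internal firewalls' outside ports
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.200 255.255.255.0
!
interface Vlan3
 nameif pubblock
 security-level 50
 ip address 198.51.100.1 255.255.255.248
!
! Default route: anything with no more specific entry goes to the ISP gateway.
! The 198.51.100.0/29 entry is a connected route the ASA installs by itself,
! which is the "route for the new subnet that is on the inside" Tom describes.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Identity NAT: the block keeps its real addresses in both directions, so there is
! no PAT from the outside interface and no per-port forwarding is needed.
object network PUBLIC_BLOCK
 subnet 198.51.100.0 255.255.255.248
nat (pubblock,outside) source static PUBLIC_BLOCK PUBLIC_BLOCK
!
! The ASA still drops unsolicited outside-to-inside traffic until an ACL permits it.
! Permit only what each internal firewall should receive (mail/SSL on .2, IPsec
! VPN on .3); those firewalls then apply their own policy as well.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.2 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.2 eq https
access-list OUTSIDE_IN extended permit udp any host 198.51.100.3 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 198.51.100.3 eq 4500
access-list OUTSIDE_IN extended permit esp any host 198.51.100.3
access-group OUTSIDE_IN in interface outside
```

The ISP side is unchanged: it keeps routing the block to 203.0.113.200, and the ASA performs the last hop that Tom describes. A 5505 base license limits the number of usable VLAN interfaces, so check the license before adding the block VLAN.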
Tom,

The issue for me is that when we work with other ISP's they always provide a "Modem".  We just plug in, assign our IPs and go.  It was a learning experience.

Thanks.
Initially routing can be somewhat confusing, especially if you are having to use the Cisco CBOS text interface.

However, even with many of the modems (if they route, which most do now), if you have any internal public IP addresses you will have to setup the routing to get it through your modem/router.

Some ISPs will assist you with this. Of those, some will charge for the service, sometimes they will do it for free.

I highly recommend documenting your configuration, both because most small businesses just get a modem and use only private addressing on the inside, as you referenced, and because you may have to revisit this in the future.

Part of that documentation should include a diagram with each of your routing devices plus the ISP's gateway, all with the IP address and subnet mask for each interface on the routers.

One last recommendation, backup the configuration on your ASA (and other routers) and change the file name to be descriptive of what it includes or adds to previous configuration backups.

 - Tom
Already did.  Thanks Tom.