Solved

Using Cisco ASA 5505 as internet router - Multiple Statics

Posted on 2013-02-01
208 Views
Last Modified: 2014-11-15
I have a Cisco ASA 5505 on a fiber connection with 5 usable statics.  The ASA is the internet router/gateway and I have an internal VLAN set to the gateway address for the pack of statics.  All traffic for that pack is forwarded to a single static which is assigned to the outside interface.  I have 2 routers inside on that VLAN that need external IPs.  One for internet and one for a VPN connection.  How can I pass all traffic to the internal VLAN meant for both statics so I do not have to forward ports?  Internet works fine, but if I want SMTP or SSL to pass through for one of the 5 pack statics I have to forward those ports on the outside interface static.  If all traffic is going to that single outside static, how do I allow VPNs on both internal statics?
17 Comments
 
LVL 12

Expert Comment

by:TomRScott
ID: 38846282
How about a diagram?

          ISP Gateway
           a.a.a.1 /??
                    |
             a.a.a.200                    Outside (last octet is just a random example)
            ASA 5505
             b.b.b.1 /29                 Inside routable or public IP. (last octet just an example)
                    |
             VLAN Switch
                    |
     ----------------------------------------------------------------------------------------
     |                   |                   |                     |                    |
b.b.b.2           b.b.b.3          b.b.b.4           b.b.b.5           b.b.b.6         <== Outside ports
Router 1        Router 2       Router 3        Router 4        Router 5
c.c.c.1             d.d.d.1          e.e.e.1           f.f.f.1              g.g.g.1        <== Inside ports/subnets

Is that close to what you have in mind?

 - Tom
0
 
LVL 10

Expert Comment

by:mat1458
ID: 38846538
Like Tom, I have some problems understanding what you mean by "pack of statics" and the traffic for the pack that is forwarded to a single static. Maybe some config would clear up the situation.

Generally speaking: for each of the internet routers you will need one IP address of your block, since you want to be able to communicate over all ports as I understand. If it's only a subset of ports that need to be accessible from the outside you might also do some port translation, but if you have the same ports on both routers that doesn't work.
0
 

Author Comment

by:jgethers
ID: 38846851
I am essentially building out a cable modem.  ISP's fiber switch to router.  They say it is our job to take it from there.

single static 1.1.1.1 ------------> 5 pack of static IPs that we need to break out.

I have a VLAN created with the gateway of the 5 pack as IP; internet works, but I had to forward ports from the single IP to get SMTP and other traffic to go to the static I want to route it to.  I have never done this before.  Usually we plug in to a cable modem and go.
asa.pdf
0
 

Author Comment

by:jgethers
ID: 38846860
Pack = Block
0
 
LVL 12

Expert Comment

by:TomRScott
ID: 38847114
Please resend the pdf with the symbolic addressing attached to the port or interface of each router or host.

Note, each router should have an "outside" and an "inside" port or interface, each with an address from different subnets.

 - Tom
0
 

Author Comment

by:jgethers
ID: 38847391
Here you go.

It works, but I want to pass all traffic to its respective block IP without forwarding ports from the outside interface on R1.
0
 
LVL 12

Expert Comment

by:TomRScott
ID: 38847832
There is no attachment in the last comment.  Was there supposed to be?

 - Tom
0

 
LVL 10

Expert Comment

by:mat1458
ID: 38848538
The picture is what I expected, but I still don't understand what you are trying to do. Can you send the sanitized config of the ASA and the routers? That would make things a lot easier.
0
 

Author Comment

by:jgethers
ID: 38851250
ISP gave us a single static.  We then needed more so they gave us a block in a different subnet. They forward all block ip traffic to the first static they gave us.  It is our job to break it out.

a.a.a.a is the first static.
b.b.b.b - b.b.b.f is what they gave us in the block.

I assigned the b.b.b.x addresses to the LAN firewalls' outside interfaces.

I just want to be able to have everything forward from the ASA to its correct external IP that is assigned to the internal firewalls.  Right now I have to use PAT to direct traffic from the outside interface on the 1st firewall (a.a.a.a).
0
 
LVL 12

Accepted Solution

by: TomRScott earned 500 total points
ID: 38852592
Ah.  Sounds like you want to "route" that address block. Forwarding is different.

Forwarding is taking inbound traffic addressed to one IP (typically public) and forwarding it to a private address that is unknown and protected from the outside world except for this one service.

I'm a little confused if you have an address that is part of an 8 address subnet on the outside of your ASA router or if you have another public static IP on the outside. Note your ISP is probably not forwarding, but just routing anything addressed to that subnet (and not just for one IP in the subnet) to the public IP of your ASA, a.a.a.200 in my diagram.

You need to route anything for that subnet to an internal interface of the ASA.

To setup the routing, all you need to do is add an entry in the routing table of the ASA. Roughly speaking, the table entry states that traffic to the subnet address of the block of 6 (including a gateway) addresses received on the outside interface is routed to the inside interface (which should have the gateway address of the supplied subnet, b.b.b.1 in my diagram).

Not knowing the specifics of your router, I can't use specifics so I'll continue with general  terms using my diagram.

Traffic received on the interface hosting a.a.a.200 and targeted for b.b.b.0 (the subnet address) should be routed to the interface hosting b.b.b.1.

I notice you only got a block of five addresses, yet you are to be hosting the entire block including the gateway for the block. Normally you would have received a subnet of 8 addresses for this, including the subnet address and the broadcast address, leaving you with 6 usable host addresses (including the gateway address, which would be an inside interface of your ASA).

Conversely, when an ISP is providing the gateway and gives you a block of addresses from an 8 address subnet the maximum number of addresses they can give you is 5 since they have to retain one for themselves for their gateway router.

It sounds to me that you need to talk to your ISP and clarify if they believe they are providing a gateway in the subnet from which you received the addresses.  They may believe that they are doing so and held back that address.

However, I think they gave you what you requested and there is just some confusion on basic routing.

If this helps, great. If you need more detail such as masking, etc., please provide a more detailed diagram.  The first three octets of each IP address are not needed for discussion purposes and should be replaced with something similar to what I did in my diagram (for your security). Please also provide any masking information that your ISP has provided for all addresses involved. Masks take one of two forms: 255.255.255.0 (254 addresses) or similar, or /24 (also 254 addresses).  For your block of 5 or 6 addresses, you would likely have received a mask of /29 or 255.255.255.248 from your ISP. Knowing the mask for this block of addresses would help clarify the situation.

Bottom Line: Using a routing table entry will route all traffic to the desired internal, yet publicly addressed routers and no port forwarding will be required.

 - Tom
0
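To make Tom's "route, don't forward" point concrete, here is an added example ASA configuration (it is not from the thread or from jgethers' real config) using the symbolic a.a.a.x / b.b.b.x addresses from Tom's diagram. It assumes an ASA running 8.3-or-later NAT syntax, a /29 for the block as Tom suggests, an assumed /24 on the outside link, and that the ASA 5505 switch ports have already been put in the right VLANs:

```cisco
! Added example: routing a public /29 (b.b.b.0/29) through an ASA 5505 to
! routers on an inside VLAN. All addresses are the symbolic ones from the
! diagram above, not real values; replace them before use.
! Assumes ASA 8.3+ (object-based NAT syntax).

interface Vlan2
 nameif outside
 security-level 0
 ip address a.a.a.200 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address b.b.b.1 255.255.255.248
!
! Default route: anything not in the routing table goes to the ISP gateway.
route outside 0.0.0.0 0.0.0.0 a.a.a.1 1
!
! No static route is needed for b.b.b.0/29: once Vlan1 carries b.b.b.1/29
! the ASA installs it as a connected route, so inbound packets for
! b.b.b.2-b.b.b.6 are routed straight to the inside VLAN.
!
object network INSIDE_PUBLIC_BLOCK
 subnet b.b.b.0 255.255.255.248
!
! Identity NAT: packets to and from the public block keep their addresses.
! This replaces the per-port static PAT rules on a.a.a.200 and protects the
! block from being swallowed by any dynamic PAT rule added later.
nat (inside,outside) source static INSIDE_PUBLIC_BLOCK INSIDE_PUBLIC_BLOCK
!
! Inbound policy. The ASA drops unsolicited inbound traffic by default, so
! each inside router only receives the services listed here (SMTP and SSL
! from the question, IPsec for the VPN router, assumed to be b.b.b.3).
access-list OUTSIDE_IN extended permit tcp any object INSIDE_PUBLIC_BLOCK eq smtp
access-list OUTSIDE_IN extended permit tcp any object INSIDE_PUBLIC_BLOCK eq https
access-list OUTSIDE_IN extended permit udp any host b.b.b.3 eq isakmp
access-list OUTSIDE_IN extended permit udp any host b.b.b.3 eq 4500
access-list OUTSIDE_IN extended permit esp any host b.b.b.3
access-group OUTSIDE_IN in interface outside
```

After applying this, `show route` should list b.b.b.0/29 as a connected route on inside and 0.0.0.0/0 via a.a.a.1 on outside, and `packet-tracer input outside tcp 203.0.113.10 12345 b.b.b.3 25` (203.0.113.10 is a constructed documentation address) walks an inbound SMTP packet through route lookup, NAT and the ACL so you can see which step drops it if something is still off. Because the inside routers now answer on public addresses, the outside ACL is the only thing between them and the internet: permit only the services each router needs rather than `permit ip any`, and keep those routers patched.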
 

Author Comment

by:jgethers
ID: 38853645
We got this working today.  Tom, you are right.  They gave us a block of 8, but with the gateway we only had 5 usable to us.  I still don't think we should have to route these addresses; it should be the ISP's responsibility.
0
 
LVL 12

Expert Comment

by:TomRScott
ID: 38853684
Good to hear it is all working.

Regarding you having to route the subnet: Each router "routes" traffic. If you get a chance to look at the ASA's routing table you will find the following:

A default route (0.0.0.0): The 0.0.0.0 is a wild card address for anything that is not specified otherwise in the table.

A route for the new subnet that is on the inside.

Routes for any other subnets you have on the inside.

Most of the entries were probably setup by the router automatically.  However, the router has to be told, by the router's owner (you), about other routes when it has multiple internal routes going through other routers (or layer 3 switches which also route).

Your ISP IS routing that subnet at the gateway router they provide for you as well as other locations internal to them and other related configuration steps. However, since your ISP does not control your ASA router, they have no way of handling that last routing step that takes place within your router.

Best of Luck,

Tom
0
 

Author Comment

by:jgethers
ID: 38853697
Tom,

The issue for me is that when we work with other ISP's they always provide a "Modem".  We just plug in, assign our IPs and go.  It was a learning experience.

Thanks.
0
 
LVL 12

Expert Comment

by:TomRScott
ID: 38853729
Initially routing can be somewhat confusing, especially if you are having to use the Cisco CBOS text interface.

However, even with many of the modems (if they route, which most do now), if you have any internal public IP addresses you will have to setup the routing to get it through your modem/router.

Some ISPs will assist you with this. Of those, some will charge for the service, sometimes they will do it for free.

I highly recommend documenting your configuration, both because most small businesses just get a modem and use only private addressing on the inside, as you referenced, and because you may have to revisit this in the future.

Part of that documentation should include a diagram with each of your routing devices as well as the ISP's gateway, all with the IP addresses and subnet mask for each interface on the routers.

One last recommendation, backup the configuration on your ASA (and other routers) and change the file name to be descriptive of what it includes or adds to previous configuration backups.

 - Tom
0
 

Author Comment

by:jgethers
ID: 38853735
Already did.  Thanks Tom.
0
