Using Cisco ASA 5505 as internet router - Multiple Statics

I have a Cisco ASA 5505 on a fiber connection with 5 usable statics. The ASA is the internet router/gateway and I have an internal VLAN set to the gateway address for the pack of statics. All traffic for that pack is forwarded to a single static which is assigned to the outside interface. I have 2 routers inside on that VLAN that need external IPs: one for internet and one for a VPN connection. How can I pass all traffic to the internal VLAN meant for both statics so I do not have to forward ports? Internet works fine, but if I want SMTP or SSL to pass through for one of the 5-pack statics I have to forward those ports on the outside interface static. If all traffic is going to that single outside static, how do I allow VPNs on both internal statics?
Asked by jgethers
1 Solution
 
TomRScott commented:
How about a diagram?

          ISP Gateway
           a.a.a.1 /??
                    |
             a.a.a.200                    Outside (last octet is just a random example)
            ASA 5505
             b.b.b.1 /29                 Inside routable or public IP. (last octet just an example)
                    |
             VLAN Switch
                    |
     ----------------------------------------------------------------------------------------
     |                   |                   |                     |                    |
b.b.b.2           b.b.b.3          b.b.b.4           b.b.b.5           b.b.b.6         <== Outside ports
Router 1        Router 2       Router 3        Router 4        Router 5
c.c.c.1             d.d.d.1          e.e.e.1           f.f.f.1              g.g.g.1        <== Inside ports/subnets

Is that close to what you have in mind?

 - Tom

mat1458 commented:
Like Tom, I have some problems understanding what you mean by "pack of statics" and the traffic for the pack that is forwarded to a single static. Maybe some config would clear up the situation.

Generally speaking: for each of the internet routers you will need one IP address of your block, since you want to be able to communicate over all ports, as I understand. If it's only a subset of ports that need to be accessible from the outside you might also do some port translation, but if you have the same ports on both routers that doesn't work.

jgethers (Author) commented:
I am essentially building out a cable modem. ISP's fiber switch to router. They say it is our job to take it from there.

single static 1.1.1.1 ------------> 5 pack of static IPs that we need to break out.

I have vlan created with the gateway of 5 pack as ip, internet works but I had to forward ports from single ip to get SMTP and other traffic to go to the static I want to route it to.  I have never done this before.  Usually we plug in to a cable modem and go.
asa.pdf
jgethers (Author) commented:
Pack = Block

TomRScott commented:
Please resend the pdf with the symbolic addressing attached to the port or interface of each router or host.

Note, each router should have an "outside" and an "inside" port or interface, each with an address from different subnets.

 - Tom

jgethers (Author) commented:
here you go.

It works but I want to pass all traffic to its respective block ip without forwarding ports from the outside interface on R1.

TomRScott commented:
There is no attachment in the last comment.  Was there supposed to be?

 - Tom

mat1458 commented:
The picture is what I expected but I still don't understand what you are trying to do. Can you send the sanitized config of the ASA and the routers? That would make things a lot easier.

jgethers (Author) commented:
ISP gave us a single static.  We then needed more so they gave us a block in a different subnet. They forward all block ip traffic to the first static they gave us.  It is our job to break it out.

a.a.a.a is the first static.
b.b.b.b - b.b.b.f is what they gave us in the block.

I assigned the b.b.b.x addresses to the LAN firewalls' outside interfaces.

I just want to be able to have everything forward from the ASA to its correct external IP that is assigned to the internal firewalls. Right now I have to use PAT to direct traffic from the outside interface on the 1st firewall (a.a.a.a).

TomRScott commented:
Ah.  Sounds like you want to "route" that address block. Forwarding is different.

Forwarding is taking inbound traffic addressed to one IP (typically public) and forwarding it to a private address that is unknown and protected from the outside world except for this one service.

I'm a little confused if you have an address that is part of an 8 address subnet on the outside of your ASA router or if you have another public static IP on the outside. Note your ISP is probably not forwarding, but just routing anything addressed to that subnet (and not just for one IP in the subnet) to the public IP of your ASA, a.a.a.200 in my diagram.

You need to route anything for that subnet to an internal interface of the ASA.

To setup the routing, all you need to do is add an entry in the routing table of the ASA. Roughly speaking, the table entry states that traffic to the subnet address of the block of 6 (including a gateway) addresses received on the outside interface is routed to the inside interface (which should have the gateway address of the supplied subnet, b.b.b.1 in my diagram).

Not knowing the specifics of your router, I can't use specifics so I'll continue with general terms using my diagram.

Traffic received on the interface hosting a.a.a.200 and targeted for b.b.b.0 (the subnet address) should be routed to the interface hosting b.b.b.1.

I notice you only got a block of five addresses, yet you are to be hosting the entire block including the gateway for the block. Normally you would have received a subnet of 8 addresses for this including the subnet address and the broadcast address, leaving you with 6 usable host addresses (including the gateway address, which would be an inside interface of your ASA).

Conversely, when an ISP is providing the gateway and gives you a block of addresses from an 8 address subnet the maximum number of addresses they can give you is 5 since they have to retain one for themselves for their gateway router.

It sounds to me that you need to talk to your ISP and clarify if they believe they are providing a gateway in the subnet from which you received the addresses.  They may believe that they are doing so and held back that address.

However, I think they gave you what you requested and there is just some confusion on basic routing.

If this helps, great. If you need more detail such as masking, etc. please provide a more detailed diagram. The first three octets of each IP address are not needed for discussion purposes and should be replaced with something similar to what I did in my diagram (for your security). Please also provide any masking information that your ISP has provided for all addresses involved. Masks take one of two forms: 255.255.255.0 (254 addresses) or similar, or /24 (also 254 addresses). For your block of 5 or 6 addresses, you would likely have received a mask of /29 or 255.255.255.248 from your ISP. Knowing the mask for this block of addresses would help clarify the situation.

Bottom Line: Using a routing table entry will route all traffic to the desired internal, yet publicly addressed routers and no port forwarding will be required.

 - Tom

jgethers (Author) commented:
We got this working today. Tom, you are right. They gave us a block of 8 but with the gateway we only had 5 usable to us. I still don't think we should have to route these addresses; it should be the ISP's responsibility.

TomRScott commented:
Good to hear it is all working.

Regarding you having to route the subnet: each router "routes" traffic. If you get a chance to look at the ASA's routing table you will find the following:

A default route (0.0.0.0): the 0.0.0.0 is a wild card address for anything that is not specified otherwise in the table.

A route for the new subnet that is on the inside.

Routes for any other subnets you have on the inside.

Most of the entries were probably set up by the router automatically. However, the router has to be told, by the router's owner (you), about other routes when it has multiple internal routes going through other routers (or layer 3 switches, which also route).

Your ISP IS routing that subnet at the gateway router they provide for you as well as other locations internal to them and other related configuration steps. However, since your ISP does not control your ASA router, they have no way of handling that last routing step that takes place within your router.

Best of Luck,

Tom
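As an added illustration (not code from this thread, from Cisco, or from the ASA itself), here is a small Python model of what Tom describes in his two posts above: the /29 block of 8 addresses with the ASA's inside interface acting as its gateway, and a longest-prefix-match routing table holding a default route, the connected route for the public block, and a hypothetical LAN behind one internal router. RFC 5737 documentation addresses stand in for the a.a.a.x and b.b.b.x placeholders.

```python
import ipaddress

# Constructed example: RFC 5737 documentation ranges stand in for the
# thread's a.a.a.x (ISP link) and b.b.b.x (routed block) placeholders.
ISP_GATEWAY = ipaddress.ip_address("192.0.2.1")            # a.a.a.1
OUTSIDE_IF = ipaddress.ip_interface("192.0.2.200/24")      # ASA outside, a.a.a.200
INSIDE_IF = ipaddress.ip_interface("198.51.100.1/29")      # ASA inside = gateway of the block
BLOCK = INSIDE_IF.network                                  # 198.51.100.0/29, the "block of 8"


def block_accounting(block, gateway):
    """Return (total, usable, assignable): 8 addresses, 6 hosts once network
    and broadcast are dropped, 5 left for internal routers after the gateway."""
    hosts = list(block.hosts())
    assignable = [str(h) for h in hosts if h != gateway]
    return block.num_addresses, len(hosts), assignable


# Routing table in the shape Tom describes: a default route to the ISP, the
# connected route for the public /29 on the inside, and a private LAN behind
# router 1 (10.0.0.0/24 via 198.51.100.2 is hypothetical).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside", ISP_GATEWAY),
    (BLOCK, "inside", None),  # None = directly connected, deliver to the host
    (ipaddress.ip_network("10.0.0.0/24"), "inside", ipaddress.ip_address("198.51.100.2")),
]


def route(dst):
    """Longest-prefix match: returns (egress interface, next hop) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    _, iface, next_hop = best
    return iface, str(next_hop if next_hop is not None else dst)


def inbound_disposition(dst):
    """What the ASA does with a packet that arrives on the outside interface."""
    if ipaddress.ip_address(dst) == OUTSIDE_IF.ip:
        return "terminates on ASA: reachable only through a static/PAT rule"
    iface, _ = route(dst)
    return "routed to inside, no port forwarding" if iface == "inside" else "not local, not forwarded"


if __name__ == "__main__":
    print(block_accounting(BLOCK, INSIDE_IF.ip))
    for d in ("198.51.100.3", "10.0.0.50", "192.0.2.200"):
        print(d, route(d), inbound_disposition(d))
```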

jgethers (Author) commented:
Tom,

The issue for me is that when we work with other ISPs they always provide a "modem". We just plug in, assign our IPs and go. It was a learning experience.

Thanks.

TomRScott commented:
Initially routing can be somewhat confusing, especially if you are having to use the Cisco CBOS text interface.

However, even with many of the modems (if they route, which most do now), if you have any internal public IP addresses you will have to setup the routing to get it through your modem/router.

Some ISPs will assist you with this. Of those, some will charge for the service, sometimes they will do it for free.

I highly recommend documenting your configuration, both because most small businesses just get a modem and use only private addressing on the inside, as you referenced, and because you may have to revisit this in the future.

Part of that documentation should include a diagram with each of your routing devices plus the ISP's gateway, all with the IP addresses and subnet mask for each interface on the routers.

One last recommendation, backup the configuration on your ASA (and other routers) and change the file name to be descriptive of what it includes or adds to previous configuration backups.

 - Tom

jgethers (Author) commented:
Already did.  Thanks Tom.