Solved

ASA 5505: How to configure the outside interface with 2 IP addresses

Posted on 2015-01-06
Last Modified: 2015-01-09
Our ISP has given us two ranges of IP addresses. One set is what they term the usable IPs for static/dynamic mapping purposes, and the other is the routing addresses of the ISP. For example, we have a range of X.X.X.73 - X.X.X.78/29. We currently have 4 of these addresses statically mapped to specific inside addresses. However, the route to the ISP is on a completely different subnet (X.X.X.30/30). With our current solution, we have the outside interface set up with the ISP gateway address of the X.X.X.30/30 and its route out of X.X.X.29/30. Our usable address of .73/29 is then set as a NAT policy doing a source translation that configures a dynamic IP and port. We have various locations that use PIX 501s to VPN into our current solution. The VPN tunnels have to be set with the .30/30 IP address, while any SSH configuration for those PIXs requires us to use the .73/29 IP address. I haven't had much experience with the ASA 5505 and am looking for a way to accomplish this, but am not sure how to go about it. Just looking for some guidance here.

Attachment: Config-Doc.docx
Question by: rtomasik
9 Comments

Expert Comment

by: Jan Springer
You don't. When you configure a static IP address, the ASA will ARP that out if it's in the same subnet and, if not, then that IP will be routed to you.

It just works.

Author Comment

by: rtomasik
I thank you for your response; however, that's my problem. I didn't think that I would need to get this detailed; however, let me provide some more information. In the past we had a PIX firewall that we used as our solution, and we programmed our outside interface with the first IP address in the range of usable IPs, .73/29. However, when we used the route command to route our traffic to the ISP's router address, .29/30, we couldn't get anywhere. We had our ISP techs out here for 2 days and we couldn't get it to work properly. So this is how the configuration, according to them and to my understanding, should have been, with nothing additional.

PIX (6.x syntax):

ip address outside X.X.X.73 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1    (the ISP /30 gateway)

Again, for 2 days they couldn't get anything to work. After looking at the information provided by the ISP, it looked as if we were missing a hop somewhere, like we needed to bridge the gap, so to speak. Finally I independently tried to work things out through a secondary router. We had an 1800 series available, so I used that one. The resulting configuration was this:

PIX (6.x syntax):

ip address outside X.X.X.74 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.73 1    (the 1800's LAN-side address)

1800 series (IOS syntax):

interface Ethernet0/0
 ip address X.X.X.73 255.255.255.248
!
interface Ethernet0/1
 ip address X.X.X.30 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 X.X.X.29    (the ISP /30 gateway)

Reading all the commands that we had at our disposal at the time, it seemed there was no other way to work around this. This was the only fix that I could come up with. Not only was it inconvenient, but we also lost an IP address that could have been used to map statically to a device. For our current solution, we have a Palo Alto firewall, which allows us to configure the outside interface as the X.X.X.30/30 address and create a static route to the .29/30 address of the ISP's router. All inside traffic can get out to the internet. We are then able to use a policy to translate that interface's IP address to the first IP address in the "usable" range that they gave us. It is important that that interface is seen by the outside as the .73/29 address, since that is what our ISP is assigning us. Also, we need this because of our VPN configurations. While our PIXs are configured with the following to create the tunnels,

isakmp key ******** address X.X.X.30 (outside interface of the Palo Alto) netmask X.X.X.X no-xauth

the SSH configuration that we need to use to make them accessible from our corporate network is,

ssh X.X.X.73 X.X.X.X outside (translated ip address in the nat policy)

I did try configuring the SSH command with the /30 subnet address, but it was as if we didn't exist.

The only other additional configuration that the Palo Alto has is under interfaces. We created a loopback interface. This interface has all the usable IP addresses given to us by our ISP configured to it. When they assisted me in setting it up, the addresses were assigned to it with a /32 subnet.

After seeing the configuration that we use with the Palo Alto, it seemed to me that there must be some way to do the same with the ASA 5505. Again, I'm not familiar with this appliance, so I'm stumped. Configuration-wise it seems similar to the PIXs, but I know that it has so much more functionality.

Thanks again for your reply.

Expert Comment

by: Jan Springer
You shouldn't have to put the /29 on the outside interface -- that's for the /30.

What version of software are you running on the PIX?

Author Comment

by: rtomasik
We're not using a PIX at the corporate office, but we are looking at the ASA 5505 as a possible backup solution. The software version is ASA 8.4(2).

So the question still remains: how will the outside know where the /29 addresses are located? We had that problem initially when we were programming the Palo Alto. That's why we needed to make the loopback interface configuration and the NAT policy for the outside interface.

Accepted Solution

by: Jan Springer (earned 500 total points)
Easy.

Put the /30 on the outside interface and route outside to your gateway.

Your provider should be routing the /29 to your outside IP (that's how the outside will know where they are).

When you configure your static IPs, they become "live"; there is nothing special that you do.

I configure static NAT on all kinds of 5500s and it just works.

And don't even compare Palo Alto to the Cisco. You are better off with Cisco in my opinion.

Author Comment

by: rtomasik
Ok. I'll have to try. Thanks.

Expert Comment

by: Pete Long
Jan is correct; it's quite common to have different subnet ranges outside of your firewall. The onus is on the ISP to get those subnets routed to YOU, not on you to route back to them :)
Cisco ASA 5500 - Adding New 'Different Range' Public IP Addresses


Pete
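Putting the accepted solution and Pete's follow-up into an actual ASA 8.4(2) configuration, as an added example that is not part of any post in this thread and not the asker's real config: the /30 goes on the outside interface, the only route is the default toward the ISP's .29, and the /29 addresses appear nowhere except in NAT statements, because the ISP routes that block to X.X.X.30. The X.X.X placeholders are the thread's own; the interface layout (Vlan1 inside, Vlan2 outside, the 5505 default), the inside network 192.168.1.0/24, the server at 192.168.1.10, the remote-site network 10.1.0.0/16, the management source network and the published port 443 are all assumptions made for illustration.

```cisco
! Added example, not from the thread. Cisco ASA 5505, software 8.4(2).
! Assumed addressing (not from the original posts):
!   inside LAN 192.168.1.0/24 on Vlan1, published server 192.168.1.10,
!   remote PIX 501 sites' LANs in 10.1.0.0/16, reached over the L2L VPN.
! From the thread: X.X.X.29/30 = ISP router, X.X.X.30/30 = this ASA's outside
! address, X.X.X.73-78/29 = "usable" block the ISP routes to X.X.X.30.

interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.30 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The /30 is the only subnet we route. The /29 never appears in a route:
! it is the ISP's job to route it to X.X.X.30.
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network remote-site-net
 subnet 10.1.0.0 255.255.0.0
object network web-server
 host 192.168.1.10
!
! Identity (no-NAT) rule for VPN traffic. Manual NAT (section 1) is evaluated
! before object NAT (section 2), so site-to-site traffic is not PATed to .73.
nat (inside,outside) source static inside-net inside-net destination static remote-site-net remote-site-net
!
! Outbound Internet traffic: dynamic PAT behind the first usable address, so
! the Internet (and the remote sites' "ssh X.X.X.73 ... outside" lines) see
! X.X.X.73, not the /30 interface address.
object network inside-net
 nat (inside,outside) dynamic X.X.X.73
!
! Inbound static mapping: one usable address per published host. Nothing else
! is needed for X.X.X.74 to become "live"; the ASA answers for it because the
! whole /29 is routed to X.X.X.30.
object network web-server
 nat (inside,outside) static X.X.X.74
!
! In 8.3+ the interface ACL matches the real (inside) address, not the mapped one.
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside
!
! Management and VPN terminate on the interface address itself (X.X.X.30).
! Remote sites keep "isakmp key ... address X.X.X.30" and SSH to X.X.X.30;
! a NAT address is never a listener for the ASA's own services.
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.0.0 outside
ssh version 2
!
! Verification (203.0.113.5 is a documentation address standing in for any
! Internet host):
!   show route            -> default via X.X.X.29 on outside, nothing for the /29
!   show nat detail       -> the three translations above, with hit counts
!   packet-tracer input outside tcp 203.0.113.5 40000 X.X.X.74 443
!                         -> ends in ALLOW, NAT phase untranslates .74 to 192.168.1.10
! If packet-tracer passes but a traceroute from outside to X.X.X.74 dies at the
! ISP's router, the /29 is not being routed to X.X.X.30; that is the ISP's fix.
```

The ordering matters on 8.3+ code: the identity twice-NAT rule must be in section 1 (the default for `nat ... source static` entered without `after-auto`), otherwise VPN-bound traffic from the inside network hits the dynamic PAT rule and is translated to X.X.X.73 before it reaches the crypto map.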

Author Comment

by: rtomasik
I appreciate the information. Unfortunately I won't be able to completely test this in the immediate future, so I will be closing this question and accepting the solution. If the need arises again, I will ask again. Thanks to both.

Author Closing Comment

by: rtomasik
I gave this rating only since I will not be able to test this solution in the immediate future.