Solved

ASA 5505 How to configure outside interface with 2 IP Adresses

Posted on 2015-01-06
9
632 Views
Last Modified: 2015-01-09
Our ISP has given us two ranges of IP addresses. One set is what they term the usable IP's for static/dynamic mapping purposes, and the other is the routing addresses of the ISP. For example, we have a range of X.X.X.73 - X.X.X.78/29. We currently have 4 of these addresses statically mapped to specific inside addresses. However, the route to the ISP is on a completely different subnet (X.X.X.30/30). With our current solution, we have the outside interface setup with the ISP Gateway address of the X.X.X.30/30 and it's route out of X.X.X.29/30. Our useable address of .73/29 is then set as a nat policy doing a source translation that configures a dynamic ip and port. We have various locations that use PIX 501's to VPN into our current solution. The VPN tunnels have to be set with the .30/30 ip address while any ssh configuration for those PIX's requires us to use the .73/29 ip address. I haven't had much experience with the ASA 5505 and am looking for a way to accomplish this, but not sure how to go about it. Just looking for some guidance here. Config-Doc.docx
0
Comment
Question by:rtomasik
  • 5
  • 3
9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40534460
You don't.  When you configure a static IP address the ASA will arp that out if it's in the same subnet and, if not, then that IP will be routed to you.

It just works.
0
 

Author Comment

by:rtomasik
ID: 40535444
I thank you for your response, however that's my problem. I didn't think that I would need to get this detailed, however, let me provide some more information. In the past we had a PIX firewall that we used as our solution and we programmed our outside interface with the first IP address in the range of usable IP's .73/29, However, when we used the route command to route our traffic to the ISP's router address, .29/30, we couldn't get anywhere. We had our ISP techs out here for 2 days and we couldn't get it to work properly. So, this is how the configuration according to them, and what I understood, should have been, nothing additional.

PIX:

interface outside ip address X.X.X.73 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1 (the ISP /30 gateway)

Again for 2 days they couldn't get anything to work. After looking at the information provided by the ISP, it looked as if we were missing a hop somewhere, like we needed to bridge the gap so to speak. Finally I independently tried to work things out through a secondary router. We had an 1800 series available so I used that one. The resulting configuration was this:

PIX

interface outside ip address X.X.X.74 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.73 1

1800 series

interface ethernet0/0 ip address X.X.X.73 255.255.255.248
interface ethernet0/1 ip address X.X.X.30 255.255.255.252
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1

Reading all the commands that we had at our disposal at the time, there seemed there was no other way to work around this. This was the only fix that I could come up with.  Not only was it inconvenient, but we also lost an IP address that could have been used to map statically to a device. For our current solution, we have a Palo Alto firewall which allows us to configure the outside interface as the X.X.X.30/30 address and create a static route to the .29/30 address of the ISP's router. All inside traffic can get out to the internet. We then are able to use a policy to translate that interface's IP address to the first IP address in the "usable" range that they gave us. It is important that that interface is seen by the outside as the .73/29 address since that is what our ISP is assigning us. Also, we need this because of our VPN configurations. While our PIX's are configured with the following to create the tunnels,

isakmp key ******** address X.X.X.30 (outside interface of the Palo Alto) netmask X.X.X.X no-xauth

the ssh configuration that we need to use to make them accessible from our corporate network is,

ssh X.X.X.73 X.X.X.X outside (translated ip address in the nat policy)

I did try configuring the ssh command with the /30 subnet address, but it was as if we didn't exist.

The only other additional configuration that the Palo Alto has is under interfaces. We created a loopback interface. This interface has all the usable IP addresses given to us by our ISP configured to it. When they assisted me in setting it up, the addresses were assigned to it with a /32 subnet.

After seeing the configuration that we use with the Palo Alto, it seemed to me that there must be some way to do the same with the ASA 5505. Again, I'm not familiar with this appliance so I'm stumped. Configuration wise it seems similar to the PIX's, but I know that it has so much more functionality.

Thanks again for your reply.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40535783
You shouldn't have to put the /29 on the outside interface -- that's for the /30.

What version of software are you running on the PIX?
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:rtomasik
ID: 40535844
We're not using a PIX at the corporate office, but we are looking at the ASA 5505 as a possible backup solution. The version of Software is ASA 8.4(2).

So the question still remains how will the outside know where the /29 addresses are located? We had that problem initially when we were programming the Palo Alto. That's why we needed to make the Loopback interface configuration and the NAT Policy for the outside interface.
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40535857
Easy.

Put the /30 on the outside interface and route outside to your gateway.

Your provider should be routing the /29 to your outside IP (that's how the outside will know where they are).

When you configure your static IPs, they become "live", there is nothing special that you do.  

I configure static NAT on all kinds of 5500s and it just works.

And don't even compare Palo Alto the the Cisco.  You are better off with Cisco in my opinion.
0
 

Author Comment

by:rtomasik
ID: 40535875
Ok. I'll have to try. Thanks.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40539762
Jan is correct, its quite common to have different subnet ranges outside of your firewall, the onus is on the ISP you get those subnets routed to YOU, not on you to route back to them :)
Cisco ASA 5500 - Adding New 'Different Range' Public IP Addresses


Pete
0
 

Author Comment

by:rtomasik
ID: 40540014
I appreciate the information. Unfortunately I won't be able to completely test this in the immediate future so I will be closing this question and accepting the solution. It the need arises again I will ask again. Thanks to both.
0
 

Author Closing Comment

by:rtomasik
ID: 40540017
I gave this rating only since I will not be able to test this solution in the immediate future.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Stuck in INIT/DROTHER 2 49
using BGP Attributes 2 108
Need help on Windows Firewall blocking program 7 46
Cisco Maximum Prefixes Allowed for Customer 5 33
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question