ASA 5505: How to configure the outside interface with 2 IP addresses

Posted on 2015-01-06
Last Modified: 2015-01-09
Our ISP has given us two ranges of IP addresses. One set is what they term the usable IPs, for static/dynamic mapping purposes, and the other is the routing addresses of the ISP. For example, we have a range of X.X.X.73 - X.X.X.78/29. We currently have 4 of these addresses statically mapped to specific inside addresses. However, the route to the ISP is on a completely different subnet (X.X.X.30/30). With our current solution, we have the outside interface set up with the ISP gateway address of the X.X.X.30/30 and its route out via X.X.X.29/30. Our usable address of .73/29 is then set as a NAT policy doing a source translation that configures a dynamic IP and port. We have various locations that use PIX 501s to VPN into our current solution. The VPN tunnels have to be set with the .30/30 IP address, while any SSH configuration for those PIXs requires us to use the .73/29 IP address. I haven't had much experience with the ASA 5505 and am looking for a way to accomplish this, but I'm not sure how to go about it. Just looking for some guidance here.

Attachment: Config-Doc.docx
Question by:rtomasik
9 Comments
 
Expert Comment

by:Jan Springer
ID: 40534460
You don't.  When you configure a static IP address, the ASA will ARP for it if it's in the same subnet and, if not, that IP will be routed to you.

It just works.

Author Comment

by:rtomasik
ID: 40535444
Thank you for your response; however, that's my problem. I didn't think that I would need to get this detailed, but let me provide some more information. In the past we had a PIX firewall that we used as our solution, and we programmed our outside interface with the first IP address in the range of usable IPs, .73/29. However, when we used the route command to route our traffic to the ISP's router address, .29/30, we couldn't get anywhere. We had our ISP techs out here for 2 days and we couldn't get it to work properly. So, according to them, and as I understood it, this is how the configuration should have been, with nothing additional.

PIX (6.x syntax; X.X.X.29 is the ISP /30 gateway):

ip address outside X.X.X.73 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1

Again, for 2 days they couldn't get anything to work. After looking at the information provided by the ISP, it looked as if we were missing a hop somewhere, as if we needed to bridge the gap, so to speak. Finally I independently tried to work things out through a secondary router. We had an 1800 series available, so I used that one. The resulting configuration was this:

PIX (6.x syntax; the default route now points at the router's .73 address):

ip address outside X.X.X.74 255.255.255.248
route outside 0.0.0.0 0.0.0.0 X.X.X.73 1

1800 series (IOS syntax; the interfaces on this platform are FastEthernet, and the default route is "ip route"):

interface FastEthernet0/0
 ip address X.X.X.73 255.255.255.248
 no shutdown
interface FastEthernet0/1
 ip address X.X.X.30 255.255.255.252
 no shutdown
ip route 0.0.0.0 0.0.0.0 X.X.X.29

Reading all the commands that we had at our disposal at the time, there seemed to be no other way to work around this. This was the only fix that I could come up with. Not only was it inconvenient, but we also lost an IP address that could have been used to map statically to a device. For our current solution, we have a Palo Alto firewall, which allows us to configure the outside interface as the X.X.X.30/30 address and create a static route to the .29/30 address of the ISP's router. All inside traffic can get out to the internet. We are then able to use a policy to translate that interface's IP address to the first IP address in the "usable" range that they gave us. It is important that that interface is seen by the outside as the .73/29 address, since that is what our ISP is assigning us. We also need this because of our VPN configurations. While our PIXs are configured with the following to create the tunnels,

isakmp key ******** address X.X.X.30 (outside interface of the Palo Alto) netmask X.X.X.X no-xauth

the ssh configuration that we need to use to make them accessible from our corporate network is,

ssh X.X.X.73 X.X.X.X outside (translated ip address in the nat policy)

I did try configuring the ssh command with the /30 subnet address, but it was as if we didn't exist.

The only other additional configuration that the Palo Alto has is under interfaces. We created a loopback interface. This interface has all the usable IP addresses given to us by our ISP configured to it. When they assisted me in setting it up, the addresses were assigned to it with a /32 subnet.

After seeing the configuration that we use with the Palo Alto, it seemed to me that there must be some way to do the same with the ASA 5505. Again, I'm not familiar with this appliance so I'm stumped. Configuration wise it seems similar to the PIX's, but I know that it has so much more functionality.

Thanks again for your reply.
Expert Comment

by:Jan Springer
ID: 40535783
You shouldn't have to put the /29 on the outside interface -- that's for the /30.

What version of software are you running on the PIX?
Author Comment

by:rtomasik
ID: 40535844
We're not using a PIX at the corporate office, but we are looking at the ASA 5505 as a possible backup solution. The software version is ASA 8.4(2).

So the question still remains: how will the outside know where the /29 addresses are located? We had that problem initially when we were programming the Palo Alto. That's why we needed to make the loopback interface configuration and the NAT policy for the outside interface.
Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 40535857
Easy.

Put the /30 on the outside interface and route outside to your gateway.

Your provider should be routing the /29 to your outside IP (that's how the outside will know where they are).

When you configure your static IPs, they become "live", there is nothing special that you do.  

I configure static NAT on all kinds of 5500s and it just works.

And don't even compare Palo Alto to the Cisco.  You are better off with Cisco in my opinion.
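Putting the accepted answer together with the Palo Alto layout rtomasik described earlier (interface on the /30, default route to .29, outbound traffic translated to .73, the rest of the /29 used for statics), this is what that looks like on an ASA 5505 running 8.4(2). It is an added example, not configuration from the thread, the ISP, or Cisco. The placeholder addresses are the thread's: the ISP link is taken to be X.X.X.28/30 (ISP side .29, ASA side .30) and the usable block X.X.X.72/29 (.73 through .78). The inside LAN (10.0.0.0/24), the two inside servers (10.0.0.10 and .11), the remote PIX 501's public address (198.51.100.5) and its LAN (192.168.10.0/24) are assumptions made for illustration, as are the object and ACL names.

```cisco
! Added example, not from the thread: ASA 5505 on 8.4(2) doing what the
! Palo Alto in the question does. Real addresses from the thread: ISP link
! X.X.X.28/30 (ISP .29, ASA .30), usable block X.X.X.72/29 (.73-.78).
! Assumed for illustration: inside LAN 10.0.0.0/24, servers 10.0.0.10/.11,
! remote PIX 501 at 198.51.100.5 with LAN 192.168.10.0/24.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.30 255.255.255.252
!
! Only the /30 is configured on the interface; the /29 is never assigned
! anywhere. The ISP routes the /29 to X.X.X.30, so this box is its next hop.
route outside 0.0.0.0 0.0.0.0 X.X.X.29 1
!
! Outbound PAT: everything from inside leaves as .73, the first usable
! address, which is the source the remote PIXes must allow for SSH.
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic X.X.X.73
!
! One-to-one statics from the rest of the /29. No ARP or route entry is
! needed for .74/.75: a packet for them arrives via the ISP's route and is
! untranslated by the matching static before the outside ACL is checked.
object network SRV-WEB
 host 10.0.0.10
 nat (inside,outside) static X.X.X.74
object network SRV-MAIL
 host 10.0.0.11
 nat (inside,outside) static X.X.X.75
!
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
!
! Identity NAT for the tunnel. Manual (section 1) NAT is evaluated before
! the object NAT above, so VPN traffic keeps its real addresses instead
! of being translated to .73.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Since 8.3 the outside ACL matches the real (inside) address, not the mapped one.
access-list OUTSIDE_IN extended permit tcp any object SRV-WEB eq 443
access-list OUTSIDE_IN extended permit tcp any object SRV-MAIL eq 25
access-group OUTSIDE_IN in interface outside
!
! IKEv1 site-to-site to the remote PIX. The PIX peers with the interface
! address, so its side keeps "isakmp key ... address X.X.X.30".
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN-REMOTE1 extended permit ip object INSIDE-LAN object REMOTE-LAN
crypto map OUTSIDE_MAP 10 match address VPN-REMOTE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key ********
!
! Checks before trusting it (run from the ASA CLI):
! packet-tracer input outside tcp 203.0.113.9 40000 X.X.X.74 443   (static: expect ALLOW)
! packet-tracer input inside tcp 10.0.0.50 40000 203.0.113.9 80     (expect PAT to .73)
! packet-tracer input inside tcp 10.0.0.50 40000 192.168.10.5 22    (expect VPN, no NAT)
! show nat detail, show xlate, show crypto ikev1 sa
```

The one thing to confirm with the ISP is that their route for the /29 has X.X.X.30 as its next hop; that is the only place the two ranges are tied together, and it would also explain why a PIX with .73 on its outside interface and a default route to .29 never got replies back, since nothing was answering as .30. The remote PIX 501s need no change: they still peer with .30 for IKE and still see corporate traffic sourced from .73, so their existing "ssh X.X.X.73 ... outside" line stays as it is. Proxy ARP on the outside interface plays no part in the statics here, because .74 and .75 are not in the interface's subnet; the no-proxy-arp keyword on the identity NAT only stops the ASA from answering for the remote LAN.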

Author Comment

by:rtomasik
ID: 40535875
Ok. I'll have to try. Thanks.
Expert Comment

by:Pete Long
ID: 40539762
Jan is correct; it's quite common to have different subnet ranges outside of your firewall. The onus is on the ISP to get those subnets routed to YOU, not on you to route back to them :)
Cisco ASA 5500 - Adding New 'Different Range' Public IP Addresses


Pete

Author Comment

by:rtomasik
ID: 40540014
I appreciate the information. Unfortunately I won't be able to completely test this in the immediate future, so I will be closing this question and accepting the solution. If the need arises again I will ask again. Thanks to both.

Author Closing Comment

by:rtomasik
ID: 40540017
I gave this rating only since I will not be able to test this solution in the immediate future.