• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 159
  • Last Modified:

New block of IP addresses - what to do with CISCOASA 5515

Hello,

Recently we just received a new block of IP addresses from our ISP.  the ISP made the IP addresses available on the same interface that our other block on IP addresses are on but I am wondering what do I need to do on the firewall to make the new IPs useable.

I'm familiar with the ASA but stuff liek this I don't usually come across so if I can get some instructions on what I need to do that would be great. thanks!
0
EA-170
Asked:
EA-170
  • 6
  • 5
1 Solution
 
szichenCommented:
Your ISP will route the new block of addresses over the current link that will come through the public IP address setup on the existing interface.
If you understand how NAT-ing works then all you need to do to make use of those public IPs is declare the new block of addresses in the network objects and add these to existing natting rules.
If the new block is for a new service on a new interface (on a new LAN) then a new NAT rule needs to be created for that new Interface and NATed to the new declared network objects for new block of public IP addresses.

If you are not sure, test the NAT rule on an unused Interface for Internet connection and check your IP once you get connectivity. Go to google and type "My IP". you should see an IP address that is from the new block the ISP gave you.

NOTE:
- The source interface is the Interface the traffic is coming from Internally
- The destination Interface is the existing Interface which has your old Public IP
- The translated address will be the new Public IP declared in the Network Objects.
0
 
EA-170Author Commented:
I should clarify - these new IPs are additional IPs to what we already have not for a new interface or service.  
So it is our existing ISP service and we still have the same original public IPs xxx.xxx.123.123-142 but then they gave us an additional 5 IP addresses xxx.xxx.124.123-128 but not contiguous to our original IPs but on the same interface.

So I created a network object for the internal server and setup a NAT to xxx.xxx.124.123

So do I just need to add another another static route on the outside interface to include the new gateway for the new range of IP addresses: xxx.xxx.124.122 which is the gateway IP?
So there is one setup already on the outside interface to the original gateway of xxx.xxx.123.122 with a metric of 1.
0
 
ffleismaSenior Network EngineerCommented:
I'll just add to further illustrate:
network diagram
The key here is that the upstream router is already routing the new IP/subnets towards your ASA. You don't need to reconfigure the outside interface or use the new IP on the existing outside interface or add a new interface. Also, you dont need to configure another default route.
you would configure static NAT normally as you would as illustrated in the example below
object network OBJECT_INTERNAL_192.168.1.100
 host 192.168.1.100
!
object network OBJECT_INTERNAL_192.168.1.200
 host 192.168.1.200
!
object network OBJECT_EXTERNAL_xxx.xxx.123.124
 host xxx.xxx.123.124
!
object network OBJECT_EXTERNAL_xxx.xxx.124.124
 host xxx.xxx.124.124
!
!
nat (inside,outside) 1 source static OBJECT_INTERNAL_192.168.1.100 OBJECT_EXTERNAL_xxx.xxx.123.124
nat (inside,outside) 2 source static OBJECT_INTERNAL_192.168.1.200 OBJECT_EXTERNAL_xxx.xxx.124.124

OR if you are using object nat commands

object network OBJECT_INTERNAL_192.168.1.100
 host 192.168.1.100
!
object network OBJECT_INTERNAL_192.168.1.100
 nat (inside,outside) static xxx.xxx.123.124
!
!
!
!
object network OBJECT_INTERNAL_192.168.1.200
 host 192.168.1.200
!
object network OBJECT_INTERNAL_192.168.1.200
 nat (inside,outside) static xxx.xxx.124.124

Open in new window

It seem awkward looking at first, but that is the setup when ISP has provided you another subnet. The important take is that the upstream router is sending packets towards your ASA for the new IP/subnet range. The ASA then process those packets by doing un-NAT then apply ACL policy. Hope this helps and if you have further questions, just let me know and I'll be glad to help you out.
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
szichenCommented:
The new block of IPs are already routed over the existing ISP link.
No need to add any route and you didn't need to create a network object for the internal server.

Since this is for existing services and nothing new then all you need to do is NAT translate to the new block of IPs.
0
 
EA-170Author Commented:
Thanks for both your replies and I guess what I find confusing that that I did create the NAT but the ISP is saying they are not detecting any traffic over the new gateway for the new block of IP addresses.  Which I am not sure how to troubleshoot to verify their claim.
0
 
szichenCommented:
You can test the NAT yourself by using a spare network Interface. NAT from the spare Interface to just one of the new public IPs rather than an entire block. Use static NAT.
- The destination Interface will be the existing Interface which has your existing Public IP
- The translated address will be the new Public IP declared in the Network Objects. Ensure you declare the new public IP you are testing. e.g. xxx.xxx.124.125
- The source interface is the spare Interface you are testing with. (e.g. 192.168.100.254 /24)

Once you've set this up:
1. Hook up the spare Interface to a switch

2. Take a spare laptop and plug it into the switch
  - IP e.g: 192.168.100.1
  - Mask 255.255.255.0
  - Gateway: 192.168.100.254
  - DNS 8.8.8.8

3. Create the access rule for incoming traffic to 192.168.100.0

4. Test Internet (Configure your browser to automatic detection if needed)

5. If Internet works then go to Google and type "My IP". It should show you the new public IP you are NAT-ing to.


If you manage to make the above work, you will be able to figure out the NAT rules for your existing network. Basically, you want to NAT to the new range of addresses using the old existing NAT rule that NAT's to the the old block. The old existing NAT rule should include the new block that should be declared in the the Network Objects.

Hope this helps.
0
 
EA-170Author Commented:
Hi Szichen,

Thanks for the followup response.  Since this firewall is at a co-location facility I am going to have schedule a trip out there but in the meantime I was re-reading you post and notice your comment about NAT translating the new block of IPs.  I pretty much work out of the ASDM so just curious how I would go about doing the NAT translating the new block as I think that might be my issue...
0
 
EA-170Author Commented:
I should clarify that last statement that we already have a network ojbect outside network with our existing range of IPs.  do I modify that object to include the new range of IPs or do I create a new network ojbect with the new range and use that in the access rule/NAT rule for the internal server?
0
 
szichenCommented:
Hi EA-170,

Yes, I actually meant for you to do it this way i.e. delare the new range of IPs in the existing range - sorry if it wasn't clear. The testing bit is good to understand how the NAT-ing works.
Once you declare the new IPs in the existing range on the NAT rule and "Apply" the changes, there is nothing else that needs to be done.

Sorry forgot to ask if you still need to know how to make changes to the NAT rule through ASDM? Just look for an existing NAT rule with the the public IP range and add the new bloc to that range.
0
 
EA-170Author Commented:
sorry for the late follow-up but had another network admin take a look and he found an issue with the ASA not set to route traffic to additional IPs on the same interface.  I forgot the specific term used but since that was essentially blocking traffic my NAT rules I setup were working but traffic wasn't being sent.
0
 
szichenCommented:
Great! Thanks for the feedback.
0
 
EA-170Author Commented:
was able to resolve the issue from another source.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now