IP Routing Cisco ASA

I am using a Cisco ASA 5505 Sec Plus Version 8.2 (5). My ISP has provided me with two subnets. The first is a WAN /30 which provides the peering between my ISP and the outside interface attached to the ISP handoff. The second IP subnet is a LAN subnet, a publicly routed /28. I have assigned the single usable IP from the /30 to the outside interface of my ASA to access the internet. I am able to route the /28 as needed through ACLs and NATs. I am installing a hosted VoIP system that needs to assign one of the IPs from my /28 to its WAN interface. Normally I would just use a layer 2 switch and set this device up parallel to my ASA. Since everything is behind the /30, however, this is not possible. I must place the VoIP device behind my ASA. So I need to route incoming traffic being sent to a specific IP in my /28 block to the VoIP device behind my ASA. Let me know if additional details are needed. Thanks.
Matthew Galiano (CTO) asked:

thebigmammal (Director of IT) commented:
If I understand the question correctly you have a few options to troubleshoot, set up, and control this particular issue.

1. Syslog - holds the answer since no other devices are involved, as it's a real-time traffic monitor via ASDM.  I'd show the access-list matches to see what ACLs are getting hit most; this could also reveal a trouble ACL.
2. ACLs - you may have locked down your security to block such traffic.
3. Routing - is the phone static or dynamic DHCP? I like to route phones directly to providers to avoid hacking/fraud issues.

Your answer will lie in the syslog capture.  Watch the capture, plug the phone in and watch the traffic "fail" - I don't have an ASA handy to show screenshots, setup and an example for you.  An example of a similar situation is provided below, although it did involve a switch between phone and ASA. But routing the phones below was done all layer 3 instead of 2, per your particular issue.

An example of myself having to accomplish the same objective - a client had an unstable cable internet, and we used a major external VoIP vendor, as the cable was unstable enough for calls to drop. So within the environment all IPs on a specific VLAN I routed out a different gateway-of-last-resort (a very stable older 5Mps/5Mps DSL line) to be pushed out and allowed only to the vendor's owned IP block(s).  This way all traffic except phones went out the cable, and the phones were forced out the DSL only to the VoIP provider's owned IP blocks.  This was more stable, and more secure as the traffic is essentially implicitly restricted. This was all done via a 5520 (5505's big brother); no special ACLs required, although you could do it with ACLs, I just found routing it easier.

Hope this helps - if/when I pull out my old 5505 I'll try to provide screenshots, both ASDM and CLI when possible, to show what and where to apply these changes - perhaps these suggestions help point you in the right direction.
JustInCase commented:
Let me try to simplify the situation, reducing the problem to what you are already familiar with.
If you added an L3 switch in front of the ASA, configured as:

ip routing
!
! uplink to ISP (ip address x.x.x.1/30) (could also be SVI for vlan X and assign access port to it)
!
interface gi0/1
 no switchport
 ip address x.x.x.2 255.255.255.252
 no shut
!
vlan 10
 name MyPublicIPspace
!
interface vlan 10
 ip address y.y.y.1 255.255.255.240
!
interface range gi0/2-16
 switchport
 switchport mode access
 switchport access vlan 10
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1


This way you have reduced the problem to what you already know. This is exactly the same as the situation where you have the ISP's router connected to an L2 switch. Address y.y.y.1/28 is in this case equivalent to the ISP's router IP address. You know how to deal with this. :)

There is also the possibility to permit traffic to your public IP address space on the ASA's untrusted interface and not to NAT traffic on the ASA but on downstream devices.
Matthew Galiano (CTO, author) commented:
Just to clarify, the device is a router (Edgewater) from my hosted VoIP provider. I have assigned this router a public IP from the /28 and have placed it behind my ASA. I have the Wan1 port plugged into port 6 on my ASA. I need to route traffic from my ISP through the ASA VLAN I created to the router.
Matthew Galiano (CTO, author) commented:
interface Vlan5
 nameif VoIP
 security-level 0
 ip address X.X.X.2 255.255.255.240

interface Ethernet0/6
 switchport access vlan 5

My initial thought was a static route:

route VoIP 0.0.0.0 0.0.0.0 X.X.X.1 1

However, I already have a static route on my outside interface to the /30 gateway.

The ASA does not support simultaneous routes with the same priority.
Matthew Galiano (CTO, author) commented:
The router from my hosted VoIP provider has been assigned X.X.X.3/28.
Matthew Galiano (CTO, author) commented:
Predrag Jovic, I took your suggestion using the ASA as the L3 switch. Did not work. Not sure if I need an ACL, a PAT or a static route.
JustInCase commented:
I hope the topology drawing with suggestions will be helpful.
[Image: L3 switch design]
If all traffic on the ASA from inside networks is NATted, then there is no need for additional routes on the L3 switch (ip routing must be enabled on the L3 switch).

Of course NATting is performed to IP addresses from your /28 IP address range.
Matthew Galiano (CTO, author) commented:
Thanks, but I am not looking to introduce additional hardware. I am not concerned about any inside networks either. I am trying to route traffic on a specific /28 IP through port 6 on my ASA to a device behind the ASA, plugged directly into port 6.
JustInCase commented:
Unfortunately I am not an ASA expert; I always struggle with ASAs. I wouldn't know how to configure this without a trial and error approach. For complex ASA configuration I am not a great help.
Ken Boone (Network Consultant) commented:
Ok, so normally this is where a lot of folks get confused with the ISP to ASA handoff with the multiple subnet thing.

The /30 is a throwback to the old days of leased lines.  In the old days, you would have a point to point circuit between the ISP and the customer ROUTER.  The router was needed to terminate the circuit.  The /30 public IP address was used on the end points on this leased line point to point circuit.  The LAN side of the router was connected to the firewall using the second routable subnet.  So this second routable subnet was attached to the Outside interface of the ASA.

Fast forward to today.  Now the circuit is ethernet and goes directly to the ASA or firewall and there is no need for a router in many cases.  There is no longer a need for both subnets, howbeit some ISPs still stick with this model.

So if you are forced to use this model, then the /30 will go on the outside interface.  You will not configure an IP address from the second subnet on an interface on your ASA.

The inside interface will have a private address space assigned.  Now normal setup is that the private addresses behind the ASA will NAT to the /30 on the outside interface when going out.

Now the /28 is another public address space that you can use for NAT.  You don't need to assign it to any interface per se.  You simply set up your nat rules to nat to this address space.

So in your example you would put a private address on your VOIP pbx and then you would have  a nat rule in your ASA that would nat the private address from the PBX to a public address in the /28 subnet on the outside.

Everything will work just fine, because the ISP is routing everything destined for the /28 subnet to the /30 address on the outside of your ASA.  Because you built the NAT and bound it between the inside and outside interfaces, the ASA knows how to handle the requests being nat'd to the /28.

If you wanted to you could even have an inside and a dmz with private addresses, and put the pbx in a dmz.  Don't know all of your requirements here.. and you can even set up NAT rules between the dmz and the /28 address space bound to the outside.

Basically you can use that /28 as if it really belongs on the outside interface although you don't configure it on the outside interface, you just program the nat rules accordingly.

Hope that helps.
Matthew Galiano (CTO, author) commented:
The VoIP server needs a /28 IP assigned to a physical WAN port. That is my problem. NAT won't work, otherwise this wouldn't be an issue.
Ken Boone (Network Consultant) commented:
OK now I understand.  In that case, you have two options.

#1 - go back to your ISP and tell them you don't need a /30 and that you only want to use the /28 on your circuit.  So they will need to reconfigure to use that /28 on the uplink which will then allow you to run in parallel with your ASA.

#2 - Set up ASA as needed which I think is what you are trying to accomplish.

So I would have an ASA with three layer 3 interfaces.

#1 - outside on /30
#2 - inside on private /24
#3 - PBX setup on /28

The ASA will have one default route configured, pointing at the /30 address on the other side of the link.
ASA does not need routes configured for the /28 because it will be directly attached to that network and will know how to route to it.
Since you are running this on a 5505 all of the interfaces are VLAN based interfaces,  setup port 6 to belong to the VLAN you assigned to #3 above.  
The PBX will have an address on its WAN interface out of the /28 space and it will have a default gateway of the /28 address that was assigned on interface #3 above.

You will configure your nat rules so that nothing will be natted when traffic flows from interface #3 to interface #1.  Since you are running old 8.2 code, it is pretty easy to do this.  

Does that make sense?
Matthew Galiano (CTO, author) commented:
Yes. Right now I have everything set up as specified. Port 6 of the ASA is assigned with the IP of the default gateway from the /28. The VoIP server is assigned with a usable IP from the /28. I am just not sure what NAT rules I need.
Matthew Galiano (CTO, author) commented:
Should I be assigning Port 6 with the default gateway from the /28 or another usable IP from the /28 block? Does it matter?
arnold commented:
The setup they are providing to you is fine; you have to manage the LAN side /28 by adding them internally on the ASA as suggested.
The /30 is the WAN interface for the router while the /28 are the LAN IPs.
This seems like a T1 type of connection where the provider allocates a LAN of 16 IPs to the connection identified by the /30.

On the ASA add a virtual router for the /28 segment.

ISP <=> ASA WAN side /30 you

Another option: you can use your Edgewater router to terminate the ISP /30 connection, then take one of the /28 IPs and assign it to your VoIP related equipment, while the remaining ones are passed to the ASA.
Ken Boone (Network Consultant) commented:
So port 6 is just a layer 2 port on the PBX VLAN.   You create a layer 3 VLAN interface for the PBX VLAN, which is what I referred to as interface #3.  So you have a logical VLAN layer 3 interface that will have a /28 address on it.  Whatever address you put on the layer 3 VLAN interface for the PBX VLAN will need to be what you configure as the default gateway on the PBX device itself.
Ken Boone (Network Consultant) commented:
Ok, to help you with the NAT stuff: can you post the lines of your config that have the global statements and nat statements, and also post your interface configs?  Feel free to sanitize as you wish.
Matthew Galiano (CTO, author) commented:
interface Vlan5
 nameif VoIP
 security-level 0
 ip address X.X.X.2 255.255.255.240

interface Ethernet0/6
 switchport access vlan 5

This is what I have so far.

X.X.X.2/28 is the default gateway of the /28 assigned by the ISP. X.X.X.2/28 is also assigned as the default gateway of the PBX device.

Will that work or do I need to use an IP from the routable block? X.X.X.3 - X.X.X.15?

WAN1 port of the PBX is currently assigned X.X.X.3/28.

I do not have any NAT rules yet. What would the ACL look like?

Assuming I need something like:

nat (VoIP) 0 access-list nonat
Ken Boone (Network Consultant) commented:
Ok, so a couple of things.  This is what I would do:

On interface vlan5, make the security level 10.

I think in your case you don't want to use the nat 0 option because we are dealing with outbound and inbound originating traffic.
On that version of code, in order for something on a higher level interface (outside=100) to reach a lower level interface (voip=10), you need to have an ACL on the outside interface to define what traffic can come in, and you have to have a static nat command.

So the static nat command would look like this:

static (VoIP,outside) x.x.x.3 x.x.x.3 netmask 255.255.255.255

That command basically says this address will look the same when traffic is flowing between the voip and outside interface.  It also works for traffic going in either direction.

The next step is then to create an ACL that is applied to your outside interface that defines what traffic is allowed to come inbound towards the pbx server.
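The pieces Ken describes above (layer 3 VLAN interface for the /28, a single default route on outside, an identity static NAT for the PBX, and an inbound ACL on outside) are collected here into one ASA 8.2 configuration. This is an added example, not a config posted by any participant: X.X.X.0/28 is the ISP-routed block and X.X.X.2/X.X.X.3 the gateway and PBX addresses as in the thread, while W.W.W.1 (ISP side of the /30) and the UDP 5060/RTP 10000-20000 port ranges are placeholders that must be replaced with the values from the ISP and the VoIP provider.

```cisco
! Added example, not from the thread. Placeholders: X.X.X.0/28 (ISP-routed LAN block),
! W.W.W.1 (ISP side of the /30), UDP ports below (confirm with the VoIP provider).
!
! Layer 3 VLAN interface that owns the /28. Port 6 is only a layer 2 member of the VLAN;
! the PBX uses X.X.X.2 as its default gateway. Security level 10 keeps it below the
! inside (100) and above the outside (0); with VoIP at 0 as well, traffic between
! two level-0 interfaces is dropped unless "same-security-traffic permit inter-interface"
! is configured.
interface Vlan5
 nameif VoIP
 security-level 10
 ip address X.X.X.2 255.255.255.240
!
interface Ethernet0/6
 switchport access vlan 5
!
! Exactly one default route, via the ISP end of the /30. No "route VoIP ..." is needed:
! the /28 is a connected network on Vlan5, so the ASA already knows how to reach it.
route outside 0.0.0.0 0.0.0.0 W.W.W.1 1
!
! Identity static NAT (8.2 syntax: real interface, mapped interface, mapped IP, real IP).
! X.X.X.3 stays X.X.X.3 in both directions, which is what the provider requires (no
! address translation, hence no double NAT).
static (VoIP,outside) X.X.X.3 X.X.X.3 netmask 255.255.255.255
!
! Inbound policy on outside. The thread uses "permit ip any host X.X.X.3", which works
! but exposes every port on the PBX to the internet. The narrower form below only
! admits SIP signalling and a placeholder RTP media range; tighten the source to the
! provider's published address ranges once they are known.
access-list outside_access_in extended permit udp any host X.X.X.3 eq 5060
access-list outside_access_in extended permit udp any host X.X.X.3 range 10000 20000
access-group outside_access_in in interface outside
!
! Let the PBX ping the ASA's VoIP address, which is the first connectivity test
! suggested later in the thread (laptop on vlan 5 with .4, ping .2).
icmp permit any VoIP
```

Two checks after applying it: `show interface Vlan5` should report up/up once the PBX is plugged into port 6 and a ping from .3 to .2 succeeds, and `show xlate` should list the identity translation for X.X.X.3 once traffic flows. If `show run policy-map` shows a global policy with `inspect sip`, arnold's remark about the ALG applies and that inspection is the next thing to review, since the PBX does its own SIP handling.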
Matthew Galiano (CTO, author) commented:
My outside interface security level is 0, just FYI.
Ken Boone (Network Consultant) commented:
That is correct.  My mistake in the last description.  Outside should be 0 and inside should be 100.  I wrote that all backwards.. Dyslexic thinking...
Matthew Galiano (CTO, author) commented:
Ok, still make VoIP 10?
Ken Boone (Network Consultant) commented:
Yep.
Matthew Galiano (CTO, author) commented:
I added the following but still cannot ping.


interface Vlan5
 nameif VoIP
 security-level 10
 ip address X.X.X.2 255.255.255.240

access-list outside_access_in extended permit ip any host X.X.X.3

static (VoIP,outside)  X.X.X.3 X.X.X.3 netmask 255.255.255.255

access-group outside_access_in in interface outside
Ken Boone (Network Consultant) commented:
So do you have a global policy configured at the bottom of your configuration?  Turn on icmp inspection.  What are you pinging to and from?
Thanks,
Matthew Galiano (CTO, author) commented:
No global policy. I am trying to ping X.X.X.3 from the VoIP interface.

I am able to ping the outside interface across the internet.
Ken Boone (Network Consultant) commented:
So you are trying to ping the VOIP box from the ASA.

issue this command:

show run | i icmp

and let me see the output.

You might not have icmp allowed on that interface by default.
Matthew Galiano (CTO, author) commented:
I added icmp permit any VoIP.

Still no good.
Ken Boone (Network Consultant) commented:
Ok, so let's start with some basics.. I think you said you plugged the VoIP box into port 6.  Is port 6 configured for vlan 5?

If you issue a show interface command does it show that the interface is up?

If all that looks good.  Configure another port in vlan 5 and put a laptop on it and use an address out of the /28 subnet.  Can you ping the .2 address from the laptop?
Craig Beck commented:
Just wondering... Why does the box NEED a public IP on its WAN port?
arnold commented:
The common peer to peer setup is using a /30:
3.4.5.0/30
3.4.5.1 is the IP on the ISP side
3.4.5.2 is the WAN IP on the client side, with 3.4.5.1 as the default gateway and 3.4.5.3 as the broadcast IP.
On the ISP side, they have
a.b.c.d/28 pointing to 3.4.5.2

Presumably, you do not want your VoIP to go through your ASA, or you have to disable the ALG or your VoIP calls will suffer.

Using a multi-port router (Edgewater):
The /30 will be on the WAN (outside), one port allocated as a public IP to the PBX, or you can use the Edgewater with NAT to the PBX; the other public LAN IPs you can pass to the ASA for its LAN public WAN side, with the ASA LAN NATted ......
The access to the public LAN IPs will pass through without impediment...
Matthew Galiano (CTO, author) commented:
As stated previously, I do not want to add additional hardware. The VoIP device (Edgewater) needs a public IP assigned to the Wan1 interface because it is a cloud based VoIP solution.
Matthew Galiano (CTO, author) commented:
Ken, I am going to give your scenario a shot.
Craig Beck commented:
If you don't want to use a switch outside the ASA you'll have to pass traffic through the firewall, so why not just 1:1 NAT and stick a private IP on the box?
Matthew Galiano (CTO, author) commented:
From the cloud VoIP provider:

We cannot NAT the Edgewater.
The Edgewater NATs the voice traffic and if it gets NAT translated, then you have a double NAT.

This rips down SIP headers and destroys voice quality
arnold commented:
You have ISP feed <=> Edgewater router; what IP does it use, the /30 or the /28?
The ISP usually provides a router:
ISP feed <=> WAN /30 router /28 LAN <=> switch
from the above
            /          Edgewater using a /28 IP, allocating NAT to phones
Switch
            \ ASA getting the remaining /28 IPs

Please clarify your setup.

If your ISP terminates on the ASA using the /30 IP you merely need to add the /28 network to the ASA and bring up the /28 IPs.... as needed, after passing one of the /28 IPs to the Edgewater while disabling the ALG, SIP inspection, H.323, VoIP traffic, as that will break the voice...
Matthew Galiano (CTO, author) commented:
/30 is assigned to the outside interface of the ASA. Read the entire post. I have made my setup very clear.
arnold commented:
You then need to add the /28 to an interface on the ASA:
x.x.x.a/28 as a VLAN
Tag an interface to which you connect the Edgewater and assign it to this VLAN so it can bring up a /28 IP with the default gateway of x.x.x.a.

Then you can do whatever else you are doing.

The design of the /30 WAN and /28 LAN is a point to point setup where the main connection from the ISP terminates on a router that then passes the LAN IPs to the device/devices behind it.
Matthew Galiano (CTO, author) commented:
Yes, that is exactly what I am trying to do, but I am not having success.
arnold commented:
Your ASA effectively functions as a router.
The common configuration is to have the ASA get a public IP and then NAT the devices behind it in the scenario you are dealing with:
the ASA gets a WAN IP /30 which uses the other /30 IP as the default gateway.
You then can bring up the LAN /28 IPs as a virtual router within the ASA to allow for passing the /28 public IP to the Edgewater.

The other option: alter the path, since you do not want the VoIP traffic passing through the ASA.
ISP <=> EDGEWATER /30 IP for WAN, and NAT the port that you assign to the phones.
             port 2 you pass the LAN to the ASA.

The phones will be connecting to the provider from the /30 IP.
The ASA will be able to bring up any of the LAN /28 IPs while the Edgewater will have the /28 default gateway.
Craig Beck commented:
All this should be simple. What license do you have on the ASA?

The 5505 usually only supports 2 VLANs; inside and outside so ordinarily unless you config the inside VLAN with your /28 it won't work. If you have the security plus license you can config a DMZ VLAN and put the /28 there, and connect your SIP box to it.
Ken Boone (Network Consultant) commented:
He said he has sec plus on it.
Matthew Galiano (CTO, author) commented:
Yes security plus.

Config looks like this:

interface Vlan5
 nameif VoIP
 security-level 0
 ip address X.X.X.2 255.255.255.240

interface Ethernet0/6
 switchport access vlan 5

This is what I have so far.

X.X.X.2/28 is the default gateway of the /28 assigned by the ISP. X.X.X.2/28 is also assigned as the default gateway of the PBX device.

Will that work or do I need to use an IP from the routable block? X.X.X.3 - X.X.X.15?

WAN1 port of the PBX is currently assigned X.X.X.3/28.


access-list outside_access_in extended permit ip any host X.X.X.3

static (VoIP,outside)  X.X.X.3 X.X.X.3 netmask 255.255.255.255

access-group outside_access_in in interface outside

Unable to ping X.X.X.3 from Vlan 5 (Port 6)
Craig Beck commented:
You've got a NAT configured for the box. I thought you said you couldn't do double-NAT?

Do a packet tracer from the ASA to see if it allows traffic to .3.

Also you have set the security level to 0.  If the outside is set to 0 and you don't allow traffic to pass between interfaces with the same security level it won't work.
arnold commented:
Let's say you have the following /28 segment:
x.12.34.0/28

The ASA MUST have and function as the default gateway for all other IPs on this /28 segment, so when you set your ASA VoIP VLAN as x.12.34.2/28,
ALL devices that are part of this VLAN must use x.12.34.2 as their DEFAULT GATEWAY.

When the packet from x.12.34.3 hits x.12.34.2 it will be rerouted out, since the /30 is set as the default gateway out of the ASA and to the ISP ..

In your scenario you will define an IP for VLAN5 in the definition of the VLAN, and not attach the IP to the interface.
You can make the interface

I cannot believe that an ISP that dropped a peer to peer feed did not include a router on which this peer to peer connection can terminate.

You have to look at what you are working with and what it is you are trying to do.
Ken Boone (Network Consultant) commented:
Let's get to the point where the edgewater on .3 can ping the asa on .2.  Then we can go from there.

Right now port 6 which is on vlan 5 which has a layer 3 interface of .2 is fine.  On port 6 you have the outside of the edgewater connected and you have it configured as .3.  That is fine.  But you said you cannot ping between these two devices.  We need to fix that issue before we go any further.

Setup another port on the ASA also on vlan 5.  Assign your laptop an address of .4 with a default gateway of .2 on that network.  Can you ping the ASA from your laptop?

Let's start there.

[This comment was selected as the solution.]
arnold commented:
Could you post the config you have?

Usually in this type of scenario, the VLAN is configured with an IP, and the interface is merely joined to the VLAN, functionally behaving as connected to a switch.

This way you can assign multiple devices to the VLAN 5, configuring each with a public IP from the /28, whereas the assignment of the IP to the interface VLAN prevents that, as a new interface will not have a /28 IP ....

Did the ISP provider offer you the option/provide you with a router, and you elected not to use it?
Craig Beck commented:
OP already posted. It should work with the recommendations I made.
Matthew Galiano (CTO, author) commented:
I declined the managed router because I did not anticipate adding this type of service. Usually I just set up NAT rules for everything I host. I am going to set up the laptop and assign it a /28 address. Will report back.
arnold commented:
The illustration posted and other comments, if used, should work.

It is unclear what you are seeing.

The /28 except for the two first and last IP must be used, i.e. one of these IPs, in your case .2, is the default gateway for all /28 IPs 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
Craig Beck commented:
Really, there's no reason why you can't double-NAT. It will work; providers just don't like it as it is harder to support.
Matthew Galiano (CTO, author) commented:
Will have another update next week. I am going back onsite.
Matthew Galiano (CTO, author) commented:
Connected laptop and was able to ping fine. Reset VoIP router and reassigned IPs. Issue resolved.
Craig Beck commented:
How is the selected comment "the answer" to this question?