
ASA 5505 Multiple WAN 1

Status
Not open for further replies.

jreidson

IS-IT--Management
Jun 1, 2009
7
Hello,

I am trying to configure my ASA 5505 with multiple WAN addresses and am experiencing a problem. My ISP requires that each of the 5 statically assigned IP's I have be bound to a specific MAC, so I can't add them all to one interface. The issue is that they are all on the same network, so I get an overlapping subnet error when I try to add the IP's to different VLAN's. Any suggestions would be appreciated.

Thanks
 
The first question is why do you need to give the ASA 5 IP's??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi, one IP is our public web site, another for FTP, and the third is for Exchange. We are currently not using the other two. The existing SOHO routers forward HTTP traffic from one public IP to an IIS box and the same holds true for Exchange.

Thanks
 
You don't need to assign the interface multiple IP addresses. You simply give an IP to the outside (or whatever you decide to name it) interface and then in the configuration create static NAT entries with corresponding ACL's. Here's an example. Say you have been assigned 1.1.1.0/29 by your ISP. 1.1.1.1 is your ISP gateway, 1.1.1.2 is the IP you assigned to your outside interface on your ASA. That leaves you with 3 - 6 to use for other services; .3 is for ftp, .4 is for www, and .5 is for smtp. You would do something like this:
Code:
interface vlan2
  ip address 1.1.1.2 255.255.255.248
  nameif outside
  security-level 0

interface vlan1
  ip address 192.168.0.1 255.255.255.0
  nameif inside
  security-level 100

interface ethernet0
  switchport access vlan 2

access-list outside_access_in extended permit tcp any 1.1.1.3 eq ftp
access-list outside_access_in extended permit tcp any 1.1.1.4 eq www
access-list outside_access_in extended permit tcp any 1.1.1.5 eq smtp

static (inside,outside) 1.1.1.3 192.168.0.3 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.0.4 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 192.168.0.5 netmask 255.255.255.255

access-group outside_access_in in interface outside
you could also alter it to use PAT and preserve IP addresses like so:
Code:
access-list outside_access_in extended permit tcp any 1.1.1.3 eq ftp
access-list outside_access_in extended permit tcp any 1.1.1.3 eq www
access-list outside_access_in extended permit tcp any 1.1.1.3 eq smtp

static (inside,outside) tcp 1.1.1.3 ftp 192.168.0.3 ftp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 www 192.168.0.4 www netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 smtp 192.168.0.5 smtp netmask 255.255.255.255

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks, I will try this tonight. This was the vlan configuration I was attempting that was causing the subnet error:


interface vlan1
ip address 10.1.2.1 255.255.255.0
nameif inside
security-level 100

interface vlan101
ip address 1.1.1.2 255.255.255.128
mac-address 000A.000B.5ABD
nameif wan1
security-level 0

interface vlan102
ip address 1.1.1.3 255.255.255.128
mac-address 000A.000B.5ABC
nameif wan2
security-level 0


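An added checker, not code from the thread or from either poster: it parses the ASA 8.2-style statements used in the two snippets above and reports the two things this thread turns on, interfaces whose subnets overlap (the error the original poster hits) and static NAT mappings that no applied access-list permits. The sample config is constructed from both snippets, with the 1.1.1.5 permit deliberately left out so the second check has something to find; the `host` keyword in the ACL lines is accepted but optional.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the OP's two-WAN-VLAN interfaces and the suggested
# static-NAT/ACL block, with the 1.1.1.5 permit deliberately left out.
SAMPLE = """\
interface vlan1
 ip address 10.1.2.1 255.255.255.0
interface vlan101
 ip address 1.1.1.2 255.255.255.128
interface vlan102
 ip address 1.1.1.3 255.255.255.128
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq ftp
access-list outside_access_in extended permit tcp any host 1.1.1.4 eq www
static (inside,outside) 1.1.1.3 192.168.0.3 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.0.4 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 192.168.0.5 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def parse_asa(text):
    """Collect interface subnets, ACL permits, static NAT global IPs and
    applied ACL names from an ASA 8.2-style config (thread statements only)."""
    ifaces, acl, statics, applied, name = {}, {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            ifaces[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) extended permit \S+ any (?:host )?(\S+) eq", line):
            acl.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"static \(\S+\) (?:tcp |udp )?(\S+)", line):
            statics.append(m[1])  # plain static and port-level PAT both start with the global IP
        elif m := re.match(r"access-group (\S+) in interface", line):
            applied.add(m[1])
    return ifaces, acl, statics, applied

def check_asa(text):
    """Return the two problems this thread turns on: overlapping interface
    subnets (the error the OP hit) and static NATs no applied ACL permits."""
    ifaces, acl, statics, applied = parse_asa(text)
    overlaps = sorted((a, b) for (a, ia), (b, ib) in combinations(ifaces.items(), 2)
                      if ia.network.overlaps(ib.network))
    permitted = set().union(*(acl.get(n, set()) for n in applied))
    unreferenced = sorted(ip for ip in statics if ip not in permitted)
    return {"overlaps": overlaps, "unreferenced_statics": unreferenced}
```

Run `check_asa(SAMPLE)` to see the wan1/wan2 overlap and the unpermitted 1.1.1.5 mapping reported together.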
 
Unfortunately, I don't think this config is going to quite work for me. I need to be able to clone the MAC and the only way I know to do that is from within the interface config.
 
But why?? Why do you need to clone the MAC?? I am missing something here. I realize that your ISP requires the connection to come from a particular MAC and in the config above all connections will.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Our ISP uses the MAC as security, so the public IP's have to each be associated with a MAC on the WAN side.
 
surely you would just make a nat rule from <your external IP> <--> <your internal IP> and then an access rule to allow the traffic?

which is what has been said anyway ;-)
 
as i've stated in the first post...my isp use mac/ip security...so the mac address needs to match a specific ip address (ONE TO ONE map!). if i want to have multiple ip's, they each need to show as if they have come from a specific mac address...or each "wan port" needs to have a separate ip/mac on a lesser secure "outside" network

@HairySupportMonkey
so if i make what you have said as a "nat rule",...i'm assuming you mean a static mapping,...that this would tell the asa to attach a specific mac address ? that doesn't sound right.

i can change a mac address in the interface command of a vlan on the asa...but it only allows you to have 1 wan address on an outside interface that is in the same network...

the example i have given above does not work ...the asa gives an error that says it's invalid to have the addresses on the same network.
 
ok, have you even TRIED to apply the suggested configuration above??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I did and not to my surprise, I have no Internet access because the MAC address must be tied to each public IP. Where in your example did you explain how I can specify the MAC? I don't know how else to describe my situation and appreciate the help, but there has to be a 1 to 1 relationship between a specified MAC and the corresponding IP. I am going to try configuring the router in context mode, although it will be more trouble to maintain the separate firewall policies.
 
why don't you get your ISP to tie the MAC of the router to your connection? surely they would allow multiple IPs to map to the same MAC?

sounds like a crap ISP to me? change it.... that will fix your problem!!!!

 