
I have a Cisco ASA 5505 running 8.3.1 software. I've set up my VLANs, and I have a block of static IP addresses. One IP address is set as the 'outside' interface IP address, and I have a static route for internet access. I also have NAT between the inside and outside interfaces.

The problem is that I have a DMZ VLAN which I want to use, and have all servers on that VLAN use a different IP address for both inbound and outbound traffic. I followed the instructions on this post from the Cisco forums, but I cannot route traffic.

https://supportforums.cisco.com/discussion/11687031/cisco-asa-5505-multiple-outside-statics-ip

    object network dmz
     subnet 192.168.1.0 255.255.255.0
     nat (guest,outside) dynamic 155.1.1.2

After running this command, and checking the NAT rules on ASDM, it creates the same NAT rule as the 'inside' interface, except the translated source is the secondary IP address. The problem is it does not route traffic to the Internet. If I change the translated source to 'outside', it routes, but the outgoing IP address is the same as all other VLANs.

I think I may need to add another static route or some type of double NAT rule; I'm not sure. Any help would be greatly appreciated.

My entire configuration is below, and here are some areas that I've been playing around with:

  • I think I may need a static route here, using the secondary IP address, but I can only create routes for an interface. The x.x.x.x is the gateway for my static IP address block.

    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 
  • When I followed the instructions in the link above, it created another object (just noticed). I think the duplicate object (overlap) may be causing an issue.

    object network dmz
     nat (dmz,outside) dynamic x.x.x.x

Configuration:

    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname xxxxxxxxxx
    enable password xxxxxxxxxx encrypted
    passwd xxxxxxxxxx encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.0
    !
    interface Vlan3
     nameif dmz
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network dmz
     subnet 192.168.2.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    !
    object network obj-192.168.1.0
     nat (inside,outside) dynamic interface
    object network dmz
     nat (dmz,outside) dynamic x.x.x.x
    access-group inside_access_in in interface inside control-plane
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.10 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.2.10-192.168.2.20 dmz
    dhcpd dns 8.8.8.8 interface dmz
    dhcpd enable dmz
    !
Comments:

  • Can you show more of your config? Commented Jun 27, 2014 at 9:41
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. Commented Jan 5, 2021 at 19:33

1 Answer

This is an old question, but I recently ran into this same issue, and after some trial and error, I was able to come up with a solution. The following applies to ASA Version 9.1. I have two VLANs on our network: one for PCs, and one for VoIP. I wanted the VoIP VLAN to use its own outside address, separate from the outside address used by the PCs. Here's what the configuration ended up looking like (IP addresses have been obfuscated slightly). These are only the pertinent parts of the configuration, not a complete dump:

    :
    ASA Version 9.1(2)
    interface Ethernet0/0
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/6
     switchport access vlan 50
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 65.65.65.10 255.255.255.192
    !
    interface Vlan2
     nameif net-inside
     security-level 100
     ip address 10.1.10.1 255.255.248.0
    !
    interface Vlan50
     nameif net-voip
     security-level 100
     ip address 172.16.0.1 255.255.255.0
    !
    object network net-voip
     subnet 172.16.0.0 255.255.255.0
     nat (net-voip,outside) dynamic 65.65.65.20
    !
    nat (net-inside,outside) after-auto source dynamic any interface
    !
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd address 172.16.0.100-172.16.0.127 net-voip
    dhcpd dns 8.8.8.8 interface net-voip
    dhcpd enable net-voip

I also included the part of my configuration which sets up DHCP on the VoIP VLAN for the phones. One snag I ran into (which should've been obvious in retrospect): the net-voip VLAN needs to have a security level higher than the outside VLAN; otherwise it won't be allowed out.
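To see why the answer's two rules give each VLAN its own public address, and why the forum command quoted in the question does not apply to the asker's DMZ as written, here is a small Python model of how an ASA 8.3+ selects a NAT rule. This is an added illustration, not code from this page, from the ASA, or from Cisco. It assumes the rule-table ordering Cisco documents for 8.3 and later (Section 1 manual NAT in configuration order, Section 2 object NAT with static before dynamic and fewer real addresses first, Section 3 manual NAT placed `after-auto`) and models only source translation on the egress interface. The question's public addresses are obfuscated on the page, so `OUTSIDE_IP` and `DMZ_PUBLIC_IP` are placeholders, not real addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration (not Cisco's code): a minimal model of ASA 8.3+ NAT rule
# selection, used to show which public address each VLAN on this page gets.
# Modelled ordering: Section 1 = manual NAT in configuration order;
# Section 2 = object (auto) NAT, static before dynamic, then the rule with
# the fewest real addresses (longest prefix) first; Section 3 = after-auto.


@dataclass(frozen=True)
class NatRule:
    section: int                  # 1 manual, 2 object/auto, 3 manual after-auto
    src_if: str                   # real (ingress) interface, or "any"
    dst_if: str                   # mapped (egress) interface
    real: ipaddress.IPv4Network   # real source range before translation
    mapped: str                   # mapped address, or "interface" for interface PAT
    static: bool = False


def ordered(rules):
    # sorted() is stable, so rules that tie keep their configuration order
    return sorted(rules, key=lambda r: (r.section, 0 if r.static else 1, -r.real.prefixlen))


def mapped_source(rules, interface_ips, src_if, src_ip, egress_if) -> Optional[str]:
    """First matching rule wins; returns the mapped source, or None if nothing matches."""
    ip = ipaddress.IPv4Address(src_ip)
    for r in ordered(rules):
        if r.src_if not in (src_if, "any"):
            continue
        if r.dst_if != egress_if or ip not in r.real:
            continue
        return interface_ips[egress_if] if r.mapped == "interface" else r.mapped
    return None


def net(cidr):
    return ipaddress.ip_network(cidr)


# Rules from the answer (ASA 9.1): object NAT gives the VoIP VLAN its own
# public IP; after-auto interface PAT catches the PC VLAN afterwards.
ANSWER_IFACE_IPS = {"outside": "65.65.65.10"}
ANSWER_RULES = [
    NatRule(2, "net-voip", "outside", net("172.16.0.0/24"), "65.65.65.20"),
    NatRule(3, "net-inside", "outside", net("0.0.0.0/0"), "interface"),
]

# Rules from the question (ASA 8.3). Placeholders stand in for the public
# addresses that are obfuscated as x.x.x.x on the page.
QUESTION_IFACE_IPS = {"outside": "OUTSIDE_IP"}  # placeholder
QUESTION_RULES = [
    NatRule(2, "inside", "outside", net("192.168.1.0/24"), "interface"),
    NatRule(2, "dmz", "outside", net("192.168.2.0/24"), "DMZ_PUBLIC_IP"),  # placeholder
]

# The forum command quoted in the question, applied unchanged: it names an
# interface "guest" and subnet 192.168.1.0/24, but the asker's DMZ uses
# nameif "dmz" and 192.168.2.0/24, so DMZ flows match nothing.
FORUM_RULES = [
    NatRule(2, "guest", "outside", net("192.168.1.0/24"), "155.1.1.2"),
]


def answer_results():
    return {
        "voip": mapped_source(ANSWER_RULES, ANSWER_IFACE_IPS, "net-voip", "172.16.0.100", "outside"),
        "pc": mapped_source(ANSWER_RULES, ANSWER_IFACE_IPS, "net-inside", "10.1.10.20", "outside"),
    }


def question_results():
    return {
        "inside": mapped_source(QUESTION_RULES, QUESTION_IFACE_IPS, "inside", "192.168.1.5", "outside"),
        "dmz": mapped_source(QUESTION_RULES, QUESTION_IFACE_IPS, "dmz", "192.168.2.10", "outside"),
        "dmz_with_forum_rule": mapped_source(FORUM_RULES, QUESTION_IFACE_IPS, "dmz", "192.168.2.10", "outside"),
    }


if __name__ == "__main__":
    for name, results in (("answer", answer_results()), ("question", question_results())):
        for flow, mapped in results.items():
            print(f"{name}: {flow:22s} -> {mapped}")
```

Run stand-alone, the model reports the VoIP VLAN leaving as 65.65.65.20 and the PC VLAN as the outside interface address 65.65.65.10, matching what the answer describes. For the question's own rules it reports the DMZ subnet mapped to the secondary address, which agrees with what the asker saw in ASDM, so rule selection is not what differs between the two rule sets; the unadapted forum command, by contrast, matches no DMZ flow at all because its interface name and subnet are not the asker's.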
