-3

We are attempting to use a Cisco ASA as a VPN as well as forward traffic to two servers.

Our ISP has given us a range of sequential IP addresses, 154.223.252.146-149, with a default GW of 154.223.252.145; we're using netmask 255.255.255.240.

We have the first of these, 154.223.252.146, assigned to the external interface on our ASA and it’s successfully hosting our VPN service. It works great.

The next and final goal is to have 154.223.252.147 forward HTTPS traffic to 10.1.90.40 and 154.223.252.148 forward HTTPS traffic to 10.1.94.40.

Our current blocker is our inability to get the outside interface of the ASA to respond to these IP addresses.

We’ve been able to use 154.223.252.146 to forward HTTPS traffic correctly. So we know that works.

I’ve plugged my laptop into the switch from our ISP, manually assigned 154.223.252.147 and 154.223.252.148 with the default GW of 154.223.252.145, and was happily connected. So we know the IPs are there and available; we just need to convince the ASA to respond to them and use them to forward HTTPS.

We’ve tried plugging cables from the switch into other interfaces on the firewall. This failed because the netmask overlaps with our first outside interface (154.223.252.146 255.255.255.240); Cisco hates this and doesn’t allow it.

We’ve read documentation and have heard that it’s possible to assign a range of IPs to the outside interface by defining a VLAN. We do not know how to successfully make this work, and our attempts have failed.

What's the best way to accomplish this configuration with a Cisco ASA?

EJW

2 Answers

0

You don't need to assign multiple IPs from the same range to more than one interface. That doesn't work with Cisco. Instead, try a static one-to-one NAT for your web servers and terminate your VPN traffic on the IP address assigned to the interface.

Watch this video for one-to-one NAT:

https://www.youtube.com/watch?v=cNaEsZSsxcg

Dharman
    The link is to one of your own videos. You **must explicitly** disclose that fact, or your post could be treated as spam. – Adrian Mole Sep 20 '21 at 15:55
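For the setup in the question (three addresses from one /28 on a single outside interface, with .147 and .148 to be forwarded to internal HTTPS servers), the following is an added example of the static NAT approach this answer describes. It is not configuration from the original post, from the linked video, or from Cisco documentation. It assumes ASA 8.3 or later object NAT syntax, interface names `inside` and `outside`, and the object and ACL names used below, which are this example's own choices. The point it illustrates is that the ASA will answer ARP on the outside interface for a NAT-mapped address that falls inside that interface's subnet (proxy ARP, on by default), so no second interface or VLAN is needed to make .147 and .148 "respond"; .146 stays on the interface for the VPN.

```cisco
! Real (inside) hosts and the public addresses they will be reached on.
! Object and ACL names are this example's own choices, not from the post.
object network WEB1_REAL
 host 10.1.90.40
object network WEB1_PUBLIC
 host 154.223.252.147
object network WEB2_REAL
 host 10.1.94.40
object network WEB2_PUBLIC
 host 154.223.252.148
!
! Port-restricted static NAT: only TCP/443 is translated, so nothing else
! on .147/.148 is exposed. Proxy ARP for the mapped address is enabled by
! default; do NOT append "no-proxy-arp" here, or the outside interface stops
! answering ARP for .147/.148 and the ISP gateway cannot deliver to them.
object network WEB1_REAL
 nat (inside,outside) static WEB1_PUBLIC service tcp https https
object network WEB2_REAL
 nat (inside,outside) static WEB2_PUBLIC service tcp https https
!
! From 8.3 onward interface ACLs are evaluated against the REAL
! (untranslated) destination, so the ACL references the inside objects.
access-list OUTSIDE_IN extended permit tcp any object WEB1_REAL eq https
access-list OUTSIDE_IN extended permit tcp any object WEB2_REAL eq https
access-group OUTSIDE_IN in interface outside
!
! If proxy ARP had been disabled globally on the outside interface, this
! line would be present in the running config and would have to be removed:
!   sysopt noproxyarp outside
!
! Verification from the ASA CLI (203.0.113.10 is a made-up test source):
!   show running-config nat
!   show nat detail
!   packet-tracer input outside tcp 203.0.113.10 40000 154.223.252.147 443
!   packet-tracer input outside tcp 203.0.113.10 40000 154.223.252.147 22
! The first packet-tracer should end in ALLOW with the translation to
! 10.1.90.40; the second should end in DROP, since no NAT or ACL matches.
```

If the server still does not answer after this, `packet-tracer` shows which stage (NAT, ACL, route lookup) rejects the flow, and the translate hit counters in `show nat detail` show whether outside traffic is reaching the rule at all.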
-1

Cisco has an active scanning technology that was enabled on this ASA. We were able to diagnose it by intermittent bad behavior. After troubleshooting long enough we realized that some of the behavior couldn't be consistent with the changes we were making. So we started looking for things that the firewall would be trying to do by itself. That ended up helping us narrow it down. Disabling active scanning allowed our external vlan configurations to work. Now moving on to tightening up the configs.

EJW