I have a Cisco ASA 5505 running 8.3.1 software. I've set up my VLANs, and I have a block of static IP addresses. One IP address is set as the 'outside' interface IP address, and I have a static route for internet access. I also have NAT between the inside and outside interfaces.
The problem is that I have a DMZ VLAN which I want to use, and have all servers on that VLAN use a different IP address for both inbound and outbound traffic. I followed the instructions on this post from the Cisco forums, but I cannot route traffic.
https://supportforums.cisco.com/discussion/11687031/cisco-asa-5505-multiple-outside-statics-ip
object network dmz
subnet 192.168.1.0 255.255.255.0
nat (guest,outside) dynamic 155.1.1.2
After running this command and checking the NAT rules in ASDM, it creates the same NAT rule as for the 'inside' interface, except that the translated source is the secondary IP address. The problem is it does not route traffic to the Internet. If I change the translated source to 'outside', it routes, but the outgoing IP address is the same as for all other VLANs.
I think I may need to add another static route or some type of double NAT rule; I'm not sure. Any help would be greatly appreciated.
My entire configuration is below, and here are some areas that I've been playing around with:
- I think I may need a static route here, using the secondary IP address, but I can only create routes for an interface. The x.x.x.x is the gateway for my static IP address block.

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

- When I followed the instructions in the link above, it created another object (just noticed). I think the duplicate object (overlap) may be causing an issue.

object network dmz
nat (dmz,outside) dynamic x.x.x.x
Configuration:
: Saved
:
ASA Version 8.3(1)
!
hostname xxxxxxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network dmz
subnet 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network dmz
nat (dmz,outside) dynamic x.x.x.x
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.10 inside
dhcpd enable inside
!
dhcpd address 192.168.2.10-192.168.2.20 dmz
dhcpd dns 8.8.8.8 interface dmz
dhcpd enable dmz
!
Best Answer
This is an old question, but I recently ran into this same issue, and after some trial and error, I was able to come up with a solution. The following applies to ASA Version 9.1. I have two VLANs on our network: one for PCs, and one for VoIP. I wanted the VoIP VLAN to use its own outside address, separate from the outside address used by the PCs. Here's what the configuration ended up looking like (IP addresses have been obfuscated slightly). These are only the pertinent parts of the configuration, not a complete dump:
I also included the part of my configuration which sets up DHCP on the VoIP VLAN for the phones. One snag I ran into (which should've been obvious in retrospect): the net-voip VLAN needs to have a security level higher than the outside VLAN's, otherwise it won't be allowed out.
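The answer's configuration did not survive on this page, so the following is an added example, written by the editor rather than taken from either post, of the arrangement both the question and the answer describe: a separate VLAN (the question's dmz, the answer's net-voip) whose hosts leave through a dedicated public address instead of the outside interface address. It uses the object-NAT syntax introduced in 8.3, which 9.1 keeps, and two points worth checking against the question's own configuration: the interface pair in a nat statement must name configured nameifs (the forum snippet quoted in the question uses guest, while the posted configuration only defines inside, outside and dmz), and the mapped address does not need a static route of its own, because the ASA answers ARP on the outside interface for mapped addresses that lie within the outside interface's subnet. Routes describe where destinations are sent, not which source address is used, so the existing default route is all that is required. The public addresses (203.0.113.x) and the VLAN numbering are placeholders for the question's x.x.x.x, and the security level of 50 is an assumption; anything above outside's 0 works, while an equal level would only pass with same-security-traffic permit inter-interface.

```cisco
! Added example (editor's, not the asker's or answerer's config).
! ASA 8.3+ object NAT for a VLAN with its own public address.
!
! Outside: the dedicated mapped address below (203.0.113.3) sits in this
! subnet, so the ASA will proxy-ARP for it; no extra route is needed.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! The separate VLAN. Its security level must be above outside's 0 for
! traffic to be allowed out without an explicit ACL; 50 is assumed here.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Dedicated public address, kept in an object so "show nat" stays readable.
! A single host as the mapped address makes this dynamic PAT, which is
! what outbound web/DNS traffic needs; "dynamic 203.0.113.3" inline is
! equivalent.
object network dmz-public
 host 203.0.113.3
!
! Real subnet of the VLAN with its NAT rule. The interface pair must use
! the nameifs configured above (dmz, outside), not an undefined name.
object network dmz-net
 subnet 192.168.2.0 255.255.255.0
 nat (dmz,outside) dynamic dmz-public
!
! Inside keeps translating to the outside interface address, as in the
! question, so the two VLANs leave with different public addresses.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! One default route toward the provider gateway covers both VLANs.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification, from privileged exec mode:
! show nat detail                 - both rules listed, with hit counters
! show xlate                      - dmz hosts should appear as 203.0.113.3
! packet-tracer input dmz tcp 192.168.2.10 40000 8.8.8.8 53 detailed
!                                 - walks the NAT and ACL phases and ends
!                                   in ALLOW if the rule above is matched
```

If packet-tracer reports ALLOW with the expected translation but real traffic still fails, the remaining suspect is the upstream side: the provider gateway must accept traffic sourced from, and return traffic to, the secondary address, which show arp on the gateway (or a capture on the outside interface) will confirm.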