Vlan – ASA 5505 Assign Outbound IP to VLAN

Tags: cisco-asa, ipv4, vlan

I have a Cisco ASA 5505 running 8.3.1 software. I've set up my VLANs, and I have a block of static IP addresses. One IP address is set as the 'outside' interface IP address, and I have a static route for internet access. I also have NAT between the inside and outside interfaces.

The problem is that I have a DMZ VLAN which I want to use, and I want all servers on that VLAN to use a different IP address for both inbound and outbound traffic. I followed the instructions in this post from the Cisco forums, but I cannot route traffic.

https://supportforums.cisco.com/discussion/11687031/cisco-asa-5505-multiple-outside-statics-ip

object network dmz
subnet 192.168.1.0 255.255.255.0
nat (guest,outside) dynamic 155.1.1.2

After I run this command and check the NAT rules in ASDM, it has created the same NAT rule as for the 'inside' interface, except that the translated source is the secondary IP address. The problem is that it does not route traffic to the Internet. If I change the translated source to 'outside', it routes, but the outgoing IP address is the same as for all other VLANs.

I think I may need to add another static route or some type of double NAT rule; I'm not sure. Any help would be greatly appreciated.

My entire configuration is below, and here are some areas that I've been playing around with:

  • I think I may need a static route here, using the secondary IP
    address, but I can only create routes for an interface. The x.x.x.x
    is the gateway for my static IP address block.

    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    
  • When I followed the instructions in the link above, it created
    another object (just noticed). I think the duplicate object (overlap)
    may be causing an issue.

    object network dmz
     nat (dmz,outside) dynamic x.x.x.x
    

Configuration:

: Saved
:
ASA Version 8.3(1) 
!
hostname xxxxxxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 
!
interface Vlan3
 nameif dmz
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj-192.168.1.0 
 subnet 192.168.1.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0 
 subnet 192.168.2.0 255.255.255.0
object network dmz
 subnet 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.0
 nat (inside,outside) dynamic interface
object network dmz
 nat (dmz,outside) dynamic x.x.x.x
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.10 inside
dhcpd enable inside
!
dhcpd address 192.168.2.10-192.168.2.20 dmz
dhcpd dns 8.8.8.8 interface dmz
dhcpd enable dmz
!

Best Answer

This is an old question, but I recently ran into this same issue, and after some trial and error, I was able to come up with a solution. The following applies to ASA Version 9.1. I have two VLANs on our network: one for PCs, and one for VoIP. I wanted the VoIP VLAN to use its own outside address, separate from the outside address used by the PCs. Here's what the configuration ended up looking like (IP addresses have been obfuscated slightly). These are only the pertinent parts of the configuration, not a complete dump:

: ASA Version 9.1(2) 

interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 50
!
interface Vlan1
  nameif outside
  security-level 0
  ip address 65.65.65.10 255.255.255.192 
!
interface Vlan2
 nameif net-inside
 security-level 100
 ip address 10.1.10.1 255.255.248.0 
!
interface Vlan50
 nameif net-voip
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
object network net-voip
 subnet 172.16.0.0 255.255.255.0
 nat (net-voip,outside) dynamic 65.65.65.20
!
nat (net-inside,outside) after-auto source dynamic any interface
!
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd address 172.16.0.100-172.16.0.127 net-voip
dhcpd dns 8.8.8.8 interface net-voip
dhcpd enable net-voip

I also included the part of my configuration which sets up DHCP on the VoIP VLAN for the phones. One snag I ran into (which should've been obvious in retrospect): the net-voip VLAN needs to have a security level higher than the outside VLAN, otherwise it won't be allowed out.
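As an added example (not part of the question or the answer above), the following Python script parses the pertinent interface and object-NAT lines of an ASA configuration and checks the two conditions the answer's working setup depends on: the real interface of each `nat (real,mapped) dynamic <ip>` rule has a higher security level than the mapped interface, and the mapped address lies on the mapped interface's subnet so the ASA can answer ARP for it. The embedded configuration is a constructed sample based on the answer's 9.1 snippet.

```python
import ipaddress
import re

# Constructed sample: the pertinent lines of the answer's ASA 9.1 configuration.
SAMPLE_CONFIG = """
interface Vlan1
 nameif outside
 security-level 0
 ip address 65.65.65.10 255.255.255.192
interface Vlan50
 nameif net-voip
 security-level 100
 ip address 172.16.0.1 255.255.255.0
object network net-voip
 subnet 172.16.0.0 255.255.255.0
 nat (net-voip,outside) dynamic 65.65.65.20
"""

def parse_asa(text):
    # Returns interfaces keyed by nameif and a list of object NAT rules.
    interfaces, nats, cur_if, cur_obj = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur_if, cur_obj = {}, None
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
        elif cur_if is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = cur_if
        elif cur_if is not None and line.startswith("security-level "):
            cur_if["level"] = int(line.split()[1])
        elif cur_if is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cur_if["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        else:
            m = re.match(r"nat \((\S+),(\S+)\) dynamic (\S+)$", line)
            if m and cur_obj:
                nats.append((cur_obj,) + m.groups())
    return interfaces, nats

def check_nat(text):
    # Returns a list of findings; an empty list means both checks passed.
    interfaces, nats = parse_asa(text)
    findings = []
    for obj, real_if, mapped_if, mapped in nats:
        real, out = interfaces[real_if], interfaces[mapped_if]
        # The answer's snag: without an ACL or same-security permit, the ASA only
        # lets traffic initiate from a higher security level towards a lower one.
        if real["level"] <= out["level"]:
            findings.append(f"{obj}: {real_if} level {real['level']} not above {mapped_if} level {out['level']}")
        # The ASA answers ARP for a mapped address only when it is on the mapped
        # interface's subnet; otherwise the upstream router must route it here.
        if mapped != "interface" and ipaddress.ip_address(mapped) not in out["net"]:
            findings.append(f"{obj}: mapped {mapped} not in {mapped_if} subnet {out['net']}")
    return findings
```

Running `check_nat` on the answer's configuration returns no findings; lowering net-voip to security-level 0, or mapping to an address outside 65.65.65.0/26, produces one finding each.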