derjur
join:2012-07-10
Hamilton, ON

derjur

Member

[DSL] ASA5505 with a /29

I've signed up for Tek Savvy's /29 service, and now have a static IP, and a handful of additional IPs.

I've configured my modem to bridging mode, and my outside interface on my Cisco ASA5505 is grabbing my single static IP through PPPoE.

Does anyone have an idea on how I can assign my netblock to the ASA?

squircle
join:2009-06-23
OTWAON10

squircle

Member

You have to assign the addresses statically to your LAN clients; there isn't a mechanism with PPPoE that will auto-configure them.
derjur
join:2012-07-10
Hamilton, ON

derjur

Member

Thanks for the response.

That is my question though; how do I assign the netblock to my ASA?

The outside interface can only handle a single address, and I don't think that assigning the netblock to a VLAN would be best practice.

squircle
join:2009-06-23
OTWAON10

squircle

Member

Sorry, I should've been more clear in my response (I was in class at the time). You have to assign addresses in your netblock to clients on the LAN interfaces of your ASA. The ASA itself only needs one address; what you're essentially doing is (either statically or through DHCP) assigning addresses from your /29 to LAN clients with your ASA as the default gateway. I prefer to do this statically as only a few of my network clients need globally-routable IPs, but if you only have one or two clients, you could DHCP from your /29 pool.

I wish I was more well-versed with IOS so I could give you some configuration examples at the moment, but my current job is an all-HP ProCurve shop so I've lost some of my Cisco skills. Hope that helps!
derjur
join:2012-07-10
Hamilton, ON

derjur

Member

What you're describing sounds more appropriate if the /29 subnet was for internal use, but this is an external range, which I expected to have to statically NAT to internal addresses. Does that still apply to your example?

Also, I'm familiar with HP ProCurve, so any examples you provide would be understood.

zed173
join:2010-07-17
Mississauga, ON

zed173 to derjur

Member

to derjur
See this »supportforums.cisco.com/ ··· /2073232

That's for IOS; it's been some time since I've used an ASA, but I seem to remember the commands were similar.

squircle
join:2009-06-23
OTWAON10

squircle to derjur

Member

to derjur
That's exactly what I'm talking about. You somehow need to assign addresses from your pool to clients behind your ASA. Connect those clients to the switch ports of your ASA with addresses from your /29, and they'll be able to communicate with the outside world. Or maybe I'm just completely screwing everything up (switching, routing and everything network is a blur to me right now; I'm tackling a huge iBGP issue right now and... well, yeah).

LondonDave
Premium Member
join:2011-09-05
London, ON
·Acanac

LondonDave to derjur

Premium Member

to derjur
The easiest way is to just NAT each of those public IPs on your ASA. You can also set up PAT with a pool of those static addresses. It will NAT 1:1 until it hits the last IP in the pool, at which time it will switch to PAT.

ASA(config)# global (outside) 1 24.0.0.1-24.0.0.5
ASA(config)# global (outside) 1 24.0.0.6
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

You can also use the ASA as a firewall only and simply route from your public IP through the ASA to the /29 block on your network.

Commands vary by ASA code version as well. The commands above are good until 8.2, after which it changes a bit.
derjur
join:2012-07-10
Hamilton, ON

derjur

Member

So this one works:
access-list outside_access_in extended permit tcp any host 206.248.x.x eq ssh log notifications

This does not:
access-list outside_access_in extended permit tcp any host 108.175.x.x eq ssh log notifications

This one works:
static (inside,outside) tcp interface ssh 172.20.2.65 ssh netmask 255.255.255.255

This does not:
static (inside,outside) tcp 108.175.x.x ssh 172.20.2.10 ssh netmask 255.255.255.255

I have a feeling that my /29 is not getting picked up by the ASA at all. Is this something that Tek Savvy can help with?

I may repost this in the direct support forum as well.
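For ASA 8.3 and later, where LondonDave notes the commands change, the 8.2-style NAT pool and the static SSH forward quoted in the posts above translate to object NAT as sketched here. This is an added example, not configuration from any poster: the object names are hypothetical, and 203.0.113.10 is a constructed stand-in for the masked 108.175.x.x address.

```cisco
! Added example for ASA 8.3+ (object NAT). Object names are hypothetical.

! --- Dynamic NAT with PAT fallback (replaces "global (outside) 1 ..." + "nat (inside) 1 ...") ---
object network PUBLIC-NAT-RANGE
 range 24.0.0.1 24.0.0.5
object network PUBLIC-PAT-ADDR
 host 24.0.0.6
! A group holding a range and a host: the range is handed out 1:1 first,
! then the host address is used for PAT once the range is exhausted.
object-group network PUBLIC-NAT-PAT
 network-object object PUBLIC-NAT-RANGE
 network-object object PUBLIC-PAT-ADDR
object network INSIDE-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic PUBLIC-NAT-PAT

! --- Static port forward for SSH (replaces "static (inside,outside) tcp ... ssh ...") ---
! 203.0.113.10 is a constructed placeholder for one address out of the routed /29.
object network SSH-HOST
 host 172.20.2.10
 nat (inside,outside) static 203.0.113.10 service tcp ssh ssh

! From 8.3 on, interface ACLs match the REAL (inside) address, not the mapped
! public one, so the permit names 172.20.2.10 rather than the /29 address.
access-list outside_access_in extended permit tcp any host 172.20.2.10 eq ssh log notifications
```

Narrowing the `any` source in the SSH permit to known management addresses keeps the forwarded port from being reachable by the whole Internet.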

Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON

Inssomniak

Premium Member

You can do a quick test by assigning one of the IPs in the /29 to an interface on your router. I'm not familiar with your particular one.

Then Ping it.

The /29 should be routed to the PPPoE Static IP address by TSI.

rodjames
Premium Member
join:2010-06-19

rodjames to derjur

Premium Member

to derjur
You need to set up a vlan with port mirroring for each IP you wish to NAT.

KaylaIT
FTTB
Premium Member
join:2012-07-26
Calgary, AB

KaylaIT to derjur

Premium Member

to derjur
Do what Inssomniak suggested; you should also be able to assign one of the addresses from the /29 as the default gateway is an interface and not an IP. If this does not work then you will need to get Teksavvy to confirm the routing is set up properly.
derjur
join:2012-07-10
Hamilton, ON

derjur

Member

UPDATE:

I had signed up for the IPv6 beta, and as such was given an alternate login for PPPoE (@hsiservice.net). My /29 was applied to my original TSI login (@teksavvy.com) so those IPs were never being pushed down to my ASA.

Once I switched back to the TSI account, my ASA picked them up immediately.

rodjames
Premium Member
join:2010-06-19

rodjames

Premium Member

nice pebkac