From: Mark Cairns (m.a.cairns@gmail.com)
Date: Tue Mar 31 2009 - 13:19:26 ART
Haroon,
There are some different options on how you do this, but I would recommend
the following as the most direct.
1. Identify the static NATs that you have in place on the ASA for the VIPs
of your load balancer to the outside interface.
2. Replicate those NATs between the inside and private subnet on your new
interface with different "outside" IP addresses.
3. Copy the ACL rules that you have on the outside interface and modify them
to allow access on the new interface to the new "outside" IP addresses.
4. Modify the routing to push the new "outside" IP addresses towards the ASA
from R2 and reverse routing from the ASA to R2 for the 192.168.1 subnet.
5. Make sure the security level of the new interface is lower than the
inside.
There are other ways to accomplish the connectivity but for simplicity, the
five steps above should work for you.
You may want to look into allowing traffic through same security interfaces,
putting the outside of your ASA on a private subnet to R1 and modifying DNS
through the ASA (depending on where you are resolving host names).
Mark
#17755, Security
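As an added illustration of Mark's five steps, not taken from the thread or from any poster's configuration, the fragment below shows what they look like in pre-8.3 ASA syntax (what an ASA 5510 of that era would be running). Everything not stated in the thread is assumed: the third interface is Ethernet0/2 with nameif "corp", R2's address on that segment is 172.16.10.2, the load-balancer VIP behind the inside interface is 192.168.100.10, its existing public mapping is the placeholder 203.0.113.10, and 172.16.10.50 is the new "outside"-style mapped address the corporate desktops will use. Only 172.16.10.1 (the ASA's address on the new interface) and the 192.168.1.x and 10.10.0.x subnets come from the thread itself.

```cisco
! Added example, not from the thread. Assumed: Ethernet0/2 = "corp",
! R2 next hop 172.16.10.2, VIP 192.168.100.10, mapped address 172.16.10.50,
! placeholder public mapping 203.0.113.10. Pre-8.3 ASA syntax.

! Step 5 first: the new interface must sit below inside (100) so that
! inside -> corp is a high-to-low flow that the NAT and ACL below can govern.
interface Ethernet0/2
 nameif corp
 security-level 50
 ip address 172.16.10.1 255.255.255.0
 no shutdown

! Step 1: the static NAT that already exposes the VIP on the outside
! interface (shown here only for comparison; leave the real one untouched).
static (inside,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255

! Step 2: the same VIP replicated between inside and the new interface,
! with a different mapped address on the corp side.
static (inside,corp) 172.16.10.50 192.168.100.10 netmask 255.255.255.255

! Step 3: the outside ACL copied to the new interface. Pre-8.3, an inbound
! ACL on a lower-security interface matches the MAPPED address, so the
! entries reference 172.16.10.50, not the VIP's real 192.168.100.10.
access-list corp_in extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.10.50 eq www
access-list corp_in extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.10.50 eq https
access-group corp_in in interface corp

! Step 4 (ASA side): the reverse route so replies to 192.168.1.x leave via
! corp toward R2 instead of following the default route out to the internet.
route corp 192.168.1.0 255.255.255.0 172.16.10.2 1

! Step 4 (R2 side, IOS): push the mapped address toward the ASA. Because
! 172.16.10.50 is inside the directly connected /24 in this example, the
! ASA's proxy ARP for its static mapping answers for it and no extra route
! is needed; if the mapped block were outside that subnet, R2 would need:
! ip route 172.16.10.50 255.255.255.255 172.16.10.1

! Check: trace a desktop-to-VIP flow through NAT, ACL and routing on the box
! packet-tracer input corp tcp 192.168.1.50 40000 172.16.10.50 80
```

The `packet-tracer` line at the end is the quickest way to confirm each step: its output shows the NAT lookup, the ACL hit and the egress interface in order, so a DROP phase points straight at whichever of the five steps is still missing. The alternative Mark mentions, `same-security-traffic permit inter-interface`, would let two interfaces at the same security level talk without this NAT, but the example keeps the distinct-level design he recommends.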
On Tue, Mar 31, 2009 at 11:49 AM, Ryan DeBerry <rdeberry@gmail.com> wrote:
> Need to see the config or portions of it.
>
> Is there any NAT'ing in place between the 2 environments?
>
> Route should be added to R2
> Route should be added to ASA
>
>
>
> On Tue, Mar 31, 2009 at 3:41 PM, Haroon <itguy.pro@gmail.com> wrote:
>
> > Correct. I've tried putting static route on ASA going back to the
> > 192.168.1.x network, I've tried access list in/out, etc. but no go.
> >
> >
> >
> > On Tue, Mar 31, 2009 at 11:36 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
> >
> > > I'm assuming you have checked your routing going BACK to the 192.168.1.x
> > > network from the LB and ASA?
> > >
> > > "He not busy being born is busy dying" -- Dylan
> > >
> > > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > > Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
> > >
> > > mQGiBEY2qu8RBAD0E7Ydspmpn9/rRfd614pvDaqj4GKAUeWpc8NNJ3xNU9C5TAKg
> > > Ta/52f2DvxgPlw6m7W66AJP0HZODw2ameQ9tNMrz3upKRA+ISFaqkJa99UOTdLGC
> > > W/HtHWZNUJDopBHm3j/TBAAhI0EWvcNIudbHx5zYY4osfDNMaIXYaySwIwCg61Db
> > > RuST/K0PlSUFK9o6AqTmrcsD/ReQLYK/OEzZBQsPBqMD68ADtdYyIA3VZ7nhWCzc
> > > YODiBl36XIskcwyVAnU9YXs/Hf96MfI1R2fvYGW8jJ4WHb3wT1JxgiUG4rUbA2L3
> > > doxNseggGrKC31njFynVuOpdd/TRfsqzV3Yv5MGFPkNG3w/AoiRtwoMZFUtAox3j
> > > EWbBA/4mYkTKS/Rfgpv7QQHj4ajCHsTL/JNSN8LARwbBomUFdJ+0xdNdr7Ax1zC4
> > > FEUfP0plRMLMypKPSNYzlIF8dKGwW2I8hUMfQpmIBA4BXBE0/mbv21lU2AzTkvb1
> > > FssbIzhCkx3mMzESgYIwnnNkJBatTfFqKOxGm//G7s2y1eFPsrQnSm9lIEFzdG9y
> > > aW5vIDxqb2VfYXN0b3Jpbm9AY29tY2FzdC5uZXQ+iGAEExECACAFAkY2qu8CGwMG
> > > CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAb4dzwEzSi9chbAKCTz89zl4etDIdD
> > > Hewo7LNEmfT8uQCgmbneQqTT5VyIEx75nG5KzJh2K2m5Ag0ERjaq7xAIALgM2fwR
> > > tuhRNrwvkYFXTA5grAnnhGqFXPfLt5YlU86QLdu3Z9WJcAAHck1HMCUxdm0gZyNu
> > > q5XQnmr76dbWjftQ+mxYAdhZGjjGV1OQyjfyUoLbxyR0jvaLUTFvMmtxFsHpJvEc
> > > VLscWZUvjPbpcg/BH8EWbDUSCJc70EZMW6TpjyL+1Eq6+n4KB+IWDnn603U3vYFj
> > > ExVfg2CqTIzC/mxAGQ/lg1ujKBnL/VemGpjZzL8jyYVLhAtASTWnwuaL1Sf2kCYh
> > > fApP+06YxkQ39BrJmi7Dg6s5zeRu4le57kPLVAGK0ZYRbaq5asAi9Ni5j/ZLdh/b
> > > F3oUgAOTPQtqbi8AAwUH/1n9jpOXRX7LsfsI5K4gVhHYPUYuy5WuRRxJZ6Y1JbOq
> > > UfePLg+cutaxE8RAvEY1VZvNTvEt7UYPoA3qR3lb4IzLqJimbbKGhhVdHIOYLGnz
> > > nxiwfo4S+my9GEYKLb3iHIR1DCfihhDryVlFYGAMCPNh0w2sNSSenP4cZBuD6V1J
> > > QLitW9aZoURMvtFYU8aO/BlZ7hVlRVNU5juwwAM5t2n2gBeRhMthaAR7OApDypvB
> > > 1TM+BeSDchieEAFNkX4leSMbFgP3CJmAXMJXKj8MQmsR8gdccUHGplGFI6IzNklm
> > > L/eWLdhAZsM+LsAo4MpoJzPoQyFIH7wmIPm4b/z7YZmISQQYEQIACQUCRjaq7wIb
> > > DAAKCRAb4dzwEzSi9XiWAKCdDtdnTW9X/6rHxQL/obNiZsEtEwCgrlmYisNacJyf
> > > 74k/eLaYWYqu7YI=
> > > =8HMA
> > > -----END PGP PUBLIC KEY BLOCK-----
> > >
> > > ----- Original Message -----
> > > From: "Haroon" <itguy.pro@gmail.com>
> > > To: "Joe Astorino" <joe_astorino@comcast.net>
> > > Cc: "Cisco certification" <ccielab@groupstudy.com>
> > > Sent: Tuesday, March 31, 2009 11:34:15 AM GMT -05:00 US/Canada Eastern
> > > Subject: Re: Second LAN Interface on ASA 5510
> > >
> > > Well, I did that, I can reach the 172.16.10.1 address on ASA, but it
> > > doesn't go anywhere after that to the load balancer (192.168.100.1) or
> > > even the 10.10.0.x network, where the web servers are.
> > >
> > > Thanks,
> > >
> > > Haroon
> > >
> > > On Tue, Mar 31, 2009 at 11:22 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
> > >
> > >> So maybe I am missing something, why not just put a static route there
> > >> that points the users from 192.168.1.x heading towards the web servers,
> > >> to the ASA?
> > >>
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "itguy pro" <itguy.pro@gmail.com>
> > >> To: "Joe Astorino" <joe_astorino@comcast.net>
> > >> Cc: "Cisco certification" <ccielab@groupstudy.com>
> > >> Sent: Tuesday, March 31, 2009 11:20:08 AM GMT -05:00 US/Canada Eastern
> > >> Subject: Re: Second LAN Interface on ASA 5510
> > >>
> > >> Hi joe,
> > >>
> > >> That is what we are trying to set up now... They shouldn't be going out
> > >> to get to the 10.10.0.x subnet.
> > >>
> > >>
> > >> Thanks
> > >>
> > >> Sent via BlackBerry from T-Mobile
> > >>
> > >> ------------------------------
> > >> *From*: Joe Astorino
> > >> *Date*: Tue, 31 Mar 2009 15:17:05 +0000 (UTC)
> > >> *To*: Haroon<itguy.pro@gmail.com>
> > >> *Subject*: Re: Second LAN Interface on ASA 5510
> > >>
> > >> Forgive me because I'm not really an ASA guy (yet), but I am wondering,
> > >> why are the users on 192.168.1.x routing out to the internet to get to a
> > >> private internal subnet? Is there some sort of NAT going on or something?
> > >> Why not solve the problem using normal routing?
> > >>
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Haroon" <itguy.pro@gmail.com>
> > >> To: "Cisco certification" <ccielab@groupstudy.com>
> > >> Sent: Tuesday, March 31, 2009 11:06:31 AM GMT -05:00 US/Canada Eastern
> > >> Subject: Second LAN Interface on ASA 5510
> > >>
> > >> Hello Experts,
> > >>
> > >> We phased out our PIX recently and upgraded to ASA 5510. I was able to
> > >> convert the config over from pix and everything seems to be working fine
> > >> (A to B on diagram). Now, I want to connect 3rd interface on ASA to our
> > >> corporate LAN where staff users on desktops access web servers on
> > >> 10.10.0.x subnet. Right now they are going out to the internet (R-2) and
> > >> then coming back into the R-1. I need to be able to reach 10.10.0.x subnet
> > >> from 192.168.1.x (Y to Z on diagram) without breaking the main config
> > >> (A to B) on the ASA.
> > >>
> > >> Here is a diagram:
> > >> http://www.ccie.pro/ASA-RT.jpg
> > >> (asa config available upon request)
> > >>
> > >> I can ping the 172.16.10.x addresses from where the desktops are... any
> > >> hints would be greatly appreciated.
> > >>
> > >> Thanks,
> > >>
> > >> Haroon
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART