!!!Problem with private WAN interface on MPLS
PhildoBaggins
Member Posts: 276
in CCNP
I have a couple ASAs in the Bahamas that were setup with MPLS as the primary internet connection.
The ASA's WAN interface is a 192.x.x.2 and the default router/gateway is 192.x.x.1
From what I can see the client bought a /29 block of public IPs. All the IPs must be routed to the 192.x.x.2 interface.
I setup a 1 to 1 NAT so I could put their Windows server in the ole internets. But here is my problem.
I need to setup a few tunnels to and from this ASA. How the heck can I get my ASA's WAN interface working on a public IP? If all the IPs are routed to it I would think "create a virtual interface" but that doesn't work. I can put anything behind the ASA on a NAT to one of the public IPs but how can I do the same for the ASA WAN, is this something I need to take up with the ISP?
I'm not very experienced on the ASA but the other engineers here have not had luck with this either.
Comments
-
networker050184 Mod Posts: 11,962 Mod
Not really sure what you are asking here. You want your outside interface that connects to the ISP to change addressing? If so, you will have to get with the provider to have them change the other side of the link as well.
An expert is a man who has made all the mistakes which can be made.
-
PhildoBaggins Member Posts: 276
That's the conclusion the other guys here and I came up with. For some reason they have a public block assigned to a private IP which has to NAT the publics. It's a goofy reverse of what you think should happen setup.
-
Forsaken_GA Member Posts: 4,024
Unless I'm totally misunderstanding you, you really shouldn't need to use NAT unless you want to. It sounds like they're routing your IPs to you over a /30 or something of the like, and if that's the case, it's no big deal. Your interface to the service provider is going to have the private address, but the other side of the interface on your network can be addressed with the public address you want to use as the gateway, and then your hosts behind that can be addressed with public IPs. Then you just default route everything to the provider's gateway address, and they'll handle the public routing from there.
I used to do this kind of thing all the time for our customers who wanted their own netblocks on their own equipment, but didn't want to run BGP with us (because there's not a chance in hell I'm letting those folks participate in my IGP).
I haven't done a lot with ASAs, but is there any reason you couldn't create the tunnel using the gateway interface, passing through the WAN interface?
-
phoeneous Member Posts: 2,333
Forsaken_GA wrote: »Unless I'm totally misunderstanding you
I'm confused too.
It sounds like the ISP terminates the /29 circuit with their own equipment like an Adtran and then hits the ASA with a /30.
I work better with pictures
-
Forsaken_GA Member Posts: 4,024
phoeneous wrote: »I'm confused too.
It sounds like the ISP terminates the /29 circuit with their own equipment like an Adtran and then hits the ASA with a /30.
I work better with pictures
The below leads me to believe otherwise, or at least, that it's irrelevant -
PhildoBaggins wrote: »The ASA's WAN interface is a 192.x.x.2 and the default router/gateway is 192.x.x.1
From what I can see the client bought a /29 block of public IPs. All the IPs must be routed to the 192.x.x.2 interface.
So that tells me that the ISP probably has a nailed up route that points the /29 to 192.x.x.2 as the next hop. If that's the case, then his 'WAN' interface should be addressed as 192.x.x.2, but his 'LAN' (or inside, or whatever you want to call it - the interface that the gear behind his network will be using to egress) interface should be addressable with a public IP that the gear behind it can use as the gateway address, and then the gear behind it can be addressed with public IPs. Then the ASA just needs a default route pointing to 192.x.x.1, and that would enable bi-directional communication.
So traffic destined for the customer's /29 comes into their network, they deliver it to the defined next hop address (the fact that the next hop is a private address is totally irrelevant). Once the packet hits that machine, it looks at the destination, sees it's addressed for a network it has an interface in, and then spits it out that interface for delivery.
Traffic sourced from the customer's /29 comes sourced from a public IP, it gets to the gateway address for its network. The ASA looks and sees it doesn't have a route for that, so drops it out the default route, which is set for the next hop for 192.x.x.1. The ISP's router receives it and then takes care of delivering it through normal routing means.
So unless I'm making some highly invalid assumptions, or the ISP is doing some weird crap, there are no requirements for NAT involved, and the OP should be able to use the ASA's LAN interface as a tunnel source and/or tunnel endpoint.
-
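The addressing Forsaken_GA describes, written out as an ASA configuration fragment. This is an added example, not configuration from the thread or from the OP's ASA: the link addresses 192.0.2.1/192.0.2.2 are constructed stand-ins for 192.x.x.1/192.x.x.2, 203.0.113.0/29 is a constructed stand-in for the client's public /29, and the interface names, the server address and the access-list are assumptions.

```cisco
! Constructed example: 192.0.2.1 = ISP gateway, 192.0.2.2 = ASA outside
! (standing in for 192.x.x.1 / 192.x.x.2 in the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! The inside interface carries the first usable address of the public /29
! and is the default gateway for the public hosts behind it
! (the Windows server is assumed to sit at 203.0.113.2)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 203.0.113.1 255.255.255.248
!
! Default route to the ISP next hop; the ISP's static route for the /29
! points back at 192.0.2.2, so the private link address never matters
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! No NAT is configured for the /29: on ASA 8.3+ traffic passes untranslated
! unless a nat statement matches it, so the old 1:1 static NAT for the server
! is simply removed. Inbound sessions from the Internet still need an
! explicit access-list on outside because of the default security levels.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Check: simulate an Internet client (constructed source 198.51.100.10)
! reaching the server; the trace should route via inside, hit the ACL
! and show no NAT phase
packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.2 443
show route
```

The fragment covers only the routed-block addressing and the absence of NAT; sourcing a VPN tunnel from the inside address is the part of the thread left open.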
PhildoBaggins Member Posts: 276
The ISP is doing some weird crap. They wanted us to put a router in front of the ASA and double NAT everything.....apparently they are the only large ISP on this island. My client has a contact in the local government which has a financial stake in the company. It's such a stupid setup it makes me and everyone here get a little dumber every time we look for a solution.
-
Forsaken_GA Member Posts: 4,024
I'd have to see your provisioning details to see what's going on then, they may have a good reason for it, but nothing I can think of off the top of my head. From the details you've provided, it sounds like one side or the other is being idiotic. If all they're doing is static routing your allocation to an interface on your equipment, they shouldn't have any further say in it. As long as the packets addressed to your /29 make it to that interface, you should be able to do whatever you want on your gear behind that interface.
Personally, I'd get someone at the ISP on the phone, and not let them off until they could tell me exactly the reasons behind this architecture, or transferred me to someone who could.
-
vinbuck Member Posts: 785
phoeneous wrote: »I'm confused too.
It sounds like the ISP terminates the /29 circuit with their own equipment like an Adtran and then hits the ASA with a /30.
I work better with pictures
I'd find out what kind of equipment they are using to drop in this connection and how they are delivering it to you, then draw it out and start labeling everything so you can look at the topology and determine exactly what you need to do to config the ASA.
Do you have management access to any of this stuff? Turn CDP on and see if you get anything. If you're desperate you could always get the MAC address of the equipment the ASA is connected to and look it up.
Cisco was my first networking love, but my "other" router is a Mikrotik...