Routing between Subnets on Cisco ASA
-
What we have here is a mess that I am looking to try and clean up a little. Simply put, we need a workstation on our internal production LAN to communicate to a DVR on a separate subnet (same physical network infrastructure) and run the software that can monitor security camera feeds.
At a particular site of ours, we have Charter Business coax with two usable public IP addresses. We started with one public IP address and then added a second public IP address not too long ago. We have some security cameras at the site which required a public address with static NAT configured so our security monitoring company could monitor the camera traffic.
Now, when Charter gave us another IP address, they gave us one on a different subnet than the first public IP. At the time, we needed something in place quickly and ended up putting a Cisco RV180 we had lying around in place, configured with the second public IP and configured with the proper NAT to get the monitoring working properly.
So what we have in place now is this:
- Cisco ASA 5505 configured with 1 public IP using NAT with PAT (outside interface connected to the Charter modem); the inside interface is 10.0.1.0/24 (production LAN); device set up for DHCP and DNS
- Cisco RV180 configured with 1 public IP using static NAT (WAN interface connected to the Charter modem); the inside interface is 10.192.0.0/24 (subnet for cameras only); DHCP is off
- All cameras as well as the DVR are on the 10.192.0.0/24 subnet (configured this way by the vendor who put them in place). The DVR as well as all cameras are configured with static IP addresses.
The wiring for the cameras goes through some of the same L2 switches used for our production LAN (could not physically separate in the beginning).
I'm thinking we have a few options. I'm leaning toward option 1 but want to make sure that will work on the Cisco ASA.
- Take out the RV180. Set up two new interfaces on the ASA.
  - Make a new inside interface on Ethernet0/6, for example, and set it as 10.192.0.254. Connect a switch to this port that has cameras / the DVR connected to it.
  - Make a new outside interface on Ethernet0/7, for example. Set it to the public IP for camera traffic, and connect that port to the Charter modem. It will be plugged into the Charter modem instead of the RV180.
  - Set up the static NAT for access to the DVR on the new outside interface.
  - Set up static routes to send anything on 10.192.0.0/24 to the proper outside interface with the public IP for cameras and anything on 10.0.1.0/24 to the outside interface already configured. Set up static routes on the correct inside interfaces so devices on the two subnets can communicate. Would that work? Will ACLs give me trouble here (like the implicit incoming rules for the inside interface)?
- Figure out how to route traffic between subnets using the RV180 and ASA 5505. I do not have high hopes for that.
- Get a PCI NIC for this workstation and set it to a static IP on the camera subnet while the NIC on the motherboard remains on the production LAN.
I wouldn't call myself a routing and switching guy, so any advice is much appreciated here.
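A worked version of option 1 as an added example, not a configuration from this thread or from any of its posters; it assumes ASA software 8.3 or later (object NAT syntax). Placeholder values: 203.0.113.10/29 with gateway 203.0.113.9 for the second public IP, 10.192.0.10 for the DVR, 10.0.1.50 for the monitoring workstation, 198.51.100.0/24 for the monitoring company, and TCP 8000 for the DVR port. On a 5505 the Ethernet0/x ports are switchports, so the layer-3 settings go on VLAN interfaces, and a fourth VLAN requires the Security Plus license.

```cisco
! Camera subnet gets its own inside VLAN, second public IP its own outside VLAN.
interface Vlan3
 nameif cameras
 security-level 50
 ip address 10.192.0.254 255.255.255.0
interface Vlan4
 nameif outside2
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/6
 switchport access vlan 3
interface Ethernet0/7
 switchport access vlan 4
!
! Placeholder objects (addresses are not from the thread).
object network dvr
 host 10.192.0.10
object network monitoring-ws
 host 10.0.1.50
object network monitoring-company
 subnet 198.51.100.0 255.255.255.0
object network cameras-net
 subnet 10.192.0.0 255.255.255.0
!
! Port-forward the DVR on the second public IP, which is outside2's own address.
object network dvr
 nat (cameras,outside2) static interface service tcp 8000 8000
! Keep LAN<->camera traffic un-NATed even if the existing PAT rule is nat (inside,any).
nat (inside,cameras) source static any any destination static cameras-net cameras-net
!
! From the internet, only the monitoring company may reach the DVR port.
access-list outside2_in extended permit tcp object monitoring-company object dvr eq 8000
access-group outside2_in in interface outside2
!
! Production LAN -> cameras: only the monitoring workstation, only to the DVR.
! An ACL on "inside" replaces the implicit permit-to-lower-security rule, hence
! the final permit that keeps normal internet access working.
access-list inside_in extended permit tcp object monitoring-ws object dvr eq 8000
access-list inside_in extended deny ip any object cameras-net
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
! Cameras may not initiate into the production LAN; only the DVR may go out.
access-list cameras_in extended deny ip any 10.0.1.0 255.255.255.0
access-list cameras_in extended permit ip object dvr any
access-group cameras_in in interface cameras
! Both LANs are directly connected, so no routes between them. The ASA keeps its
! single default route via "outside"; a specific route sends the monitoring
! company's traffic (and so replies to it) back out outside2.
route outside2 198.51.100.0 255.255.255.0 203.0.113.9 1
```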
-
-
I don't think you need to use static routes for this; you just need to set up your inbound and outbound NAT maps. That is, I'm assuming you want both inbound traffic on the second public IP to come to the camera system and you want outbound to be on this IP as well, rather than the default WAN IP?
Here's some more info on it: https://supportforums.cisco.com/discussion/11028221/asa-outbound-policy-nat-not-working
-
Wait, I noticed you said something about connecting two modems. Are the IP addresses mapped to two different modems then? If so, you will need static routes.
-
@thecreativeone91 said:
Wait, I noticed you said something about connecting two modems. Are the IP addresses mapped to two different modems then? If so, you will need static routes.
The routers connect to the same modem. They just have public IPs on different subnets.
-
@thecreativeone91 said:
I don't think you need to use static routes for this; you just need to set up your inbound and outbound NAT maps. That is, I'm assuming you want both inbound traffic on the second public IP to come to the camera system and you want outbound to be on this IP as well, rather than the default WAN IP?
Here's some more info on it: https://supportforums.cisco.com/discussion/11028221/asa-outbound-policy-nat-not-working
You are correct.
-
@NetworkNerd said:
@thecreativeone91 said:
Wait, I noticed you said something about connecting two modems. Are the IP addresses mapped to two different modems then? If so, you will need static routes.
The routers connect to the same modem. They just have public IPs on different subnets.
Same modem doesn't need static routes then. If they (the ISP) have the routes configured, you can take them over the same WAN interface. That's the only way I've done it before, even with different subnets. It's really just a virtual IP/alias to the router.
And apparently I'm not the only one: http://serverfault.com/questions/367671/cisco-asa-multiple-public-subnets
-
If you want traffic on 10.0.1.0/24 to be able to hit the cameras at 10.192.0.0/24, why not simply connect the DVR cameras to Eth0/6 and then configure the ASA to route between 10.0.1.0 and 10.192.0.0?
That completely eliminates the need to go out to the internet and then turn around and come right back in. You should also be able to configure the default route for the 10.192 subnet to go out the second cable modem on Eth0/7.