Cisco ASA5505-BUN-K9: Can I have multiple static IPs?

Posted on 2006-11-04
Last Modified: 2013-11-16
Can I have multiple (3) static IP addresses for my ASA5505-BUN-K9 and have different routing rules for each IP?  If so, how?

I am somewhat familiar with the PIX 506.  With a single IP, you just set up some access-list entries and some static entries and you're off and running.  I've never configured a device to take multiple IP addresses, so I'm not sure how this would work, but this is what I'd be going for:

IP address 1:
all outgoing requests use this IP address (i.e. computers on my network will always use this IP when surfing the web)

IP address 2:
Ports 80, 443, and a few others will go to various machines

IP address 3:
Ports 80 and 443 go to one machine

Also, and I'm not sure if this can be done, it would be nice if VPN connections were only accepted on IP address 3.  While specific commands to do this would be the most helpful and appreciated, just knowing if this can be done or where to look would be helpful.  Thanks!
Question by: stev0931

4 Comments

Accepted Solution

by: rsivanandan earned 110 total points
ID: 17875534
Apparently that is how most enterprises work!

So when you buy 3 static IPs from your ISP, they will route all the requests to those IP addresses to your network, and in the PIX firewall you can configure this to work the way you want.

Say you want to use IP address 1 for all outgoing connections; assign it to the outside interface of the PIX firewall and then:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Say IP address 2 needs to be redirected to an internal_IPAddress1 for 80 and 443:

static (inside,outside) <IP Address2> <Internal_IPAddress1> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address2> eq 80
access-list <name> permit tcp any host <IP Address2> eq 443
access-group <name> in interface outside

Say IP address 3 needs to be redirected to another internal_IPAddress2 for 80 and 443:

static (inside,outside) <IP Address3> <Internal_IPAddress2> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address3> eq 80
access-list <name> permit tcp any host <IP Address3> eq 443
access-group <name> in interface outside

That would be the full configuration of what you're asking.

Cheers,
Rajesh

Assisted Solution

by: calvinetter earned 140 total points
ID: 17875553
Here's an example:

IP address 1:
nat (inside) 1 0 0
global (outside) 1 4.1.1.1

IP address 2:
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443

IP address 3:
interface vlan 2    <- factory default for ASA5505 is: outside interface is vlan 2
   nameif outside
   ip address 4.1.1.3 255.255.255.248   <- VPN connections can terminate here
   no shut
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443

access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside

ASA Configuration Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
ASA command references:
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

cheers
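Added here as an illustration and not part of any answer above: a small Python audit that cross-checks the tcp port statics in the example against the inbound access-list, reporting any ACE that permits a port with no matching static (the port 25 line above is one) and any static that no ACE permits. It assumes the vlan 2 outside address is 4.1.1.3, so `interface` in a static resolves to that IP; the config text is copied from the answer above.

```python
import re

# Sample config lines taken from the answer above (not a live device dump).
SAMPLE_CONFIG = """
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443
access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside
"""

# Port static: static (inside,outside) tcp <global-ip|interface> <gport> <local-ip> <lport>
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) (\S+) (\d+)$")
# Inbound ACE: access-list <name> extended permit tcp any host <global-ip> eq <port>
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)$")


def audit_port_forwards(config, outside_ip):
    """Return (acl_without_static, static_without_acl), each a sorted
    list of (global_ip, port). 'interface' in a static is resolved to
    outside_ip (assumed here to be the vlan 2 address, 4.1.1.3)."""
    statics, aces = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            ip = outside_ip if m.group(1) == "interface" else m.group(1)
            statics.add((ip, int(m.group(2))))
            continue
        m = ACE_RE.match(line)
        if m:
            aces.add((m.group(2), int(m.group(3))))
    # An ACE with no static is permitted traffic the firewall has nowhere to
    # send; a static with no ACE is a translation the ACL silently blocks.
    return sorted(aces - statics), sorted(statics - aces)


if __name__ == "__main__":
    no_static, no_ace = audit_port_forwards(SAMPLE_CONFIG, "4.1.1.3")
    for ip, port in no_static:
        print(f"ACL permits {ip}:{port} but no static translates it")
    for ip, port in no_ace:
        print(f"static for {ip}:{port} exists but no ACE permits it")
```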
Assisted Solution

by: calvinetter earned 140 total points
ID: 17876393
BTW, also be sure to run "clear xlate" after you create your static NAT entries, or any time you make changes to your NAT config, including 'nat' & 'global' statements.

cheers
Author Comment

by: stev0931
ID: 17876498
Excellent!  Can't wait to give this a try!  Based off of the commands above, it looks like I'd also be able to enable ICMP on just one IP - which will be an extra plus!  Thanks!