Solved

Cisco ASA5505-BUN-K9: Can I have multiple static IPs?

Posted on 2006-11-04
253 Views
Last Modified: 2013-11-16
Can I have multiple (3) static IP addresses for my ASA5505-BUN-K9 and have different routing rules for each IP?  If so, how?

I am somewhat familiar with the PIX 506.  With a single IP, you just set up some access-list entries and some static entries and you're off and running.  I've never configured a device to take multiple IP addresses, so I'm not sure how this would work, but this is what I'd be going for:

IP address 1:
all outgoing requests use this IP address (i.e. computers on my network will always use this IP when surfing the web)

IP address 2:
Ports 80, 443, and a few others will go to various machines

IP address 3:
Ports 80 and 443 go to one machine

Also, and I'm not sure if this can be done, it would be nice if VPN connections were only accepted on IP address 3.  While specific commands to do this would be the most helpful and appreciated, just knowing if this can be done or where to look would be helpful.  Thanks!
Question by:stev0931
4 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 110 total points
ID: 17875534
Apparently that is how most enterprises work!

So when you buy 3 static IPs from your ISP, they will route all requests for those IP addresses to your network, and in the PIX firewall you can configure this to work the way you want.

Say you want to use IP address 1 for all outgoing connections: assign it to the outside interface of the PIX firewall and then:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Say IP address 2 needs to be redirected to Internal_IPAddress1 for ports 80 and 443:

static (inside,outside) <IP Address2> <Internal_IPAddress1> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address2> eq 80
access-list <name> permit tcp any host <IP Address2> eq 443
access-group <name> in interface outside

Say IP address 3 needs to be redirected to another host, Internal_IPAddress2, for ports 80 and 443:

static (inside,outside) <IP Address3> <Internal_IPAddress2> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address3> eq 80
access-list <name> permit tcp any host <IP Address3> eq 443
access-group <name> in interface outside

That would be the full configuration of what you're asking.

Cheers,
Rajesh

0
 
LVL 20

Assisted Solution

by:calvinetter
calvinetter earned 140 total points
ID: 17875553
Here's an example:

  IP address 1:
nat (inside) 1 0 0
global (outside) 1 4.1.1.1

  IP address 2:
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443

  IP address 3:
interface Vlan2    <- factory default for ASA5505 is: outside interface is vlan 2
   nameif outside
   ip address 4.1.1.3 255.255.255.248   <- VPN connections can terminate here
   no shutdown
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443

access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside

   ASA Configuration Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
   ASA command references:
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

cheers
0
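As an added example (not code from either answer or from Cisco), here is a small Python 3.8+ audit that reads the static / access-list / access-group lines in the forms both answers above use, resolves the `interface` keyword in a static against the outside VLAN address, and reports which public IP:port pairs actually reach an inside host; a permit with no translation behind it (the constructed sample's port 25 permit on 4.1.1.2) is flagged as a dead rule. The sample config, addresses and the `audit` function are all constructed for this illustration, and the 1:1 `netmask` static form from rsivanandan's answer is handled alongside calvinetter's port-forward form.

```python
import re
# Constructed sample modelled on the three-IP layout in the answers above; it is not a real
# device config, and the permit for 4.1.1.2 port 25 deliberately has no static behind it.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 4.1.1.3 255.255.255.248
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443
access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside
"""

PORT_STATIC = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ONE_TO_ONE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
PERMIT = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\d+)")
APPLY = re.compile(r"^access-group (\S+) in interface outside")

def audit(config):
    # Returns {(public_ip, proto, port): "inside_host:port" or None}; None marks a permit
    # that no static translates, so it can never deliver traffic (a dead rule worth removing).
    outside_ip = nameif = acl_name = None
    port_statics, full_statics, permits = [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "outside":
            outside_ip = line.split()[2]          # 'interface' in a static resolves to this
        elif m := PORT_STATIC.match(line):        # port-forward form (calvinetter's answer)
            port_statics.append(m.groups())
        elif m := ONE_TO_ONE.match(line):         # 1:1 form (rsivanandan's answer)
            full_statics[m.group(1)] = m.group(2)
        elif m := PERMIT.match(line):
            permits.setdefault(m.group(1), []).append((m.group(3), m.group(2), int(m.group(4))))
        elif m := APPLY.match(line):
            acl_name = m.group(1)
    xlate = {(outside_ip if pub == "interface" else pub, proto, int(pp)): f"{priv}:{lp}"
             for proto, pub, pp, priv, lp in port_statics}
    exposure = {}
    for pub, proto, port in permits.get(acl_name, []):   # only the ACL bound to outside counts
        fallback = f"{full_statics[pub]}:{port}" if pub in full_statics else None
        exposure[(pub, proto, port)] = xlate.get((pub, proto, port), fallback)
    return exposure
```

Run `audit(SAMPLE_CONFIG)` and anything mapped to `None` is a permit the firewall accepts but cannot deliver; with a 1:1 static, every port the ACL permits lands on the inside host, which is why the ACL lines matter as much as the static itself.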
 
LVL 20

Assisted Solution

by:calvinetter
calvinetter earned 140 total points
ID: 17876393
BTW, also be sure to run "clear xlate" after you create your static NAT entries, or any time you make changes to your NAT config, including 'nat' & 'global' statements.

cheers
0
 

Author Comment

by:stev0931
ID: 17876498
Excellent!  Can't wait to give this a try!  Based off of the commands above, it looks like I'd also be able to enable ICMP on just one IP - which will be an extra plus!  Thanks!
0
