Cisco ASA5505-BUN-K9: Can I have multiple static IPs?

Can I have multiple (3) static IP addresses for my ASA5505-BUN-K9 and have different routing rules for each IP?  If so, how?

I am somewhat familiar with the PIX 506.  With a single IP, you just set up some access-list entries and some static entries and you're off and running.  I've never configured a device to take multiple IP addresses, so I'm not sure how this would work, but this is what I'd be going for:

IP address 1:
all outgoing requests use this IP address (i.e. computers on my network will always use this IP when surfing the web)

IP address 2:
Ports 80, 443, and a few others will go to various machines

IP address 3:
Ports 80 and 443 go to one machine

Also, and I'm not sure if this can be done, it would be nice if VPN connections were only accepted on IP address 3.  While specific commands to do this would be the most helpful and appreciated, just knowing if this can be done or where to look would be helpful.  Thanks!
stev0931Asked:
Who is Participating?
 
rsivanandanConnect With a Mentor Commented:
Apparently that is how most of the enterprise works!

So when you buy 3 static ips from your ISP, they will route all the requests to those ip addresses to your network and in PIX firewall you can configure this to work the way you want.

Say IP address1, you want to use it for all outgoing connections; Assign it to the outside interface of the PIX firewall and then;

global(outside)1 interface
nat(inside)1 0.0.0.0 0.0.0.0

Say IP address2, it needs to be redirected to an internal_IPAddress1 for 80 and 443;

static(inside,outside)<IP Address2> <Internal_IPAddress1> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address2> eq 80
access-list <name> permit tcp any host <IP Address2> eq 443
access-group <name> in interface outside

Say IP address3, it needs to be redirected to another internal_IPAddress2 for 80 and 443;

static(inside,outside)<IP Address3> <Internal_IPAddress2> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address3> eq 80
access-list <name> permit tcp any host <IP Address3> eq 443
access-group <name> in interface outside

That would be the full configuration of what you're asking.

Cheers,
Rajesh

0
 
calvinetterConnect With a Mentor Commented:
Here's an example:

  IP address 1:
nat (inside) 1 0 0
global (outside) 1 4.1.1.1

  IP address 2:
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443

  IP address 3:
interface vlan2    <- factory default for ASA5505 is: outside interface is vlan 2
   ip address outside 4.1.1.3 255.255.255.248   <- VPN connections can terminate here
   no shut
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443

access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside

   ASA Configuration Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
   ASA command references:
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

cheers
0
 
calvinetterConnect With a Mentor Commented:
BTW, also be sure to run "clear xlate" after you create your static NAT entries, or anytime make changes to your NAT config, including 'nat' & 'global' statements.

cheers
0
 
stev0931Author Commented:
Excellent!  Can't wait to give this a try!  Based off of the commands above, it looks like I'd also be able to enable ICMP on just one IP - which will be an extra plus!  Thanks!
0
All Courses

From novice to tech pro — start learning today.