Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 262
  • Last Modified:

Cisco ASA5505-BUN-K9: Can I have multiple static IPs?

Can I have multiple (3) static IP addresses for my ASA5505-BUN-K9 and have different routing rules for each IP?  If so, how?

I am somewhat familiar with the PIX 506.  With a single IP, you just set up some access-list entries and some static entries and you're off and running.  I've never configured a device to take multiple IP addresses, so I'm not sure how this would work, but this is what I'd be going for:

IP address 1:
all outgoing requests use this IP address (i.e. computers on my network will always use this IP when surfing the web)

IP address 2:
Ports 80, 443, and a few others will go to various machines

IP address 3:
Ports 80 and 443 go to one machine

Also, and I'm not sure if this can be done, it would be nice if VPN connections were only accepted on IP address 3.  While specific commands to do this would be the most helpful and appreciated, just knowing if this can be done or where to look would be helpful.  Thanks!
0
stev0931
Asked:
stev0931
  • 2
3 Solutions
 
rsivanandanCommented:
Apparently that is how most of the enterprise works!

So when you buy 3 static ips from your ISP, they will route all the requests to those ip addresses to your network and in PIX firewall you can configure this to work the way you want.

Say IP address1, you want to use it for all outgoing connections; Assign it to the outside interface of the PIX firewall and then;

global(outside)1 interface
nat(inside)1 0.0.0.0 0.0.0.0

Say IP address2, it needs to be redirected to an internal_IPAddress1 for 80 and 443;

static(inside,outside)<IP Address2> <Internal_IPAddress1> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address2> eq 80
access-list <name> permit tcp any host <IP Address2> eq 443
access-group <name> in interface outside

Say IP address3, it needs to be redirected to another internal_IPAddress2 for 80 and 443;

static(inside,outside)<IP Address3> <Internal_IPAddress2> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address3> eq 80
access-list <name> permit tcp any host <IP Address3> eq 443
access-group <name> in interface outside

That would be the full configuration of what you're asking.

Cheers,
Rajesh

0
 
calvinetterCommented:
Here's an example:

  IP address 1:
nat (inside) 1 0 0
global (outside) 1 4.1.1.1

  IP address 2:
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443

  IP address 3:
interface vlan2    <- factory default for ASA5505 is: outside interface is vlan 2
   ip address outside 4.1.1.3 255.255.255.248   <- VPN connections can terminate here
   no shut
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443

access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside

   ASA Configuration Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
   ASA command references:
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

cheers
0
 
calvinetterCommented:
BTW, also be sure to run "clear xlate" after you create your static NAT entries, or anytime make changes to your NAT config, including 'nat' & 'global' statements.

cheers
0
 
stev0931Author Commented:
Excellent!  Can't wait to give this a try!  Based off of the commands above, it looks like I'd also be able to enable ICMP on just one IP - which will be an extra plus!  Thanks!
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now