Solved

Cisco ASA5505-BUN-K9: Can I have multiple static IPs?

Posted on 2006-11-04
Last Modified: 2013-11-16
Can I have multiple (3) static IP addresses for my ASA5505-BUN-K9 and have different routing rules for each IP?  If so, how?

I am somewhat familiar with the PIX 506.  With a single IP, you just set up some access-list entries and some static entries and you're off and running.  I've never configured a device to take multiple IP addresses, so I'm not sure how this would work, but this is what I'd be going for:

IP address 1:
all outgoing requests use this IP address (i.e. computers on my network will always use this IP when surfing the web)

IP address 2:
Ports 80, 443, and a few others will go to various machines

IP address 3:
Ports 80 and 443 go to one machine

Also, and I'm not sure if this can be done, it would be nice if VPN connections were only accepted on IP address 3.  While specific commands to do this would be the most helpful and appreciated, just knowing if this can be done or where to look would be helpful.  Thanks!
Question by:stev0931

Accepted Solution

by:
rsivanandan earned 110 total points
ID: 17875534
Apparently that is how most of the enterprise works!

So when you buy 3 static IPs from your ISP, they will route all the requests to those IP addresses to your network, and in the PIX firewall you can configure this to work the way you want.

Say IP address 1, you want to use it for all outgoing connections; assign it to the outside interface of the PIX firewall and then:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Say IP address 2, it needs to be redirected to an internal_IPAddress1 for 80 and 443:

static (inside,outside) <IP Address2> <Internal_IPAddress1> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address2> eq 80
access-list <name> permit tcp any host <IP Address2> eq 443
access-group <name> in interface outside

Say IP address 3, it needs to be redirected to another internal_IPAddress2 for 80 and 443:

static (inside,outside) <IP Address3> <Internal_IPAddress2> netmask 255.255.255.255

access-list <name> permit tcp any host <IP Address3> eq 80
access-list <name> permit tcp any host <IP Address3> eq 443
access-group <name> in interface outside

That would be the full configuration of what you're asking.

Cheers,
Rajesh


Assisted Solution

by:calvinetter
calvinetter earned 140 total points
ID: 17875553
Here's an example:

  IP address 1:
nat (inside) 1 0 0
global (outside) 1 4.1.1.1

  IP address 2:
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443

  IP address 3:
! factory default for ASA5505: the outside interface is vlan 2
interface vlan2
   ! VPN connections can terminate here
   ip address 4.1.1.3 255.255.255.248
   no shut
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443

access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside

   ASA Configuration Guides:
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
   ASA command references:
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

cheers
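
An added example, not part of the original answer: a small Python check that the ACL applied to the outside interface and the static PAT entries shown above agree with each other. The function name `audit`, the embedded sample text and the numeric-port-only parsing are assumptions of this example; "interface" in a static line is resolved to the outside address passed in.

```python
import re

# Constructed sample: the static PAT and ACL lines from the answer above.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 4.1.1.2 80 172.16.3.1 80
static (inside,outside) tcp 4.1.1.2 443 172.16.3.2 443
static (inside,outside) tcp interface 80 172.16.3.3 80
static (inside,outside) tcp interface 443 172.16.3.3 443
access-list inbound extended permit tcp any host 4.1.1.2 eq 25
access-list inbound extended permit tcp any host 4.1.1.2 eq 80
access-list inbound extended permit tcp any host 4.1.1.2 eq 443
access-list inbound extended permit tcp any host 4.1.1.3 eq 80
access-list inbound extended permit tcp any host 4.1.1.3 eq 443
access-group inbound in interface outside
"""

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def audit(config, outside_ip):
    """Return (permits_without_static, statics_without_permit)."""
    statics, permits, bound = set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            proto, pub, port = m.group(1), m.group(2), int(m.group(3))
            # 'interface' means the outside interface's own address
            pub = outside_ip if pub == "interface" else pub
            statics.add((proto, pub, port))
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(1), set()).add(
                (m.group(2), m.group(3), int(m.group(4))))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    allowed = permits.get(bound, set())  # only the ACL bound to outside counts
    return sorted(allowed - statics), sorted(statics - allowed)


if __name__ == "__main__":
    no_static, no_permit = audit(SAMPLE_CONFIG, "4.1.1.3")
    print("permitted but not translated:", no_static)
    print("translated but not permitted:", no_permit)
```

On the sample, the port 25 permit for 4.1.1.2 is reported because no static entry forwards that port, so the rule opens nothing yet but would take effect as soon as a matching translation is added.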

Assisted Solution

by:calvinetter
calvinetter earned 140 total points
ID: 17876393
BTW, also be sure to run "clear xlate" after you create your static NAT entries, or anytime you make changes to your NAT config, including 'nat' & 'global' statements.

cheers

Author Comment

by:stev0931
ID: 17876498
Excellent!  Can't wait to give this a try!  Based off of the commands above, it looks like I'd also be able to enable ICMP on just one IP - which will be an extra plus!  Thanks!