How do I configure multiple IP's on one interface of my Cisco ASA 5505 and/or 5510

I am new to the world of Cisco networking. I've been a user of consumer grade products for a long time, and have a few 3Com switches and WAP's on my network, but we are needing to do more. So I bought a Cisco ASA 5505 and ASA 5510. I'll be asking all sorts of questions in the near future, but I'm going to start with an easy one (I hope).

How do I assign multiple IP's to one (outside) interface?

I have a block of 5 IP's from Comcast that I want to assign to one interface. Then direct traffic based on port and IP to specific NAT'd addresses.

If our addresses are x.x.110.249-253 / 255.255.255.248, how do I assign all these addresses to one interface?

Thanks
ssittig Asked:

batry_boy Commented:
Hello ssittig,

Basically, you just put static NAT statements in for each IP address specifying both outside public (translated) address and inside private address.  You can implement one-to-one NAT, which essentially maps all TCP/UDP ports from the public to the private address, or you can implement port redirection where you only map specific ports from outside to inside addresses.  Having said that, that doesn't mean you have to allow all those ports through the firewall...it's just for mapping purposes.

To implement one-to-one NAT for your 5 addresses, say to inside IP's 192.168.1.249-253, you would do this:

static (inside,outside) x.x.110.249 192.168.1.249 netmask 255.255.255.255
static (inside,outside) x.x.110.250 192.168.1.250 netmask 255.255.255.255
static (inside,outside) x.x.110.251 192.168.1.251 netmask 255.255.255.255
static (inside,outside) x.x.110.252 192.168.1.252 netmask 255.255.255.255
static (inside,outside) x.x.110.253 192.168.1.253 netmask 255.255.255.255

Note that the above commands DO NOT allow any traffic inbound to those addresses, it just sets up the mapping.  To allow traffic to those addresses, you would use "access-list" statements, like below:

access-list outside_access_in permit tcp any host x.x.110.249 eq smtp
access-group outside_access_in in interface outside

The first "access-list" command above would allow SMTP (e-mail) traffic from any external host on the Internet to IP address x.x.110.249 which maps to inside address 192.168.1.249.  The second "access-group" command then applies that access-list (named "outside_access_in") to the outside interface in an inbound direction.

If you want to just map specific ports from the public addresses to inside addresses, then the static command would take the form:

static (inside,outside) tcp x.x.110.249 smtp 192.168.1.249 smtp netmask 255.255.255.255

The above command would only map the SMTP port from the public address x.x.110.249 to inside address 192.168.1.249.  You would still have to put in the access-list mentioned above to allow inbound SMTP traffic.  With this form of the static command, if you put in an access-list command that tried to allow other port traffic inbound, it wouldn't work because you have only mapped the single port TCP 25 (SMTP) in your static.  That's the difference between this form of the static and the first form presented above.

Hopefully, that will get you off to a good start...good luck!
0
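
An added example, not part of batry_boy's answer: a small Python audit that cross-checks the "static" and "access-list" lines described above and reports which inbound permits actually reach an inside host. The sample config is constructed, 203.0.113.x stands in for the elided x.x.110.x block, and port names are assumed to be written the same way in both commands.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax from the answer above; 203.0.113.x
# is a documentation range standing in for the elided x.x.110.x block.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.249 192.168.1.249 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.250 smtp 192.168.1.250 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.249 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.250 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.250 eq www
access-list outside_access_in permit tcp any host 203.0.113.251 eq https
access-list unused_acl permit tcp any host 203.0.113.249 eq ssh
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"static \(inside,outside\) "
                       r"(?:(tcp|udp) (\S+) (\S+) (\S+) \S+|(\S+) (\S+)) netmask ")
ACE_RE = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")

def audit(config):
    """Return (public_ip, proto, port, inside_ip, verdict) for each inbound permit."""
    lines = [l.strip() for l in config.splitlines()]
    one_to_one, port_maps = {}, {}
    for m in filter(None, map(STATIC_RE.match, lines)):
        if m.group(1):  # port redirection: only this proto/port is translated
            port_maps[(m.group(2), m.group(1), m.group(3))] = m.group(4)
        else:           # one-to-one: every port on the public IP is translated
            one_to_one[m.group(5)] = m.group(6)
    bound = {m.group(1) for m in filter(None, map(GROUP_RE.match, lines))}
    findings = []
    for m in filter(None, map(ACE_RE.match, lines)):
        acl, proto, pub, port = m.groups()
        inside = port_maps.get((pub, proto, port)) or one_to_one.get(pub)
        if acl not in bound:
            verdict = "inactive: ACL not applied to outside"
        elif inside:
            verdict = "exposed"
        else:
            verdict = "dead rule: no static translates this port"
        findings.append((pub, proto, port, inside, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

The "exposed" rows are the real inbound attack surface to review; "dead rule" rows are permits that no translation backs, such as the www permit against a host that only has an SMTP port mapping.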

ssittig (Author) Commented:
Thanks, I'm going to work on that. I appreciate the clear instructions.
0
ssittig (Author) Commented:
When I'm looking at the config for my outside interface, it shows DHCP as the address for the interface. Really I want it to be all 5 IP addresses. Do I need to assign one to it? Or do I just leave it and put in my static routes and access lists? How will the device know that the outside interface is xxx.xxx.110.249-253 if it says the outside address is DHCP? I'm in Configuration-->Interfaces in the ASDM.
0
batry_boy Commented:
If you have cable modem service from your ISP, then that is typically a DHCP assignment for the public interface.  I would leave it at DHCP for the outside interface.  

>>Really I want it to be all 5 IP addresses. Do I need to assign one to it?

You don't assign multiple IP addresses to the interface itself, per se.  You just configure the firewall to proxy ARP for additional addresses that you are mapping to inside addresses.

>>Or do I just leave it and put in my static routes and access lists?

I would leave it alone and just put in your static translations (not routes) and your access list statements.

>>How will the device know that the outside interface is xxx.xxx.110.249-253 if it says the outside address is DHCP?

The outside interface will receive its IP address through DHCP.  Comcast has routed those other 5 public IP addresses to your cable modem circuit and the firewall will be configured to proxy ARP for those addresses.
0
ssittig (Author) Commented:
Thanks. I'm looking forward to gaining better control of my network. Definitely takes a new way of thinking to program the ASA device, even for this simple firewall configuration, than to set up a Linksys router.
0
batry_boy Commented:
Oh, yes...how true, how true.  However, the thing that makes it more complicated also makes it way more versatile than a consumer grade router.  I've been using the Cisco PIX/ASA for years now and they are marvelous devices.
0