How do I configure multiple IP's on one interface of my Cisco ASA 5505 and/or 5510

I am new to the world of Cisco networking. I've been a user of consumer grade products for a long time, and have a few 3Com switches and WAP's on my network, but we are needing to do more. So I bought a Cisco ASA 5505 and ASA 5510. I'll be asking all sorts of questions in the near future, but I'm going to start with an easy one (I hope).

How do I assign multiple IP's to one (outside) interface?

I have a block of 5 IP's from Comcast that I want to assign to one interface. Then direct traffic based on port and IP to specific NAT'd addresses.

If our addresses are x.x.110.249-253 / 255.255.255.248, how do I assign all these addresses to one interface?

Thanks
ssittig Asked:
 
batry_boy Commented:
Hello ssittig,

Basically, you just put static NAT statements in for each IP address specifying both outside public (translated) address and inside private address.  You can implement one-to-one NAT, which essentially maps all TCP/UDP ports from the public to the private address, or you can implement port redirection where you only map specific ports from outside to inside addresses.  Having said that, that doesn't mean you have to allow all those ports through the firewall...it's just for mapping purposes.

To implement one-to-one NAT for your 5 addresses, say to inside IP's 192.168.1.249-253, you would do this:

static (inside,outside) x.x.110.249 192.168.1.249 netmask 255.255.255.255
static (inside,outside) x.x.110.250 192.168.1.250 netmask 255.255.255.255
static (inside,outside) x.x.110.251 192.168.1.251 netmask 255.255.255.255
static (inside,outside) x.x.110.252 192.168.1.252 netmask 255.255.255.255
static (inside,outside) x.x.110.253 192.168.1.253 netmask 255.255.255.255

Note that the above commands DO NOT allow any traffic inbound to those addresses, it just sets up the mapping.  To allow traffic to those addresses, you would use "access-list" statements, like below:

access-list outside_access_in permit tcp any host x.x.110.249 eq smtp
access-group outside_access_in in interface outside

The first "access-list" command above would allow SMTP (e-mail) traffic from any external host on the Internet to IP address x.x.110.249 which maps to inside address 192.168.1.249.  The second "access-group" command then applies that access-list (named "outside_access_in") to the outside interface in an inbound direction.

If you want to just map specific ports from the public addresses to inside addresses, then the static command would take the form:

static (inside,outside) tcp x.x.110.249 smtp 192.168.1.249 smtp netmask 255.255.255.255

The above command would only map the SMTP port from the public address x.x.110.249 to inside address 192.168.1.249.  You would still have to put in the access-list mentioned above to allow inbound SMTP traffic.  With this form of the static command, if you put in an access-list command that tried to allow other port traffic inbound, it wouldn't work because you have only mapped the single port TCP 25 (SMTP) in your static.  That's the difference between this form of the static and the first form presented above.

Hopefully, that will get you off to a good start...good luck!
0
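
An added example, not part of batry_boy's answer or any Cisco tooling: a small Python check that reads a configuration in the static/access-list syntax shown above and reports which inbound permits line up with a static mapping and which cannot pass traffic (a permit for a port that a port-redirect static does not map, or an access-list never applied with access-group). The sample config is constructed, with 203.0.113.x standing in for the masked x.x.110.x block, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample in the pre-8.3 "static" syntax used in the answer above.
# 203.0.113.x stands in for the masked x.x.110.x block; not a real device config.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.249 192.168.1.249 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.250 smtp 192.168.1.250 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.249 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.250 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.250 eq www
access-list outside_access_in permit tcp any host 203.0.113.251 eq https
access-group outside_access_in in interface outside
"""

# Assumption: service names/ports are compared literally ("smtp" does not equal "25").
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) "
    r"(?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit(config):
    """Return (reachable, dead): permits backed by a static mapping, and permits that are not."""
    one_to_one = {}   # public IP -> inside IP (every port is mapped)
    redirects = {}    # (proto, public IP, port) -> (inside IP, inside port)
    permits, applied = [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            if m.group(3):   # port-redirect form: only this one port is mapped
                redirects[(m.group(3), m.group(4), m.group(5))] = (m.group(6), m.group(7))
            else:            # one-to-one form
                one_to_one[m.group(8)] = m.group(9)
        elif m := ACL_RE.match(line):
            permits.append(m.groups())
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
    reachable, dead = [], []
    for acl, proto, pub, port in permits:
        if acl not in applied:
            dead.append((pub, proto, port, "access-list not applied with access-group"))
        elif pub in one_to_one:
            reachable.append((pub, proto, port, one_to_one[pub], port))
        elif (proto, pub, port) in redirects:
            reachable.append((pub, proto, port, *redirects[(proto, pub, port)]))
        else:
            dead.append((pub, proto, port, "no static maps this address/port"))
    return reachable, dead
```

Calling `audit(SAMPLE_CONFIG)` returns the two SMTP permits as reachable and flags the `www` and `https` permits, which have no matching static.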
 
ssittig (Author) Commented:
Thanks, I'm going to work on that. I appreciate the clear instructions.
0
 
ssittig (Author) Commented:
When I'm looking at the config for my outside interface, it shows DHCP as the address for the interface. Really I want it to be all 5 IP addresses. Do I need to assign one to it? Or do I just leave it and put in my static routes and access lists? How will the device know that the outside interface is xxx.xxx.110.249-253 if it says the outside address is DHCP? I'm in Configuration-->Interfaces in the ASDM.
0
 
batry_boy Commented:
If you have cable modem service from your ISP, then that is typically a DHCP assignment for the public interface.  I would leave it at DHCP for the outside interface.  

>>Really I want it to be all 5 IP addresses. Do I need to assign one to it?

You don't assign multiple IP addresses to the interface itself, per se.  You just configure the firewall to proxy ARP for additional addresses that you are mapping to inside addresses.

>>Or do I just leave it and put in my static routes and access lists?

I would leave it alone and just put in your static translations (not routes) and your access list statements.

>>How will the device know that the outside interface is xxx.xxx.110.249-253 if it says the outside address is DHCP?

The outside interface will receive its IP address through DHCP.  Comcast has routed those other 5 public IP addresses to your cable modem circuit and the firewall will be configured to proxy ARP for those addresses.
0
 
ssittig (Author) Commented:
Thanks. I'm looking forward to gaining better control of my network. Definitely takes a new way of thinking to program the ASA device, even for this simple firewall configuration, than to set up a Linksys router.
0
 
batry_boy Commented:
Oh, yes...how true, how true.  However, the thing that makes it more complicated also makes it way more versatile than a consumer grade router.  I've been using the Cisco PIX/ASA for years now and they are marvelous devices.
0