• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1801
  • Last Modified:

Presenting multiple public IP addresses on a single firewall interface.

We have a firewall with a web facing interface of 150.x.x.a
We have purchased several other public ips, 150.x.x.b and 150.x.x.c
How do I make 150.x.x.b available on our firewalls external interface?
I intend to NAT 150.x.x.b to an internal IP address (web server) .

So basically I want to be able to access this internal webserver by entering a different 150.x.x.b
Do we get our ISP to route 150.x.x.b to our firewall external ip address 150.x.x.a, and simply use a static nat?

3 Solutions
WHat kind of firewall?  The firewall needs to be configured to NAT the available IP addresses in the range you purchased.  Different firewalls do that in different ways.
rgogginsAuthor Commented:

 its a Cisco ASA 5510 Series.
I have no problem with configuring the NAT. What I really want to know is about the routing?

 Do we just get our ISP to route 150.x.x.b to our current external IP 150.x.x.a and then configure the NAT to our internal server. Is that all that is required to make this web server accessable using 150.x.x.b ?

assuming 150.x.x.a, 150.x.x.b and 150.x.x.c are all on the same subnet, then you ISP already knows how to route them to you. All you need is to setup a static NAT to your internal server, configure your ACL to allow incoming traffic (if that's the intended purpose) and you are done.

If 150.x.x.b and 150.x.x.c are on a different subnet than 150.x.x.a, then yes you need to have your ISP route those to 150.x.x.a. Otherwise, the NAT and ACL configuration on the ASA is identical.

Hope this helps,
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

The magic happening here with the ASA is called proxy arp, it will ARP on the 'outside' interface - basically ask the router or bridge device what other IP addresses it can use. Most firewalls do something similiar to this now-a-days.
If you do the NAT, and then allow the appropriate ports through by access list (80, 443), then they will be able to get yo your web server by IP address.  If the IP addresses are static, you have no problems.  You might get a domain name assigned to the IP address to make it easier for users.  (dyndns.com is one of those).  
How is it going?
rgogginsAuthor Commented:
Its working fine thanks for the help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now