How do I assign a public address to a server behind a Cisco ASA?

Wildchubby91
I have a server requirement that will require me to assign a public IP address to the 2nd interface of a Microsoft server product. I am unable to do NAT for this project.

Is it possible to assign a public IP address to a server and have that physical Ethernet port plugged into the DMZ port of a Cisco ASA 5505?

Hi,

If your server has two cards (one in the internal network and one in the DMZ) then you have routing issues. Since Windows will use both cards as default gateways (load-balancing), you will get strange errors on your applications and your firewall. If this is really the case then I would handle it with NAT rather than plugging in a new network card.

Can you give more details regarding this?

Predrag
What's the logical difference between:

(A) Assign public IP to NIC, plugging into DMZ.

-and-

(B) Assign private IP to 2nd NIC.  Create NAT on router to map public IP to private IP of 2nd NIC.

I could understand maybe not wanting to do NAT to the first NIC in the server...you want everything for this service to route to the 2nd NIC.

But, NAT can handle that while keeping the server behind the firewall.

What is the reason NAT is off the table?

Author commented:

This is part of a Microsoft OCS Edge server deployment to allow external federated users access to our AV server for Video conferencing. The Microsoft OCS Edge server relies on the STUN protocol, which will reply to requests with the source IP.

A clear write-up on the subject is here: http://www.ocspedia.com/Misc/PublicIP_AVEdge.htm

Gotcha.  Client side can be behind firewall using NAT but the server side is usually on the public internet.
Hi,

You can resolve this issue in this way:
1) Remove the default gateway from the internal network card and add static persistent routes using the internal gateway to other internal networks
2) Create a VLAN interface on the 5505 for the DMZ
3) Place the outside interface to the same VLAN and add the default route of the DMZ interface on ASA

Best regards,

Predrag
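
A check for step 1 of the answer above, as an added example that is not part of the original thread: it parses Windows `route print -4` output and reports extra default gateways and internal networks that no persistent route covers. The sample output is constructed with documentation addresses, and the edge NIC address and internal subnets passed in are assumptions.

```python
import ipaddress

def parse_routes(text):
    """Split `route print -4` output into active and persistent IPv4 routes."""
    routes, section = {"active": [], "persistent": []}, None
    for line in text.splitlines():
        if line.startswith(("Active Routes", "Persistent Routes")):
            section = line.split()[0].lower()
        cols = line.split()
        if section and len(cols) >= 4 and cols[0][0].isdigit():
            try:
                net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
            except ValueError:
                continue  # not a route row
            # active rows: (network, gateway, interface); persistent: (network, gateway, metric)
            routes[section].append((net, cols[2], cols[3]))
    return routes

def audit(text, edge_ip, internal_nets):
    """Return findings for a dual-homed server; an empty list means routing is as intended."""
    routes, findings = parse_routes(text), []
    defaults = [r for r in routes["active"] if r[0].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"{len(defaults)} default routes, expected 1")
    for _, gw, iface in defaults:
        if iface != edge_ip:
            findings.append(f"default gateway {gw} is on {iface}, not the edge NIC")
    # A persistent default route must not count as covering an internal network.
    static = [r[0] for r in routes["persistent"] if r[0].prefixlen > 0]
    for net in map(ipaddress.ip_network, internal_nets):
        if not any(net.subnet_of(p) for p in static):
            findings.append(f"no persistent route covers {net}")
    return findings

# Constructed samples (header rows trimmed): 203.0.113.10 is the assumed edge NIC,
# 10.1.1.20 the assumed internal NIC, 10.1.0.0/16 an assumed internal network.
BEFORE = """Active Routes:
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
          0.0.0.0          0.0.0.0         10.1.1.1       10.1.1.20     10
Persistent Routes:
          0.0.0.0          0.0.0.0      203.0.113.1  Default
          0.0.0.0          0.0.0.0         10.1.1.1  Default
"""
AFTER = """Active Routes:
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
         10.0.0.0        255.0.0.0         10.1.1.1       10.1.1.20     11
Persistent Routes:
          0.0.0.0          0.0.0.0      203.0.113.1  Default
         10.0.0.0        255.0.0.0         10.1.1.1       1
"""
if __name__ == "__main__":
    print(audit(BEFORE, "203.0.113.10", ["10.1.0.0/16"]), audit(AFTER, "203.0.113.10", ["10.1.0.0/16"]))
```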
