Cisco ASA External IP on Server Behind ASA - Polycom VBP

Posted on 2011-10-04
Last Modified: 2012-05-12
I have a Polycom device that needs to have a public IP address because it is its own NAT device. I have my one IP address that I use for my ASA that points to his default route. So IP with a gateway of on a slash/30 network. Our ISP also gives us a -31 /27 network to use for our services behind our firewall. Normally I give the internal server an internal network address and create a NAT rule to point to it. But in this instance they say it needs to have its own public address. How can I do this on an ASA?

Question by:bml104

    Accepted Solution

    This is tricky because the ASA doesn't support secondary addresses.  My thought would be to create a DMZ and use the second public address block in the DMZ, assigning one of those addresses to the Polycom device.  No NATing traffic coming in from the outside to the DMZ, but you would NAT between outside and inside, and DMZ and inside.  As long as the ISP knows where the 142 block is, that it has a next-hop IP address of the outside interface of the ASA, it should be reachable.  

    Author Comment

    Okay, I just got off the phone with my ISP and I suggested this to them and they said it should work. So let me try and recreate this issue.

    So my IP range is /27. Some of these IP addresses are already used by the ASA as Static NATs for existing servers in my non-DMZ network. So if I add a DMZ and make the gateway, I will be able to assign devices behind that DMZ interface addresses?

    So if requests for the devices that have a Static NAT will go to their correct non-DMZ devices and requests for will go to the DMZ. Is this correct?

    Author Comment

    I actually got it working by adding the gateway IP to the DMZ interface and adding the server to the DMZ network with the proper IP. Everything seems to work, thanks!
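
The DMZ layout from the accepted solution, sketched as an ASA 8.3+ configuration. This is an added example, not a configuration posted in the thread; the interface names, all addresses (RFC 5737 documentation ranges and 10.0.0.0/24), the object names and the permitted ports are assumptions.

```cisco
! Constructed example: every address, name and port below is an assumption.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The DMZ interface holds the gateway address of the routed public /27.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.224
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Inside hosts are translated toward both the outside and the DMZ.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
nat (inside,dmz) source dynamic INSIDE-NET interface
!
! Existing static NAT that uses an address from the same /27.
! That mapped address must not also be assigned to a host in the DMZ.
object network INSIDE-SERVER
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.10
!
! The Polycom keeps its public address: no NAT rule between outside and dmz.
object network POLYCOM
 host 198.51.100.20
!
! Traffic from security level 0 to 50 is denied unless an ACL permits it,
! so list only the services the device needs (ports here are assumed).
access-list OUTSIDE-IN extended permit tcp any object POLYCOM eq h323
access-list OUTSIDE-IN extended permit tcp any object INSIDE-SERVER eq https
access-group OUTSIDE-IN in interface outside
```

Because the DMZ host is reachable on its public address without translation, the outside ACL is the only filter in front of it. Software older than 8.3 uses a different NAT command syntax.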
