Cisco ASA 5505 - 5 Static Outside IP Addresses

Hello,

I have a Cisco ASA 5505. I have 5 Static IP addresses assigned to my Verizon internet account.

10.10.10.52
10.10.10.53
10.10.10.54
10.10.10.55
10.10.10.56

Subnet mask is 255.255.255.0 and Gateway is 10.10.10.1

How would I assign these 5 external IP addresses to be reached from the internet?
VizroyAsked:

Steven CarnahanNetwork ManagerCommented:
The addresses are all accessible from the internet. The issue now is where do you want each address to go internally?

Let's say you have the following servers behind your ASA5505:

Web Server
Mail Server

In the ASA5505 you would NAT 10.10.10.52 to the IP address of the Web Server so when someone browsed to http://10.10.10.52 they would actually get to your webserver.

Then you would NAT 10.10.10.53 to the IP address of the mail server. You then would create an MX record for the 10.10.10.53 address so that mail can go to the mail server.

Until you point those addresses at something else anyone trying to get to them would only get as far as the router and then be dropped because the router doesn't know what to do with that traffic.

Pretty basic I know but hopefully helpful.
0
rauenpcCommented:
If I'm reading this right, it appears Verizon has assigned you the 10.10.10.x addresses, and that those are not necessarily inside IP addresses. These may be fine within Verizon's network, but in order to access internet destinations these IPs are NAT'd by Verizon somewhere. If you are on the internet with one of these IPs, go to http://whatismyipaddress.com/ to see what the actual public IP address is (unfortunately, you won't be able to use that address for inbound traffic). I highly doubt it will show 10.10.10.x. You will need to contact Verizon and ask them for static public IP addresses. Public being the keyword in that request. Once you have that, you would create NATs as pony10us suggested, except with the new addresses of course.
0
Steven CarnahanNetwork ManagerCommented:
@rauenpc: good point. The addresses did sort of throw me as those are in the private IP range. I just thought maybe they were being used as an example.

@Vizroy: Are those IP addresses devices within your network that you want outside individuals to be able to access? If that is the case then you need to find out what the 5 public addresses are that Verizon has assigned, as rauenpc mentioned. Then you can NAT those public addresses to the 5 private addresses.
0

VizroyAuthor Commented:
Those addresses are just used as an example for any commands. Verizon assigned me 5 real external addresses.
0
VizroyAuthor Commented:
In the above example, how would I associate 10.10.10.53 to the outside interface?

Thanks.
0
Phyo HTET AUNGNetwork Security AnalystCommented:
You can do the static NAT that @rauenpc and @pony10us mentioned above; the config is below. I assume your LAN is 192.168.0.0/24.

Then use #show xlate to verify the NAT table.

hostname(config)# static (inside,outside) tcp 10.10.10.52 ftp 192.168.0.100 ftp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 10.10.10.53 http 192.168.0.101 http netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 10.10.10.54 http 192.168.0.102 http netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 10.10.10.55 smtp 192.168.0.103 smtp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 10.10.10.56 smtp 192.168.0.104 smtp netmask 255.255.255.255


HTH
Regards,
0
VizroyAuthor Commented:
Outside Static IP addresses - 10.10.10.52 - 56

Servers
Inside Server 192.168.52.101
DMZ Server 192.168.53.101

I can remote desktop to the inside server but not the DMZ server.


--------------------------------------------------------

I already have these commands, which are the equivalent of the commands above.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.52 255.255.255.0
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 192.168.53.1 255.255.255.0

hostname(config)# static (inside,outside) tcp 10.10.10.52 3389 192.168.52.101 3389 netmask 255.255.255.255
hostname(config)# static (dmz,outside) tcp 10.10.10.53 3389 192.168.53.101 3389 netmask 255.255.255.255
0
VizroyAuthor Commented:
I added more clarity above. Hopefully this helps find a solution.

Thanks.
0
Phyo HTET AUNGNetwork Security AnalystCommented:
You can RDP to inside from outside and can't RDP to DMZ from outside.

In #show xlate, are they successfully mapped?

like
PAT Global 10.10.10.53(1024) Local 192.168.53.101(516)

If they are successfully mapped, we can rule out a NAT issue and focus on the firewall policy.
Cisco documented the same scenario as yours:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml

HTH
0
Steven CarnahanNetwork ManagerCommented:
What does your permit statement look like?

permit tcp host <source> host <destination> eq 3389

The NAT looks good to me.

As asked by phyohtetaung, what do you get from the sh xlate command? If it isn't what you expect then try clear xlate (which should be done after changes to a NAT anyway).
0
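An added example (not posted by anyone in this thread) that puts the DMZ static NAT from above next to the permit statement pony10us asked about, first in the pre-8.3 syntax used in this thread and then in the 8.3+ object NAT form; the ACL name and the management source address 203.0.113.10 are assumed placeholders:

```cisco
! ---- ASA 8.2 and earlier (matches the "static" commands in this thread) ----
! Static PAT: public 10.10.10.53:3389 -> DMZ host 192.168.53.101:3389
static (dmz,outside) tcp 10.10.10.53 3389 192.168.53.101 3389 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface match the MAPPED (public) address.
! Limit RDP to a known management source (203.0.113.10 is an assumed placeholder)
! instead of "any"; an explicit logged deny makes blocked attempts visible in syslog.
access-list outside_access_in extended permit tcp host 203.0.113.10 host 10.10.10.53 eq 3389
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Verify the translation exists, and clear stale entries after changing a NAT:
!   show xlate
!   clear xlate
!
! ---- ASA 8.3 and later (object NAT; the ACL now matches the REAL address) ----
object network dmz-rdp-server
 host 192.168.53.101
 nat (dmz,outside) static 10.10.10.53 service tcp 3389 3389
!
access-list outside_access_in extended permit tcp host 203.0.113.10 host 192.168.53.101 eq 3389
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

If show xlate shows the translation but the connection still fails, the ASA is not the blocker; as the author found, check the host firewall on the server next.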
VizroyAuthor Commented:
The solution was the Windows Firewall was blocking the remote desktop attempt.

Thanks for your assistance.
0

VizroyAuthor Commented:
The problem was with the Windows firewall and not the Cisco firewall.

When I could not reach the system through the firewall, I figured the problem was there, but it was not. As soon as I allowed RDP through the Windows Firewall I could reach it.
0