Cisco ASA 5505 - 5 Static Outside IP Addresses


I have a Cisco ASA 5505. I have 5 Static IP addresses assigned to my Verizon internet account.

Subnet mask is and Gateway is

How would I assign these 5 external IP addresses to be reached from the internet?

Steven Carnahan, Network Manager, Commented:
The addresses are all accessible from the internet. The issue now is where do you want each address to go internally?

Let's say you have the following servers behind your ASA5505:

Web Server
Mail Server

In the ASA5505 you would NAT to the IP address of the Web Server so when someone browsed to http:\\   They would actually get to your webserver.

Then you would NAT to the IP address of the mail server. You then would create an MX record for the address so that mail can go to the mail server.

Until you point those addresses at something else anyone trying to get to them would only get as far as the router and then be dropped because the router doesn't know what to do with that traffic.

Pretty basic I know but hopefully helpful.
If I'm reading this right, it appears Verizon has assigned you the 10.10.10.x address, and that those are not necessarily inside IP addresses. These may be fine within Verizon's network, but in order to access internet destinations these IPs are NAT'd by Verizon somewhere. If you are on the internet with one of these IPs, go to to see what the actual public IP address is (unfortunately, you won't be able to use that address for inbound traffic). I highly doubt it will show 10.10.10.x. You will need to contact Verizon and ask them for static public IP addresses. Public being the keyword in that request. Once you have that, you would create NATs as pony10us suggested, except with the new addresses of course.
Steven Carnahan, Network Manager, Commented:
@rauenpc: Good point. The addresses did sort of throw me, as those are in the private IP range. I just thought maybe they were being used as an example.

@Vizroy: Are those IP addresses for devices within your network that you want outside individuals to be able to access? If that is the case, then you need to find out what the 5 public addresses are that Verizon has assigned, as rauenpc mentioned. Then you can NAT those public addresses to the 5 private addresses.

Vizroy (Author) Commented:
Those addresses are just used as an example for any commands. Verizon assigned me 5 real external addresses.
Vizroy (Author) Commented:
In the above example, how would I associate to the outside interface?

Phyo HTET AUNG, Network Security Analyst, Commented:
You can do the static that @rauenpc and @pony10us mentioned above; below is the config. I assume your LAN is

Then, #show xlate to verify the NAT table.

hostname(config)# static (inside,outside) tcp ftp ftp netmask
hostname(config)# static (inside,outside) tcp http http netmask
hostname(config)# static (inside,outside) tcp http http netmask
hostname(config)# static (inside,outside) tcp smtp smtp netmask
hostname(config)# static (inside,outside) tcp smtp smtp netmask


Vizroy (Author) Commented:
Outside Static IP addresses - - 56

Inside Server
DMZ Server

I can remote desktop to the inside server but not the dmz server.


I already have these commands which is the equivalent of the commands above.

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan12
 nameif dmz
 security-level 50
 ip address  

hostname(config)# static (inside,outside) tcp 3389 3389 netmask
hostname(config)# static (dmz,outside) tcp 3389 3389 netmask
Vizroy (Author) Commented:
I added more clarity above. Hopefully this helps find a solution.

Phyo HTET AUNG, Network Security Analyst, Commented:
You can RDP to inside from outside and can't RDP to DMZ from outside.

In #show xlate, are they successfully mapped?

PAT Global Local

If they are successfully mapped, we can isolate the problem from a NAT issue and focus on the firewall policy.
Cisco documented the same scenario as yours.

Steven Carnahan, Network Manager, Commented:
What does your permit statement look like?

permit tcp host <source> host <destination> eq 3389

The NAT looks good to me

As asked by phyohtetaung, what do you get from sh xlate command?  If it isn't what you expect then try the clear xlate (should be done after changes to a NAT anyway).
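
The xlate check suggested in the comments above, as an added example that is not part of the original thread: a small Python parser that compares pasted `show xlate` output against the static PAT entries you expect and says which layer to look at next. It assumes the pre-8.3 `PAT Global <ip>(<port>) Local <ip>(<port>)` line layout; the sample output and all addresses are constructed placeholders, and the function names are hypothetical.

```python
import re

# Assumed pre-8.3 "show xlate" PAT line layout:
#   PAT Global <ip>(<port>) Local <ip>(<port>)
PAT_RE = re.compile(
    r"PAT Global (\d+(?:\.\d+){3})\((\d+)\)\s+Local (\d+(?:\.\d+){3})\((\d+)\)"
)

# Constructed sample output; all addresses are documentation/private placeholders.
SAMPLE_XLATE = """\
2 in use, 2 most used
PAT Global 203.0.113.10(3389) Local 192.168.1.10(3389)
PAT Global 203.0.113.11(3389) Local 172.16.1.10(3389)
"""

def parse_xlate(text):
    """Map (global_ip, global_port) -> (local_ip, local_port) for each PAT entry."""
    table = {}
    for line in text.splitlines():
        m = PAT_RE.search(line)
        if m:
            gip, gport, lip, lport = m.groups()
            table[(gip, int(gport))] = (lip, int(lport))
    return table

def check_mappings(xlate_text, expected):
    """Classify each expected static PAT entry as ok / missing / wrong-target."""
    table = parse_xlate(xlate_text)
    report = {}
    for glob, local in expected.items():
        if glob not in table:
            report[glob] = "missing"
        elif table[glob] != local:
            report[glob] = "wrong-target"
        else:
            report[glob] = "ok"
    return report

def next_step(report):
    """Suggest which layer to look at next, following the thread's reasoning."""
    if all(status == "ok" for status in report.values()):
        return "NAT ok: check outside ACL, then the server's host firewall"
    return "fix NAT: correct the static entries, then clear xlate"

if __name__ == "__main__":
    expected = {("203.0.113.10", 3389): ("192.168.1.10", 3389),
                ("203.0.113.11", 3389): ("172.16.1.10", 3389)}
    report = check_mappings(SAMPLE_XLATE, expected)
    print(report, next_step(report), sep="\n")
```
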
Vizroy (Author) Commented:
The solution was the Windows Firewall was blocking the remote desktop attempt.

Thanks for your assistance.

Vizroy (Author) Commented:
The problem was with the Windows firewall and not the Cisco firewall.

When I could not reach the system through the firewall, I figured the problem was there, but it was not. As soon as I activated the RDP through the Windows Firewall I could reach it.