Can I assign secondary IP addresses to Cisco firewall interface?

Mustafa OsmanMD asked:
Ken Boone, Network Consultant, commented:
No.
If you need to do that, configure the ASA with sub-interfaces and assign the appropriate VLANs to them. Then put the address on a different VLAN. Trunk both VLANs from the switch to the ASA.

Here is a document that describes this:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.html#wp1044006
Mustafa OsmanMD, Author, commented:
Thanks

All I need to do is add an external IP address from one machine in the DMZ to access the internet through that address only. Do I need a VLAN then, or not?
Ken Boone, Network Consultant, commented:
Well, normally the DMZ would be an additional physical port on the ASA. Is that how it is set up? Do you just need to provide a NAT for this device on the DMZ? I'm not clear on exactly what you are trying to accomplish.
Mustafa OsmanMD, Author, commented:
The Mac Mini is in the DMZ; we need this machine to send all the traffic to the internet through a specific IP address and a port number. We currently have one outside connection to the internet from the ASA. Can we have another IP address on the ASA without an additional physical connection to the internet, or not?

I hope I am being clear, as I could see the confusion there.

thanks
Ken Boone, Network Consultant, commented:
OK, so let me ask a few questions, as I am not 100% yet on what you want.

The Mac Mini in the DMZ... does it simply just need to reach the internet?

or

Do folks on the internet need to reach it on a certain port?
Mustafa OsmanMD, Author, commented:
Thank you. I must admit I am a little confused myself.


Well, basically the firewall has three interfaces: one to the DMZ, the other to the internal network and the third to the outside world.

Now we need to give the Mac Mini a reserved IP address and direct all the traffic from the internet to reach that machine on port 22.

I am doing that remotely... obviously there will be someone at the site who will add the Mac Mini and assign it an IP address.

Will I need another physical connection from the firewall to the outside world, or can I use sub-interfaces? Second, can I direct all the traffic from the internet meant for that machine to reach that machine on port 22?

Thanks
Ken Boone, Network Consultant, commented:
OK, so now I understand what you need.

So let's look at it this way:

     |  Internet
     |
     |
   ASA-------------DMZ
     |
     |
     |  Inside/Internal Network


So a few assumptions here:
#1)  You have a public IP address space assigned to you and a public IP address is configured on the outside interface.
        Question - How many free public IP addresses do you have, or do you just have 1 public IP address that was assigned to the ASA?

#2)  You have a private IP address network on your DMZ.
#3)  You have a private IP address network on the inside.
#4)  The Mac Mini is physically on the DMZ and has a private IP address on the DMZ.

With those assumptions, you simply need to create a static NAT rule that will map a public IP address to the private IP address of the Mac Mini. You can set this up so it NATs only when port 22 is being accessed, or for any port. If you only have 1 public IP address (see assumption #1) then you have to do it at the port level. If you have multiple public IP addresses then you can NAT the address for any port. Regardless of how you do that part - and that part was just setting up the NAT rule so that translation can occur - you will need to update the access-list associated with the outside interface to allow port 22 traffic to that address.

You can do this without any other sub interfaces or additional networks.
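The static NAT rule plus outside access-list that Ken Boone describes, written out as an added example; this is not configuration from the thread or from Cisco's guide. Interface names `outside` and `dmz`, the object name `MACMINI`, the Mac Mini's DMZ address 192.168.2.10 and the public addresses (taken from the RFC 5737 documentation ranges) are all assumptions. It shows both cases from the answer: only the outside interface address available (port-level static NAT, case A) and a spare public address available (whole-address static NAT, case B), first in ASA 8.3+ object NAT syntax and then in the pre-8.3 `static` syntax used by the linked ASA 7.2 guide.

```cisco
! Added example, not the thread's own configuration. All addresses are
! constructed placeholders; interface and object names are assumptions.

! --- ASA 8.3 and later (object NAT) ------------------------------------

object network MACMINI
 host 192.168.2.10
 description Mac Mini on the DMZ (assumed address)
 ! Case A: only one public IP, the outside interface address. Port-level
 ! static NAT (static PAT): only TCP/22 on the outside address maps to
 ! the host; nothing else on that address is touched.
 nat (dmz,outside) static interface service tcp 22 22
 ! Case B: a spare public IP from the assigned block. Whole-address static
 ! NAT: every port of 203.0.113.11 maps to the host, and the host's own
 ! outbound traffic leaves sourced from 203.0.113.11. Use A or B, not both.
 ! nat (dmz,outside) static 203.0.113.11

! The NAT rule only translates; the outside interface ACL still has to
! permit the traffic. On 8.3+ the ACL references the real (DMZ) address.
! Replace "any" with the known management source range where possible so
! only the intended hosts can reach port 22.
access-list OUTSIDE_IN extended permit tcp any object MACMINI eq 22
access-group OUTSIDE_IN in interface outside

! --- Pre-8.3 syntax (the style used in the ASA 7.2 guide linked above) --

! Case A, single public IP (ACL references the mapped interface address):
! static (dmz,outside) tcp interface 22 192.168.2.10 22 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 22
! Case B, spare public IP (ACL references the mapped public address):
! static (dmz,outside) 203.0.113.11 192.168.2.10 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 22
! access-group OUTSIDE_IN in interface outside

! --- Verification -------------------------------------------------------
! Simulate an SSH connection from the internet (198.51.100.5 is a
! constructed source) and confirm the packet is translated and permitted:
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.11 22
! show nat detail
! show xlate
```

Two caveats worth checking before applying case A: if the ASA itself accepts SSH management on the outside interface, that listener and the forwarded port 22 collide, so either use a different mapped port or a spare address; and an ACL that permits `any` to port 22 exposes the SSH daemon on the Mac Mini to the whole internet, so narrowing the source, keeping the host patched and watching its auth logs is the sensible defensive baseline.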