Can I assign secondary IP addresses to Cisco firewall interface?

Asked by: Mustafa Osman

1 Solution
 
Ken Boone (Network Consultant) commented:
No.
If you need to do that, configure the ASA with sub-interfaces and assign the appropriate VLANs to them. Then put the address on a different VLAN. Trunk both VLANs from the switch to the ASA.

Here is a document that describes this:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface.html#wp1044006
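As an added illustration of the sub-interface approach Ken describes (this is example configuration, not something posted in the thread): the ASA carries two VLANs on one physical port, each with its own named sub-interface and address, and the switch port facing the ASA trunks both. Interface names, VLAN IDs and all addresses here are constructed; substitute your own.

```cisco
! Added example, not from the thread. Interface names, VLAN IDs and
! addresses are constructed placeholders (RFC 1918 space).
!
! Physical port carries only tagged traffic, so it gets no name or address.
interface GigabitEthernet0/1
 no nameif
 no ip address
 no shutdown
!
! Sub-interface for VLAN 10: the existing DMZ network.
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Sub-interface for VLAN 20: the second address/network that would
! otherwise have been a "secondary IP" on the same interface.
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Matching switch side (Cisco IOS, constructed port number): the port
! facing GigabitEthernet0/1 on the ASA must trunk both VLANs.
! interface GigabitEthernet1/0/24
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 10,20
```

Two things a practitioner checks after this: hosts on dmz and dmz2 are on separate security-level-50 interfaces, so traffic between them is dropped unless `same-security-traffic permit inter-interface` is configured and an ACL allows it; and `show interface` on the ASA should show both sub-interfaces up with tagged frames arriving, which confirms the switch trunk is actually carrying both VLANs.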
 
Mustafa Osman (Author) commented:
Thanks

All I need to do is add an external IP address from one machine in the DMZ to access the internet through that address only. Do I need a VLAN then, or not?
 
Ken Boone (Network Consultant) commented:
Well, normally the DMZ would be an additional physical port on the ASA. Is that how it is set up? Do you just need to provide a NAT for this device on the DMZ? I'm not clear on exactly what you are trying to accomplish.
 
Mustafa Osman (Author) commented:
The Mac Mini is in the DMZ; we need this machine to send all the traffic to the internet through a specific IP address and a port number. We currently have one outside connection to the internet from the ASA. Can we have another IP address on the ASA without an additional physical connection to the internet, or?

I hope I am being clear as I could see the confusion there

thanks
 
Ken Boone (Network Consultant) commented:
OK, so let me ask a few questions as I am not 100% yet on what you want.

The MAC Mini in the DMZ... Does it simply just need to reach the internet?

or

Do folks on the internet need to reach it on a certain port?
 
Mustafa Osman (Author) commented:
Thank you. I must admit I am a little confused myself.


Well, basically the firewall has three interfaces: one to the DMZ, the other to the internal network, and the third to the outside world.

Now we need to give the MAC mini a reserved IP address, direct all the traffic from the internet to reach that machine on port 22.

I am doing that remotely....obviously there will be someone at the site who will add the MAC mini and assign it an IP address.

Will I need another physical connection from the firewall connected to the outside world, or can I use sub-interfaces? Second, can I direct all the traffic from the internet meant for that machine to reach that machine on port 22?

Thanks
 
Ken Boone (Network Consultant) commented:
OK, so now I understand what you need.

So let's look at it this way:

     |  Internet
     |
     |
   ASA-------------DMZ
     |
     |
     |  Inside/Internal Network


So a few assumptions here:
#1)  You have a public IP address space assigned to you and a public IP address is configured on the outside interface.
        Question - How many free public IP addresses do you have, or do you just have 1 public IP address that was assigned to the ASA?

#2)  You have a private IP address network on your DMZ.
#3)  You have a private IP address network on the inside.
#4)  The Mac Mini is physically on the DMZ and has a private IP address on the DMZ.

With those assumptions, you simply need to create a static NAT rule that will map a public IP address to the private IP address of the Mac Mini. You can set this up so it NATs only when port 22 is being accessed, or for any port. If you only have 1 public IP address (see assumption #1) then you have to do it at the port level. If you have multiple public IP addresses then you can NAT the address for any port. Regardless of how you do that part (and that part was just setting up the NAT rule so that translation can occur), you will need to update the access-list associated with the outside interface to allow port 22 traffic to that address.

You can do this without any other sub interfaces or additional networks.
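The two cases Ken lays out (one public address, so port-level NAT; a spare public address, so whole-address NAT) plus the outside access-list, written out as an added example that is not part of the thread. Interface names `dmz`/`outside` are assumed; the addresses (192.168.10.20 for the Mac Mini, 203.0.113.1 as the outside interface address, 203.0.113.20 as a spare public address, 198.51.100.7 as a test source) are constructed from documentation ranges. The main block uses the ASA 8.3+ object-NAT syntax; the pre-8.3 form, which is what the ASA 7.2 guide linked earlier documents, is shown in comments because the NAT command and the ACL addressing both differ there.

```cisco
! Added example, not from the thread. Interface names and all addresses
! are assumed/constructed. Syntax is ASA 8.3 and later (object NAT).

object network MACMINI_DMZ
 host 192.168.10.20

! Case A: only one public IP, the one on the outside interface.
! Port-level static PAT: only TCP/22 arriving at the interface address is
! translated to the Mac Mini; every other port still belongs to the ASA.
object network MACMINI_DMZ
 nat (dmz,outside) static interface service tcp 22 22

! Case B: a spare public address exists. One-to-one static NAT for all
! ports. Use this INSTEAD of case A, not together with it.
! object network MACMINI_DMZ
!  nat (dmz,outside) static 203.0.113.20

! The NAT rule only makes translation possible; the ACL bound to the
! outside interface still has to permit the flow. On 8.3+ the ACL is
! written against the real (private) address, here via the object.
access-list OUTSIDE_IN extended permit tcp any object MACMINI_DMZ eq 22
access-group OUTSIDE_IN in interface outside

! Equivalent on pre-8.3 code (ASA 7.2 guide linked above): the static
! command names mapped and real addresses, and the ACL uses the PUBLIC one.
! static (dmz,outside) tcp interface 22 192.168.10.20 22 netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any host 203.0.113.1 eq 22
! access-group OUTSIDE_IN in interface outside

! Verification without a live client: show the translation table and trace
! one simulated SSH packet from a constructed internet host through NAT
! and ACL lookup (case A destination is the outside interface address).
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 22
```

A point worth knowing for the author's earlier question about the Mac Mini's own outbound traffic: a static NAT is bidirectional, so with case B the Mac Mini's outbound connections also leave sourced from 203.0.113.20, whereas with case A only inbound port 22 is affected and outbound traffic keeps using whatever dynamic PAT rule the DMZ already has. Keep the ACL as narrow as shown (TCP/22 to that one object); exposing SSH on a public address means the host itself, not the firewall, is the control that matters, so key-based authentication and logging on the Mac Mini belong in the same change.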