Cisco ASA 5505 with Multiple IP address on outside interface

Hi there,

We have a Cisco ASA 5505, and the ISP has given us two IP addresses. What I would like to know is whether it is possible for the inside VLAN to use one of these, and for the other IP to be used for the DMZ VLAN (outbound access), i.e. if we were given 150.101.101.101 and 150.101.101.102 by the ISP on the outside interface. I want to be able to configure the ASA so that if I did a whatismyip on the inside VLAN I would get 150.101.101.101, and on the DMZ VLAN I would get 150.101.101.102.
I'm not worried about incoming, but more about outbound traffic. I want the DMZ to appear to be coming from a different IP address compared to the PCs in the inside VLAN.

Thanks
greentriangle asked:
max_the_king commented:
Hi,
if you want to give a public address to vlan2 (your outside interface) you need one more IP for the gateway ("route 0 0 150.101.101.102", which will be your router). This means that you have just one public IP available to use for NAT (the public interface 150.101.101.101, which you set on vlan2). Your VLAN 1 will have a private address.
So the answer is no, you cannot use one for inside machines and one for DMZ. To do that you need to ask your ISP for more public IPs (at least 4 in total, although they usually provide an entire subnet with 8 IPs).
At the moment I'm afraid you can only use 150.101.101.101 to NAT both inside and DMZ to go to the internet.

Hope this helps,
max
Jan Springer commented:
If you have more than one IP for the outside subnet, one goes on the outside interface and the other can be used as a static NAT for an inside address.

As long as both IPs are in the same subnet or the second IP is routed to the outside IP, once you create the static, you are good to go.
rauenpc commented:
If your ISP has allocated you two IPs for use, then yes, you can configure one group of addresses to dynamically NAT to one IP and another group to dynamically NAT to the other IP.
If your ISP gave you "two" IPs, one for you and one as a gateway, then you actually only have one IP available for use. As long as you have multiple usable public IPs you can NAT to whatever IP you want.
greentriangle (author) commented:
Rauenpc, do you have an example of the config I would require?

Thanks,
rauenpc commented:
Sure. Let's say you have an IP of 24.1.1.2 configured on your outside interface, and the ISP also has assigned you 98.100.100.1 as a usable IP address. You want to have email/SMTP come in on the interface IP, but you want to have OWA use the other available static IP. Interface and routing configuration is as normal. NAT configuration is also normal, but at first glance might seem odd because only the NAT references the 98.100.100.1 IP address. Since the ISP will be sending you packets with the destination of 98.100.100.1, the ASA will know what to do with it. The following is 8.4 code configuration.

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.1.1.2 255.255.255.252
!
object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network HOST-EXCHANGE
 host 172.20.0.10
!
object network HOST-EXCHANGE-OWA
 host 172.20.0.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-EXCHANGE eq smtp
access-list INBOUND extended permit tcp any object HOST-EXCHANGE-OWA eq https
!
object network HOST-EXCHANGE
 nat (inside,outside) static interface service tcp smtp smtp
!
object network HOST-EXCHANGE-OWA
 nat (inside,outside) static EXTHOST-98.100.100.1 service tcp https https
!
access-group INBOUND in interface outside

greentriangle (author) commented:
Thanks rauenpc. What about going the other way? For example, a server in the DMZ having its external IP address as the 98.100.100.1 and the inside VLAN as 24.1.1.2 (so it looks like the server from the DMZ is coming from 98.100.100.1 if sending traffic externally, while the PCs in the inside VLAN look like they are coming from 24.1.1.2).
rauenpc commented:
I suppose my example was very port specific. You would simply make an object for the entire internal subnet and nat it to the outside interface. You would then make a static nat (not a port-forwarding PAT) to the DMZ server. The example would be for a DMZ server that has https available to the outside, and will always appear as 98.100.100.1 regardless of the outgoing traffic.

object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network INTERNAL
 subnet 172.20.0.0 255.255.255.0
!
object network HOST-DMZ-SERVER
 host 192.168.255.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-DMZ-SERVER eq https
!
object network INTERNAL
 nat (inside,outside) dynamic interface
!
! the DMZ host sits behind the DMZ VLAN interface, so the real side of its
! NAT rule must be that interface (its nameif is assumed here to be "dmz")
object network HOST-DMZ-SERVER
 nat (dmz,outside) static EXTHOST-98.100.100.1
!

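Putting the thread together for the original question (the whole DMZ VLAN hiding behind the second address for outbound traffic, rather than one host with a static NAT), as an added example that is not rauenpc's or the thread's own code: it assumes ASA 8.4 object NAT, a third VLAN with nameif dmz on 192.168.255.0/24, and the 24.1.1.2 / 98.100.100.1 addresses used in the examples above.

```cisco
! Added example, not from the thread. Assumes ASA 8.4 object NAT and a
! DMZ VLAN with nameif "dmz" on 192.168.255.0/24 (both assumed here).
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.255.1 255.255.255.0
!
object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network INTERNAL
 subnet 172.20.0.0 255.255.255.0
 ! inside hosts leave as the outside interface address, 24.1.1.2
 nat (inside,outside) dynamic interface
!
object network DMZ-SUBNET
 subnet 192.168.255.0 255.255.255.0
 ! a single-host mapped object gives dynamic PAT, so every DMZ host is
 ! seen from the internet as 98.100.100.1; the real side is the dmz
 ! interface, otherwise the rule never matches DMZ traffic
 nat (dmz,outside) dynamic EXTHOST-98.100.100.1
!
```

On a 5505 with the Base license the third VLAN must be created with `no forward interface Vlan1` before `nameif` is accepted. Verify with `packet-tracer input dmz tcp 192.168.255.10 40000 203.0.113.5 443` (203.0.113.5 is a constructed destination) and `show xlate`: the NAT phase should show the source translated to 98.100.100.1, not 24.1.1.2.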