Solved

Cisco ASA 5505 with Multiple IP address on outside interface

Posted on 2014-09-04
7
3,303 Views
Last Modified: 2014-09-08
Hi there,

Have a Cisco ASA5505, and the ISP has given us two IP addresses. What I would like to know is, is it possible for the inside VLAN to use one of these, and the other IP be used for the DMZ VLAN (outbound access)? I.e. if we were given 150.101.101.101 and 150.101.101.102 by the ISP on the outside interface, I want to be able to configure the ASA so that if I did a whatismyip on the inside VLAN, I will get 150.101.101.101, and on the DMZ VLAN, I will get 150.101.101.102?
I'm not worried about incoming, but more about outbound traffic. I want the DMZ to appear as if it is coming from a different IP address compared to the PCs in the inside VLAN.

Thanks
0
Comment
Question by:greentriangle
7 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 40303119
Hi,
if you want to give a public address to vlan2 (your outside interface) you need one more IP for the gateway ("route 0 0 150.101.101.102", which will be your router). This means that you have just 1 public IP available to use for NAT (the public interface 150.101.101.101, which you set on vlan2). Your Vlan 1 will have a private address.
So the answer is NO, you cannot use one for inside machines and one for DMZ. To do that you need to ask your ISP for more public IPs (at least 4 in total, although they usually provide an entire subnet with 8 IPs).
At the moment I'm afraid you can only use 150.101.101.101 to NAT both inside and DMZ to go to the internet.

hope this helps
max
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40303751
If you have more than one IP for the outside subnet, one goes on the outside interface and the other can be used as a static NAT for an inside address.

As long as both IPs are in the same subnet or the second IP is routed to the outside IP, once you create the static, you are good to go.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 40304680
If your ISP has allocated you two IPs for use, then yes, you can configure one group of addresses to dynamically NAT to one IP and another group to dynamically NAT to the other IP.
If your ISP gave you "two" IPs, one for you and one as a gateway, then you actually only have 1 IP available for use. As long as you have multiple usable public IPs you can NAT to whatever IP you want.
0

Author Comment

by:greentriangle
ID: 40308990
Rauenpc, do you have an example of the config I would require?

Thanks,
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 40309857
Sure. Let's say you have an IP of 24.1.1.2 configured on your outside interface, and the ISP has also assigned you 98.100.100.1 as a usable IP address. You want to have email/SMTP come in on the interface IP, but you want to have OWA use the other available static IP. Interface and routing configuration is as normal. NAT configuration is also normal, but at first glance might seem odd because only the NAT references the 98.100.100.1 IP address. Since the ISP will be sending you packets with the destination of 98.100.100.1, the ASA will know what to do with them. The following is an 8.4 code configuration.

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.1.1.2 255.255.255.252
!
object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network HOST-EXCHANGE
 host 172.20.0.10
!
object network HOST-EXCHANGE-OWA
 host 172.20.0.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-EXCHANGE eq smtp
access-list INBOUND extended permit tcp any object HOST-EXCHANGE-OWA eq https
!
object network HOST-EXCHANGE
 nat (inside,outside) static interface service tcp smtp smtp
!
object network HOST-EXCHANGE-OWA
 nat (inside,outside) static EXTHOST-98.100.100.1 service tcp https https
!
access-group INBOUND in interface outside

0
 

Author Comment

by:greentriangle
ID: 40309888
Thanks rauenpc. What about going the other way? For example, a server in the DMZ having its external IP address as 98.100.100.1 and the inside VLAN as 24.1.1.2 (so it looks like the server in the DMZ is coming from 98.100.100.1 when sending traffic externally, while the PCs in the inside VLAN look like they are coming from 24.1.1.2).
0
 
LVL 20

Accepted Solution

by:rauenpc (earned 500 total points)
ID: 40309914
I suppose my example was very port specific. You would simply make an object for the entire internal subnet and nat it to the outside interface. You would then make a static nat (not a port-forwarding PAT) to the DMZ server. The example would be for a DMZ server that has https available to the outside, and will always appear as 98.100.100.1 regardless of the outgoing traffic.

object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network INTERNAL
 subnet 172.20.0.0 255.255.255.0
!
object network HOST-DMZ-SERVER
 host 192.168.255.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-DMZ-SERVER eq https
!
object network INTERNAL
 nat (inside,outside) dynamic interface
!
! "dmz" is the assumed nameif of the VLAN interface the server sits on;
! the real interface in the NAT pair must be that interface, not inside
object network HOST-DMZ-SERVER
 nat (dmz,outside) static EXTHOST-98.100.100.1
!

0
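To see how the ASA picks a translated source for outbound traffic under this design, here is a small Python model of 8.3+ object (auto) NAT selection. It is an added example, not code from this thread or from Cisco; the "dmz" interface name, the DMZ subnet PAT rule, and the sample hosts are assumptions, and it goes one step beyond the accepted solution by also sending the rest of the DMZ VLAN out as 98.100.100.1.

```python
"""ASA 8.3+ object (auto) NAT selection, modelled for the thread's design:
inside subnet -> outside interface IP, DMZ -> the second public IP.
Added example, not code from the thread; the "dmz" nameif is assumed."""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF_IP = "24.1.1.2"   # ip address on interface Vlan2 in the thread


@dataclass(frozen=True)
class ObjectNat:
    name: str        # object network name
    real: str        # real (pre-NAT) host/subnet in CIDR form
    real_if: str     # nameif the real host sits behind
    mapped_if: str   # nameif the traffic leaves through
    kind: str        # "static" or "dynamic"
    mapped: str      # mapped IP, or "interface" for the egress interface IP


def sort_key(rule: ObjectNat):
    """Section 2 precedence: static before dynamic, then fewer real
    addresses first, then lowest real address, then object name."""
    net = ipaddress.ip_network(rule.real)
    return (0 if rule.kind == "static" else 1,
            net.num_addresses, int(net.network_address), rule.name)


def translate_source(rules, src_ip, in_if, out_if):
    """Post-NAT source for a packet entering on in_if and leaving on out_if.
    Returns the original address when no object NAT rule matches."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=sort_key):
        if (rule.real_if, rule.mapped_if) != (in_if, out_if):
            continue
        if src in ipaddress.ip_network(rule.real):
            return OUTSIDE_IF_IP if rule.mapped == "interface" else rule.mapped
    return src_ip


# The accepted solution's two NAT statements, plus a constructed dynamic
# PAT rule so the rest of the DMZ VLAN also exits as 98.100.100.1.
RULES = [
    ObjectNat("INTERNAL", "172.20.0.0/24", "inside", "outside",
              "dynamic", "interface"),
    ObjectNat("HOST-DMZ-SERVER", "192.168.255.10/32", "dmz", "outside",
              "static", "98.100.100.1"),
    ObjectNat("DMZ-SUBNET", "192.168.255.0/24", "dmz", "outside",
              "dynamic", "98.100.100.1"),
]

if __name__ == "__main__":
    for src, ifc in [("172.20.0.55", "inside"), ("192.168.255.10", "dmz"),
                     ("192.168.255.20", "dmz"), ("10.9.9.9", "inside")]:
        print(f"{src:>16} via {ifc:<6} -> {translate_source(RULES, src, ifc, 'outside')}")
```

The last sample host has no matching rule and leaves untranslated, which is the case to watch for when a host is added to a VLAN without extending the object or subnet its NAT rule covers.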
