Cisco ASA 5505 with Multiple IP address on outside interface

Posted on 2014-09-04
Last Modified: 2014-09-08
Hi there,

We have a Cisco ASA 5505, and the ISP has given us two IP addresses. What I would like to know is whether it is possible for the inside VLAN to use one of these and the other IP to be used for the DMZ VLAN (outbound access). I.e. if we were given 150.101.101.101 and 150.101.101.102 by the ISP on the outside interface, I want to be able to configure the ASA so that if I did a whatismyip on the inside VLAN I would get 150.101.101.101, and on the DMZ VLAN I would get 150.101.101.102.
I'm not worried about incoming, but more about outbound traffic. I want the DMZ to appear to be coming from a different IP address compared to the PCs in the inside VLAN.

Thanks
Question by:greentriangle
7 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 40303119
Hi,
If you want to give a public address to Vlan2 (your outside interface) you need one more IP for the gateway ("route 0 0 150.101.101.102", which will be your router). This means that you have just one public IP available to use for NAT (the public interface 150.101.101.101, which you set on Vlan2). Your Vlan1 will have a private address.
So the answer is NO, you cannot use one for inside machines and one for the DMZ. To do that you need to ask your ISP for more public IPs (at least 4 in total, although they usually provide an entire subnet with 8 IPs).
At the moment I'm afraid you can only use 150.101.101.101 to NAT both inside and DMZ to go to the internet.

Hope this helps,
max
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40303751
If you have more than one IP for the outside subnet, one goes on the outside interface and the other can be used as a static NAT for an inside address.

As long as both IPs are in the same subnet or the second IP is routed to the outside IP, once you create the static, you are good to go.
 
LVL 20

Expert Comment

by:rauenpc
ID: 40304680
If your ISP has allocated you two IPs for use, then yes, you can configure one group of addresses to dynamically NAT to one IP and another group to dynamically NAT to the other IP.
If your ISP gave you "two" IPs, one for you and one as a gateway, then you actually only have one IP available for use. As long as you have multiple usable public IPs you can NAT to whatever IP you want.
Author Comment

by:greentriangle
ID: 40308990
Rauenpc, do you have an example of the config I would require?

Thanks,
 
LVL 20

Expert Comment

by:rauenpc
ID: 40309857
Sure. Let's say you have an IP of 24.1.1.2 configured on your outside interface, and the ISP also has assigned you 98.100.100.1 as a usable IP address. You want to have email/SMTP come in on the interface IP, but you want to have OWA use the other available static IP. Interface and routing configuration is as normal. NAT configuration is also normal, but at first glance might seem odd because only the NAT references the 98.100.100.1 IP address. Since the ISP will be sending you packets with the destination of 98.100.100.1, the ASA will know what to do with them. The following is 8.4 code configuration.

!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.1.1.2 255.255.255.252
!
object network EXTHOST-98.100.100.1
host 98.100.100.1
!
object network HOST-EXCHANGE
host 172.20.0.10
!
object network HOST-EXCHANGE-OWA
host 172.20.0.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-EXCHANGE eq smtp
access-list INBOUND extended permit tcp any object HOST-EXCHANGE-OWA eq https
!
object network HOST-EXCHANGE
nat (inside,outside) static interface service tcp smtp smtp
!
object network HOST-EXCHANGE-OWA
nat (inside,outside) static EXTHOST-98.100.100.1 service tcp https https
!
access-group INBOUND in interface outside

 

Author Comment

by:greentriangle
ID: 40309888
Thanks rauenpc. What about going the other way? For example, a server in the DMZ having its external IP address as 98.100.100.1 and the inside VLAN as 24.1.1.2 (so it looks like the server in the DMZ is coming from 98.100.100.1 when sending traffic externally, while the PCs in the inside VLAN look like they are coming from 24.1.1.2).
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 40309914
I suppose my example was very port specific. You would simply make an object for the entire internal subnet and nat it to the outside interface. You would then make a static nat (not a port-forwarding PAT) to the DMZ server. The example would be for a DMZ server that has https available to the outside, and will always appear as 98.100.100.1 regardless of the outgoing traffic.

object network EXTHOST-98.100.100.1
host 98.100.100.1
!
object network INTERNAL
subnet 172.20.0.0 255.255.255.0
!
object network HOST-DMZ-SERVER
host 192.168.255.10
!
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any object HOST-DMZ-SERVER eq https
!
object network INTERNAL
nat (inside,outside) dynamic interface
!
! if the server sits on a separate dmz interface, the real interface here is that name, e.g. (dmz,outside)
object network HOST-DMZ-SERVER
nat (inside,outside) static EXTHOST-98.100.100.1
!
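Applied to the original question (a whole DMZ VLAN egressing as the second public IP, outbound only), the following is an added example and not rauenpc's config or part of the thread; it keeps rauenpc's addressing, and the Vlan3/dmz interface, the 192.168.255.0/24 subnet and the object names are assumptions.

```cisco
! Added example, not part of the thread. Inside VLAN egresses as the outside
! interface IP (24.1.1.2); the DMZ VLAN egresses as the second public IP
! (98.100.100.1). Vlan3, its subnet and the object names are assumptions.
!
interface Vlan3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.255.1 255.255.255.0
!
! On a 5505 Base license a third VLAN must be barred from initiating
! traffic to one other VLAN; blocking dmz -> inside is the safe choice.
! With the Security Plus license the "no forward interface" line is
! not needed.
!
object network EXTHOST-98.100.100.1
 host 98.100.100.1
!
object network INTERNAL
 subnet 172.20.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! A single-host mapped object gives dynamic PAT, so the whole DMZ subnet
! shares 98.100.100.1 for outbound connections.
object network DMZ-SUBNET
 subnet 192.168.255.0 255.255.255.0
 nat (dmz,outside) dynamic EXTHOST-98.100.100.1
!
! No access-group is applied inbound on outside, so neither public IP
! accepts new connections from the internet; only stateful replies return.
!
! Verify from exec mode with constructed flows:
! packet-tracer input inside tcp 172.20.0.50 40000 203.0.113.10 443
! packet-tracer input dmz tcp 192.168.255.10 40000 203.0.113.10 443
! The NAT phase of the first trace should translate 172.20.0.50 to
! 24.1.1.2, and of the second 192.168.255.10 to 98.100.100.1.
```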
