How to configure the ASA-5515X for public IPs

Hello,

Could anyone give me a sample configuration for the below scenario.

The ISP gives a point-to-point IP and a public IP range. How could I configure the ASA-5515X (8.6) for the given multiple public IPs?

Like-
Point to Point IP : 100.1.1.2 – 100.1.1.3
Public IP range for Internal Server:  200.1.1.2 – 200.1.1.20  

The public IPs will be used directly on the internal servers, not for masking private IPs. Also, I don't want to configure VLANs on the ASA.

Thanks in advance.
Musabr59 Ibnr asked:

Musabr59 Ibnr (Author) commented:
Hi Muhammad Burhan,

Thanks for response.

But I need to know how to configure the ASA for multiple public IPs that will be used directly on internal servers behind the ASA, not a VPN configuration.
Pete Long (Technical Consultant) commented:
Hi, your post is confusing. Do you have two public ranges you want to use?

Pete
ArchiTech89 (IT Security Engineer) commented:
So if I understand correctly...

1. You want PPP on the 'outside' interface going to an ISP to use one of the 2 IP addresses you've mentioned--either 100.1.1.2 or 100.1.1.3, presumably with the upstream router at 100.1.1.1.

2. You want to use an address from the block of IPs you've been given of 200.1.1.2 to 200.1.1.20 on the 'inside' interface to connect to your server, probably using 200.1.1.2 as the default route for the server.

Did I get that right? If so, I'm not sure what's going on here.

With number 1, it's a little odd because it would likely need a /29, leaving 6 usable host addresses. But you only list 2 (3, if you include the assumed next hop router).

And with number 2, this is again tipping towards odd to me--to have that many hosts, you'd have to have a /27, which would normally allow for 30 hosts, not 19.

Furthermore, if you do that, you'd have to put every other device on the inside on the same public address space assigned to the segment. And that might not be doable.

You'd normally handle the server issue with NAT. You'd give the server a non-routable (RFC 1918) IP address inside the firewall, and then on the firewall itself, NAT the inside 'private' IP address to the outside 'public' one. That means that the server thinks of itself as a 172.16.0.10 address for example, but when the world wants to contact it, they would send traffic to 200.1.1.10--something like that. I know you said that's not what you want, but it is common practice.

Maybe you could clarify your needs a bit?
Musabr59 Ibnr (Author) commented:
Thanks for your time.

Sorry, for security purposes I don't want to mention the actual public IPs.

Let me explain:

The ISP gives a point-to-point IP: 100.50.50.252/30 [100.50.50.253 - 100.50.50.254] for the outside interface. I'll use 100.50.50.253 for my ASA outside interface.

The ISP also gives me a public IP block like: 100.50.50.208/29 [100.50.50.209 - 100.50.50.214]

I know it's common practice to mask private IPs behind public IPs, but I need to use public IPs directly on my internal servers. Network scenario:

ISP-link-->outside_interface<---ASA--->inside_interface-->Router->Switch

I need to know how to configure this public IP block [100.50.50.208/29] on the ASA for the internal servers.
ArchiTech89 (IT Security Engineer) commented:
Well, you can probably just use identity NAT. Something like this (post ASA version 8.3)...

First, create a network object:
    object network PUB-100.50.50.210
        host 100.50.50.210
        exit


Then just NAT it to itself:
    nat (inside,outside) source static PUB-100.50.50.210 PUB-100.50.50.210

I think that should do what you're describing.

P.S. You'd do that for each server/device you want to use a public IP with.
Musabr59 Ibnr (Author) commented:
If I use a range for the network object:

object network PUB-IP-Block
range 100.50.50.209 100.50.50.214


nat (inside,outside) source static PUB-IP-Block PUB-IP-Block

Would it work?
ArchiTech89 (IT Security Engineer) commented:
It might, but I don't know whether the syntax for the actual NAT command is different when dealing with a subnet. You'd have to check. Either that or give it a try. ;-)

Here's the 8.4/8.6 configuration guide link for NAT:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

Good luck!
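The following is an added example, not configuration posted by anyone in this thread. It puts the identity-NAT idea from the accepted answer together with the rest of the ASA 8.6 (8.3+ NAT syntax) configuration the scenario described above needs. Assumptions: the interface names GigabitEthernet0/0 and 0/1, the object, access-list and host names, and that the servers sit directly on the inside segment with the ASA's inside address 100.50.50.209 as their default gateway while the ISP routes 100.50.50.208/29 toward 100.50.50.253. It uses a subnet object rather than the range object asked about in the follow-up, because a subnet object is known to be accepted in a static manual (twice) NAT rule; whether a range object is accepted there is left to the linked configuration guide. Two caveats the thread does not spell out: on ASA 8.3 and later, traffic with no matching NAT rule is forwarded untranslated, so the real job of the identity rule is to exempt the public block from any dynamic PAT you add for RFC 1918 hosts, which works because manual NAT (section 1) is evaluated before object NAT (section 2); and because outside (security-level 0) to inside (100) traffic is denied by default, an access-list applied inbound on the outside interface is still required for the servers to be reachable.

```cisco
! Added example configuration, not from the original thread.
! Interface names, object/ACL names and the server at .210 are placeholders.
!
! Point-to-point link from the ISP (100.50.50.252/30); the ISP end is .254
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.50.50.253 255.255.255.252
!
! The inside segment carries the routed public /29 directly; the ASA takes .209
! and the servers (.210-.214) use it as their default gateway.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 100.50.50.209 255.255.255.248
!
! Default route toward the ISP's end of the /30
route outside 0.0.0.0 0.0.0.0 100.50.50.254 1
!
! The whole public block as one object, so one rule covers every server
object network PUB-IP-Block
 subnet 100.50.50.208 255.255.255.248
!
! Identity NAT: translate the block to itself. Manual NAT lives in section 1,
! so it is matched before the object-NAT PAT rule below and the servers are
! never PATed behind the outside address.
nat (inside,outside) source static PUB-IP-Block PUB-IP-Block
!
! Only needed if RFC 1918 hosts also sit behind the ASA: hide them behind the
! outside interface address (object NAT, section 2).
object network INSIDE-PRIVATE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outside-to-inside is denied by default; permit only the exposed services.
! Hypothetical: HTTPS to the server at .210 and ICMP echo to the whole block.
access-list OUTSIDE_IN extended permit tcp any host 100.50.50.210 eq https
access-list OUTSIDE_IN extended permit icmp any 100.50.50.208 255.255.255.248 echo
access-group OUTSIDE_IN in interface outside
!
! Verification: confirm the identity rule is hit and the flow is allowed
! show nat detail
! packet-tracer input outside tcp 203.0.113.5 12345 100.50.50.210 443
```

Run the packet-tracer line with a source address from outside your own space (203.0.113.5 here is a documentation address) and check that the NAT phase shows the PUB-IP-Block identity rule with no translation of the destination, and that the ACCESS-LIST phase reports ALLOW; if the identity rule is missing and a dynamic PAT exists, the reverse direction (server-initiated traffic) will instead show the server being translated to 100.50.50.253.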
Musabr59 Ibnr (Author) commented:
Hi Noel,

I'm planning to implement this on the ASA.

Thanks again for your help.