https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739929#M11591 <P>But as per your orginal message</P> <P>&nbsp;</P> <P>What I need:</P> <P>- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1. 20.</P> <P>&nbsp;</P> <P>So we have suggested for single IP, if your requirement Multiple IP explain more please , Multiple IP also possible but we would like to know use case to suggest better rather assumptions.</P> Tue, 06 Nov 2018 10:40:21 GMT balaji.bandi 2018-11-06T10:40:21Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739465#M11580 <P>This is a dumbed down version of what I'm trying to do, but if I can get this much figured out I'm golden.</P> <P>&nbsp;</P> <P>The setup:</P> <P>- ASA 5505 running 9.2.4(28)</P> <P>- ISP has assigned block of external IPs 10.0.0.1-10.0.0.14</P> <P>- ASA's outside interface can "see" traffic on all external IPs</P> <P>- ASA's outside interface configured for 10.0.0.1</P> <P>- ASA's inside configured for 192.168.1.1 (255.255.255.0 to keep it simple)</P> <P>&nbsp;</P> <P>What I need:</P> <P>- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1. 20.</P> <P>&nbsp;</P> <P>Is this possible? And if so how do I do it (details pretty pretty please with sugar on top).</P> Fri, 21 Feb 2020 16:26:10 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739465#M11580 GrootLives 2020-02-21T16:26:10Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739471#M11581 <P>Hi,</P> <P>Try this:-</P> <P>&nbsp;</P> <P><EM>object network SRV1</EM><BR /><EM>&nbsp;host 192.168.1.20</EM><BR /><EM>&nbsp;nat (inside,outside) static 10.0.0.2</EM><BR /><EM>access-list OUTSIDE-&gt;IN permit tcp any host 192.168.1.20 eq 443</EM><BR /><EM>access-list OUTSIDE-&gt;IN permit tcp any host 192.168.1.20 eq 80</EM></P> <P>&nbsp;</P> <P>You will probably have to change the ACL name and possibly also the interface names (inside,outside).</P> <P>&nbsp;</P> <P>HTH</P> Mon, 05 Nov 2018 22:01:57 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739471#M11581 Rob Ingram 2018-11-05T22:01:57Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739474#M11583 <P>Good example guide for your reference :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html</A></P> <P>&nbsp;</P> Mon, 05 Nov 2018 22:06:01 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739474#M11583 balaji.bandi 2018-11-05T22:06:01Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739617#M11585 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/282064">@GrootLives</a>&nbsp;wrote:<BR /> <P>This is a dumbed down version of what I'm trying to do, but if I can get this much figured out I'm golden.</P> <P>&nbsp;</P> <P>The setup:</P> <P>- ASA 5505 running 9.2.4(28)</P> <P>- ISP has assigned block of external IPs 10.0.0.1-10.0.0.14</P> <P>- ASA's outside interface can "see" traffic on all external IPs</P> <P>- ASA's outside interface configured for 10.0.0.1</P> <P>- ASA's inside configured for 192.168.1.1 (255.255.255.0 to keep it simple)</P> <P>&nbsp;</P> <P>What I need:</P> <P>- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1. 20.</P> <P>&nbsp;</P> <P>Is this possible? And if so how do I do it (details pretty pretty please with sugar on top).</P> <HR /></BLOCKQUOTE> <P>Looks promising. I'll give it a go tomorrow. Done for the day.</P> <P>&nbsp;</P> <BLOCKQUOTE><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp;wrote:<BR /> <P>Good example guide for your reference :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html</A></P> <P>&nbsp;</P> </BLOCKQUOTE> <P>&nbsp;Easy to read to guide. Only uses a single IP though. Have to see if it scales up to multiple IPs. Again I'll check it out tomorrow.</P> Tue, 06 Nov 2018 00:12:16 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739617#M11585 GrootLives 2018-11-06T00:12:16Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739866#M11588 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a></P> <P>thats interesting! i've always configured it like this:</P> <P>object network websvr-ext<BR />&nbsp;&nbsp;&nbsp; host 10.0.0.2<BR />object network websvr-int-80<BR />&nbsp; host 192.168.1.20<BR />&nbsp; nat (inside,outside) static websvr-ext service tcp 80 80<BR />object network websvr-int-443<BR />&nbsp; host 192.168.1.20<BR />&nbsp; nat (inside,outside) static websvr-ext service tcp 443 443<BR /><BR />access-list OUTSIDE-IN ext permit tcp any object websvr-int eq 80<BR />access-list OUTSIDE-IN ext permit tcp any object websvr-int eq 443</P> <P>&nbsp;</P> <P>will have to test your config sometime.</P> <P>regards, mk</P> Tue, 06 Nov 2018 08:45:46 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739866#M11588 mkazam001 2018-11-06T08:45:46Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739929#M11591 <P>But as per your orginal message</P> <P>&nbsp;</P> <P>What I need:</P> <P>- Any external traffic arriving on 10.0.0.2 ports 80, 443 to forward to internal host 192.168.1. 20.</P> <P>&nbsp;</P> <P>So we have suggested for single IP, if your requirement Multiple IP explain more please , Multiple IP also possible but we would like to know use case to suggest better rather assumptions.</P> Tue, 06 Nov 2018 10:40:21 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739929#M11591 balaji.bandi 2018-11-06T10:40:21Z https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739970#M11592 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/130309">@mkazam001</a>&nbsp;wrote:<BR /> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a></P> <P>thats interesting! i've always configured it like this:</P> <P>object network websvr-ext<BR />&nbsp;&nbsp;&nbsp; host 10.0.0.2<BR />object network websvr-int-80<BR />&nbsp; host 192.168.1.20<BR />&nbsp; nat (inside,outside) static websvr-ext service tcp 80 80<BR />object network websvr-int-443<BR />&nbsp; host 192.168.1.20<BR />&nbsp; nat (inside,outside) static websvr-ext service tcp 443 443<BR /><BR />access-list OUTSIDE-IN ext permit tcp any object websvr-int eq 80<BR />access-list OUTSIDE-IN ext permit tcp any object websvr-int eq 443</P> <P>&nbsp;</P> <P>will have to test your config sometime.</P> <P>regards, mk</P> <HR /></BLOCKQUOTE> <P>That seemed to do the trick. Thanks everyone.</P> Tue, 06 Nov 2018 12:15:42 GMT https://community.cisco.com/t5/network-security/multiple-external-ips-on-asa-5505/m-p/3739970#M11592 GrootLives 2018-11-06T12:15:42Z