topic HiYes it's possible, it's in Network Security

Multiple public IP Addresses on ASA 5505

Vikrant Ambhore — Tue, 12 Mar 2019 05:58:53 GMT

Is it possible to configure multiple public IP Addresses (around-8) on Cisco ASA 5505, actuly we have total 3 servers behind the firewall and more
application working on below mentioned ports actuly I want to translate traffic 80 to 8080(Private IP) as per below mentioned details

LAN IP:-
Node-1 -----192.168.1.5
Node-2 -----192.168.1.2
Node-3 -----192.168.1.3
Sample Public IP which you will configure on ASA:- XX.XX.XX.--

Node-1
192.168.1.5:80 <--------------------------------> XX.XX.XX.1:80
192.168.1.5:8080 <--------------------------------> XX.XX.XX.2:80 ---------------------Here 80 port must be forward to 8080
192.168.1.5:8983 <--------------------------------> XX.XX.XX.1:8983
192.168.1.5:7070 <--------------------------------> XX.XX.XX.3:80 --------------------- Here 80 port must be forward to 7070
192.168.1.5:9983 <--------------------------------> XX.XX.XX.3:9983
192.168.1.5:22 <--------------------------------> XX.XX.XX.1:10222 --------------------- Here 10222 port must be forward to 22

Node-2
192.168.1.2:80 <--------------------------------> XX.XX.XX.4:80
192.168.1.2:8080 <--------------------------------> XX.XX.XX.5:80
192.168.1.2:85 <--------------------------------> XX.XX.XX.5:85
192.168.1.2:3389 <--------------------------------> XX.XX.XX.5:10389 --------------------- Here 10389 port must be forward to 3389

Node-3
192.168.1.3:80 <--------------------------------> XX.XX.XX.6:80
192.168.1.3:8080 <--------------------------------> XX.XX.XX.6:8080
192.168.1.3:9983 <--------------------------------> XX.XX.XX.6:9983
192.168.1.3:8983 <--------------------------------> XX.XX.XX.6:8983
192.168.1.3:22 <--------------------------------> XX.XX.XX.6:10222 --------------------- Here 10222 port must be forward to 22
192.168.1.3:7070 <--------------------------------> XX.XX.XX.7:80 --------------------- Here 80 port must be forward to 7070

HiYes it's possible, it's

Henrik Grankvist — Fri, 22 May 2015 14:14:40 GMT

Yes it's possible, it's very easy actually. The hard part is to get 3 public IP addresses.

On the ASA, there are no

Karsten Iwen — Fri, 22 May 2015 14:19:46 GMT

On the ASA, there are no multiple addresses on an interface. But your scenario is solved with NAT.

For each node/port-combination you configure an object and define the NAT-settings (which are a port-forwarding):

object network NODE1-80
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.1 tcp 80 80
object network NODE1-8080
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.2 tcp 8080 80
object network NODE1-8983
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.1 tcp 8983 8983

And the traffic needs to be allowed on the outside interface:

object network NODE1 host 192.168.1.5
!
access-list list OUTSIDE-ACCESS-IN permit tcp any object NODE1 eq 80
access-list list OUTSIDE-ACCESS-IN permit tcp any object NODE1 eq 8080
access-list list OUTSIDE-ACCESS-IN permit tcp any object NODE1 eq 8983

That needs to be done for all ports and all nodes.

Hi All,Thanks to all Now

Vikrant Ambhore — Sat, 23 May 2015 08:11:22 GMT

Hi All,

Thanks to all Now working fine as per my requirements but im worried about security also having some issue behind the firewall, we are facing some Internet issue on Server whatever we start download on server its downloading always freeze for long time. Looks like its network related issue or maybe related to DNS, would be a great if you can review my below config and please suggest if any changes required.

ASA Version 8.2(5)
!
hostname XX.XX.XX.XX
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX.XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
description uplink from switch
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/3
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif outside
security-level 0
ip address XX.XX.XX.31 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group COLODNS
name-server 127.0.0.1
name-server 8.8.8.8
name-server 192.168.1.1
name-server 206.183.111.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
access-list inside_access extended permit ip any any
access-list inside_access extended deny ip any any inactive
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 www 192.168.1.5 7070 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.32 8983 192.168.1.5 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 9983 192.168.1.5 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 10222 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.36 www 192.168.1.2 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 85 192.168.1.2 85 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8080 192.168.1.3 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 10222 192.168.1.3 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 9983 192.168.1.3 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8983 192.168.1.3 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.38 www 192.168.1.3 7070 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http XXX.XXX.111.25 255.255.255.255 outside
http XXX.XXX.111.235 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh XXX.XXX.XXX.25 255.255.255.255 outside
ssh XXX.XXX.XXX.235 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password XXX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e848ee77bf67de57b04768ff5785f4f3
: end

Thanks you!Very clear!

kevg89721 — Thu, 28 May 2015 20:12:25 GMT

Thanks you!

Very clear!