topic Re: Adding public IPs in Network Security

Adding public IPs

Delmiro Campelo — Tue, 12 Mar 2019 01:08:43 GMT

we have a /24 range of public IP addresses assigned to us by our ISP, what would be the process of assigning multiple public addresses on the outside interface on cisco asa running os version is 9.1 ? we have an outside, inside, and dmz interface. what command/s would acommplish this? server hosting services to the world are on the dmz, so traffic would need to be natted also.

Thanks for your help.

Delmiro

Re: Adding public IPs

Jouni Forss — Sun, 03 Mar 2013 15:29:41 GMT

Hi,

All this depends on how you are planning on using this /24 public network.

Is this whole network going to be used between your ASA and the ISP gateway?
Do you want to perhaps split the /24 to smaller segment?
- Keeping part of the segment between the ASA and ISP AND dedicating part of it to the DMZ directly so servers are configured with public IP addresses and have no need for NAT on the ASA. (Especially usefull when LAN hosts need connectivity to the servers also and you want to use the same public IP address that the Internet users get with DNS querys)

To give you some examples of the configurations

NAT Pool + PAT Overload (Using separate IP)

Using a NAT Pool and separate IP address as the PAT overload address

object-group network SOURCE-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object network PAT-ADDRESS

host 1.1.1.126

object network NAT-POOL

range 1.1.1.2 1.1.1.125

object-group network NAT-POOL+PAT

network-object object NAT-POOL

network-object object PAT-ADDRESS

nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL+PAT

NAT Pool + PAT Overload (using "outside" IP)

Using a NAT Pool and "outside" interface IP address as the PAT overload address

object-group network SOURCE-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object network NAT-POOL

range 1.1.1.2 1.1.1.126

nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL interface

In the above scenarios

10.10.10.0/24 = Example LAN network
192.168.10.0/24 = Example DMZ network
1.1.1.0/24 = Example public network
SOURCE-NETWORKS = An "object-group" that groups the 2 above mentioned networks into one group for easier NAT configuration.
NAT-POOL = An "object network" that contains the range of IP addresses used for the NAT Pool configuration. Can be any range you want naturally
nat = Is the actual NAT configuration line
(any,outside) = Makes it possible to use "any" source interface for the NAT (In this case both "inside" and "dmz" can use this configuration line)
after-auto = Moves this NAT configuration to the last section (Section 3) of the NAT rules so it doesnt override some other NAT configurations you might be doing
SOURCE-NETWORKS = Uses our previously configured "object-group" to define the source address for which NAT is done.
NAT-POOL = Uses our previously configured "object network" to define the NAT Pool
PAT-ADDRESS = Defines the PAT IP address IF we dont use the configuration using the "interface" parameter
NAT-POOL+PAT = Is an "object-group" that groups the NAT Pool and PAT address to a single "object-group" for the actual NAT configuration
interface = Defines that the "outside" interface IP address is used as a PAT overload IP address when the NAT Pool runs out

In the above examples we only use half of the /24 public network for the NAT Pool + PAT address. Rest of the IP addresses could for example be used as Static NAT address for either "inside" and/or "dmz" interface hosts.

As I mentioned you naturally have the option that you configure a /25 network between your ASA and your ISP

interface GigabitEthernet0/0

description WAN

nameif outside

security-level 0

ip add 1.1.1.1 255.255.255.128

And the ISP will route the 1.1.1.128/25 towards your "outside" interface IP address

You could then for example use part of that network directly at "dmz" interface and the rest as Static NAT addresses on the "outside" of your ASA

DMZ = 1.1.1.128/26
Static NAT = 1.1.1.192/26

interface GigabitEthernet0/2

description DMZ

nameif dmz

security-level 50

ip add 1.1.1.129 255.255.255.192

Not sure if I wrote the information above clearly enough. If the information was helpfull please rate If it answered your question mark the question as answered. Naturally if you have more questions and want to clarify something, please ask more.

- Jouni

Re: Adding public IPs

Delmiro Campelo — Sun, 03 Mar 2013 21:53:42 GMT

Thank you JounioForss for this great explanation, I apprecicate your help on this.We would want to split the /24 to be used for some hosts on the dmz, most of the time we just assign private ip addresses on dmz. Let me ask, where exactly are we assigning the public L3 address on ASA if we do this public-private translation? or do we just need to specify it on network object - host statement ? so that when the ASA sees a packet with a destination of 1.1.1.3 would know that it needs to do something with it.

Let's say I need to enable this host to talk to the world on port 80.

Public Network range: 1.1.1.0/24 (public) ISP given to us

Host Public IP: 1.1.1.3

Host Private IP: 10.10.10.3 (dmz)

Once again thanks for explaing this

Delmiro

Re: Adding public IPs

Jouni Forss — Sun, 03 Mar 2013 22:05:10 GMT

Hi,

The simple Static NAT configuration for an internal host would be

object network STATIC

host 10.10.10.3

nat (dmz,outside) static 1.1.1.3 dns

Where

STATIC = Is the name of the "object network". Can be anything you like. Try to come up with a good naming policy to serve your needs
host 10.10.10.3 = This defines the IP address under the "network object". In this case since we configure Static NAT under the "object network" too it naturally defines the real IP address for the Static NAT
(dmz,outside) = Defines the interfaces between which the Static NAT is done
1.1.1.3 = Is the public IP address used for the Static NAT

The above is naturally considering you want to use private IP addresses for the internal hosts and just use the public IP addresses as NAT addresses.

The other option that I suggested was to configure the DMZ hosts with the public IP addresses straight. But that naturally requires both you and your ISP to configure the setup in a different way

Basically

ASA to ISP would be 1.1.1.0/25
ASA "dmz" would be 1.1.1.128/26
ASA "outside" Static NAT range would be 1.1.1.192/26

In other words the ASA to ISP link would use half of the /24 network (/25) for NAT Pool / PAT / purposes. DMZ would hold /26 block and another /26 block would be reserved for Static NAT use (other interfaces than DMZ).

From a routing perspective the ISP would naturally configure the 1.1.1.0/25 on the link towards ASA. The ISP would also route the 1.1.1.128/25 towards your ASA (or route 1.1.1.128/26 and 1.1.1.192/26 towards ASA)

You can go with any setup that suites you best.

Please rate the replys if you have found the information helpfull

- Jouni

Re: Adding public IPs

Delmiro Campelo — Sun, 03 Mar 2013 23:05:21 GMT

it makes perfect sense now, this is very helpful, thank you JouniForss