ASA5505 with multiple WAN IPs

joelpc1976 — Mon, 11 Mar 2019 23:34:29 GMT

We are trying to utilize a 5 ip block of addresses provided by our ISP. What we have assigned from them is like this: 10.10.10.46 - 10.10.10.50 is our ip range. 10.10.10.45 is the gateway. Subnet is 255.255.255.248. If we assign 10.10.10.46 to the outside interface how do we accept inbound traffic from the other addresses?

Sent from Cisco Technical Support iPad App

ASA5505 with multiple WAN IPs

Jennifer Halim — Wed, 25 Jul 2012 16:56:01 GMT

You can configure static NAT/PAT statement for other public ip addresses for server/host that you need to access from the Internet, and/or you can also use the outside interface ip address if you wish for static PAT or dynamic NAT for outbound traffic.

Re: ASA5505 with multiple WAN IPs

joelpc1976 — Wed, 25 Jul 2012 20:28:19 GMT

We have it configured and working. Here is the config we ended up with:

sunASA# sho run

: Saved

ASA Version 8.2(5)

hostname sunASA

enable password we6FLtDQaEWgnshV encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 71.13.207.147 Ext147

name 71.13.207.148 Ext148

name 71.13.207.149 Ext149

name 71.13.207.150 Ext150

name 192.168.1.2 Int2

name 192.168.1.3 Int3

name 192.168.1.250 Int250

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 71.13.207.146 255.255.255.248

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service Ext148Services tcp

description External Mac Server Services

port-object eq 8080

port-object eq www

access-list outside_access_in extended permit tcp any host Ext148 object-group Ext148Services

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp Ext148 www Int250 www netmask 255.255.255.255

static (inside,outside) tcp Ext148 8080 Int250 4522 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.13.207.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa authorization exec LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username oeiadmin password 9DRNhjMtDBmrsdKh encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:758060bbc1cd530d19bda49003222197

: end

Any thoughts on if we could improve anything in here?

Sent from Cisco Technical Support iPad App

Re: ASA5505 with multiple WAN IPs

Ramraj Sivagnanam Sivajanam — Thu, 26 Jul 2012 02:07:27 GMT

Please add these commands

access-list inside permit ip any any

access-group inside in interface inside

By the way, what do you mean by " If we assign 10.10.10.46 to the outside interface"... Why do you want to assign a private ip to your outside interface when you already have a public ip 71.13.207.146/29 assigned to it?

Re: ASA5505 with multiple WAN IPs

nkarthikeyan — Thu, 26 Jul 2012 04:47:51 GMT

Hi Joel,

You can use 1 public ip for outside and rest other 4 IP's you can use it for Static NAT to the servers like DNS,SMTP ...etc and keep the remaining spare ip's for the future refernce. Else you can use dynamic PAT to use all the IP's for PAT purpose like the below.

global (outside) 1 71.13.207.147-71.13.207.150 netmask 255.255.255.248

nat(inside) 1 192.168.1.0 netmask 255.255.255.0

Thats up to you all i can say.

Please do rate for the helpful posts.

Karthik

Re: ASA5505 with multiple WAN IPs

Jennifer Halim — Thu, 26 Jul 2012 17:11:18 GMT

What you have configured is already correct:

static (inside,outside) tcp Ext148 www Int250 www netmask 255.255.255.255

static (inside,outside) tcp Ext148 8080 Int250 4522 netmask 255.255.255.255

That is how you configured the static PAT statement to allow inbound connection to Int250 host on port 80 and 4522 using public ip address of Ext148.

Re: ASA5505 with multiple WAN IPs

joelpc1976 — Thu, 26 Jul 2012 18:56:28 GMT

Thanks everyone for the responses. Really appreciate the help. We have it up and running with a config very similar to the one I previously posted.

Sent from Cisco Technical Support iPad App

topic Re: ASA5505 with multiple WAN IPs in Network Security

ASA5505 with multiple WAN IPs

ASA5505 with multiple WAN IPs

Re: ASA5505 with multiple WAN IPs

Re: ASA5505 with multiple WAN IPs

Re: ASA5505 with multiple WAN IPs

Re: ASA5505 with multiple WAN IPs

Re: ASA5505 with multiple WAN IPs