topic Multiple public IP addresses in Network Security

Multiple public IP addresses

steve olisar — Mon, 11 Mar 2019 22:26:57 GMT

ASA newb here. This question has been asked before but the configurations seem to be different so they don't really answer my question. I think mine is pretty simple but I can't find a clear "this is what you do" answer. I've been reading the Cisco doc's trying to figure it out but they have so many different scenarios and examples that its a little overwhelming. Plus none of the seem to match mine 100%.

ASA 8.4

I have 6 public ip addresses and want to use 2 of them. I have two servers running an application that needs port 1234 accesable externally for updates. Can't change port numbers and obviously can't route 1234 two different places.

Say my range is 4.4.4.4 to 4.4.4.10. I want to use 4.4.4.4 and 4.4.4.5. My network currently looks like so:

4.4.4.4 <--> ASA <--> 192.168.0.0/24

I want:

4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24

Any ideas?

Multiple public IP addresses

Kimberly Adams — Thu, 09 Feb 2012 17:58:19 GMT

Steve,

What are you trying to do by having two IP addresses on the outside interface? Is this just for the servers? Depending on what you are trying to do, there are a couple of ways to do this.

Please give a little more information and we will be more helpful.

Thanks,

Kimberly

Multiple public IP addresses

steve olisar — Thu, 09 Feb 2012 18:19:18 GMT

Just for the two servers. I have two servers with the same software running on port 1234. They both need to be accessable externally.

Multiple public IP addresses

Kimberly Adams — Thu, 09 Feb 2012 18:43:02 GMT

Steve,

You can do this with a static NAT for your two servers on that specific port. It would look kind of like this:

static (inside,outside) 4.4.4.4 192.168.X.X 1234 netmask 255.255.255.255

static (inside,outside) 4.4.4.5 192.168.X.X 1234 netmask 255.255.255.255

Or if you want to set them up to use the outside interface only on that port you can do that too.

static (inside,outside) tcp interface 1234 192.168.X.X 1234 netmask 255.255.255.255

Thanks,

Kimberly

Multiple public IP addresses

tahequivoice — Thu, 09 Feb 2012 19:11:45 GMT

He is running 8.4, so the nat is different.

Create an object for each server inside IP and outside IP, then you create the nat statement to tie them together, then create the outside ACL to allow that port access from any source, the destination will be the REAL ip of the server, not the public IP.

object network server1

host 192.168.1.4

object network server2

host 192.168.1.5

object network server1-outside

host 4.4.4.5

object network server2-outside

host 4.4.4.6

object network server1

nat (inside,outside) static server1-outside

object network server2

nat (inside,outside) static server2-outside

Multiple public IP addresses

steve olisar — Thu, 09 Feb 2012 19:31:49 GMT

i get an error. invalid input detected and the marker is pointing at netmask

Multiple public IP addresses

steve olisar — Thu, 09 Feb 2012 19:40:20 GMT

if i go the object route as tahequivoice suggested i get:

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

Multiple public IP addresses

Kimberly Adams — Thu, 09 Feb 2012 20:09:40 GMT

I am sorry I totally missed the fact that he is running 8.4. You are so right on the money and this is also why he is getting the errors on the adding the older style static nat.

Thanks and good catch.

Kimberly

Multiple public IP addresses

tahequivoice — Thu, 09 Feb 2012 20:15:05 GMT

Use the ASDM it is SO much easier for a NOOB when it comes to 8.3/8.4, In the ASDM under firewll, the right hand window lists the objects. Create the object there as I described, then when all are done, click on the inside server, expand nat, choose static, and select the outside one you want to use. Clieck advanced, then slected the interfaces, and click OKAY

Apply and you should be all set. Dont forget the ACL and use the REAL IP.

Multiple public IP addresses

tahequivoice — Thu, 09 Feb 2012 20:16:20 GMT

BTW NooB not meant to offend, EVERY one who goes from 8.2 to 8.3 is a NooB.

Multiple public IP addresses

steve olisar — Thu, 09 Feb 2012 20:36:36 GMT

none taken.

Let me make sure i've got this right. I'll describe what i see in ASDM.

Line 1: Source Intf - inside, Dest Inft - Outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Orginal--, Service --Original--

Line 2: Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source --Original--(S), Destination - server 2, Service --Original--

I'm not entering your server1 info because I already have that setup and working.

ACL: Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit

Server2 = 192.168.1.5

Server2-Outside = 4.4.4.6 (my other external address)

Multiple public IP addresses

tahequivoice — Thu, 09 Feb 2012 20:40:19 GMT

It sounds right. Do a grab from the CLI and then I can tell if it is correct.

Multiple public IP addresses

steve olisar — Thu, 09 Feb 2012 20:45:13 GMT

object network server2

host 192.168.1.5

object network server2-outside

host 4.4.4.6

nat (inside,backup) static interface service tcp 1234 1234

object network server2

nat (inside,outside) static server2-outside service tcp 1234 1234

Multiple public IP addresses

steve olisar — Fri, 10 Feb 2012 19:18:20 GMT

i can confirm that this works. thanks a bunch.