https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609833#M559753 <P>Will I break anything if I create a second IP address on the physical externa<SPAN style="background-color: #f8fafd;">l interface of our ASA 5510?&nbsp; I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.&nbsp; </SPAN></P> Mon, 11 Mar 2019 20:08:02 GMT clippersbaseball 2019-03-11T20:08:02Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609833#M559753 <P>Will I break anything if I create a second IP address on the physical externa<SPAN style="background-color: #f8fafd;">l interface of our ASA 5510?&nbsp; I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally.&nbsp; </SPAN></P> Mon, 11 Mar 2019 20:08:02 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609833#M559753 clippersbaseball 2019-03-11T20:08:02Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609834#M559754 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Just to clarify the ASA won't support secondary IP addresses.</P><P>Is this what you mean?</P><P><BR />Federico.</P></BODY></HTML> Wed, 16 Mar 2011 21:05:25 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609834#M559754 Federico Coto Fajardo 2011-03-16T21:05:25Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609835#M559757 <HTML><HEAD></HEAD><BODY><P>my bad</P></BODY></HTML> Thu, 17 Mar 2011 02:40:47 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609835#M559757 lawsuites 2011-03-17T02:40:47Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609836#M559759 <HTML><HEAD></HEAD><BODY><P>Gurpreet,</P><P></P><P>You can only have a single IP address assign to an interface on an ASA.</P><P>If you have another interface, you can assign another IP address to it.</P><P></P><P>The ASA allows a configuration from a separate IP address on the outside when used for NAT.</P><P>For example:</P><P></P><P>You can use the range 2.2.2.0/24 to NAT internal traffic to the Internet and having the outside IP as part of 1.1.1.0/24</P><P>This can be done if the outside router has a route pointing to the ASA to reach 2.2.2.0/24</P><P></P><P>But, if the ASA has an IP on the outside, you cannot assign another IP to that interface (as you can do with routers and is called secondary IP addresses).</P><P><BR />Federico.</P></BODY></HTML> Thu, 17 Mar 2011 02:44:07 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609836#M559759 Federico Coto Fajardo 2011-03-17T02:44:07Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609837#M559761 <HTML><HEAD></HEAD><BODY><P>sorry</P></BODY></HTML> Thu, 17 Mar 2011 02:49:51 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609837#M559761 lawsuites 2011-03-17T02:49:51Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609838#M559763 <HTML><HEAD></HEAD><BODY><P>Please add a simple drawing that explains what you're trying to accomplish and I'm sure we can help you out.</P><P>Thanks,</P><P><BR />Federico.</P></BODY></HTML> Thu, 17 Mar 2011 04:05:10 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609838#M559763 Federico Coto Fajardo 2011-03-17T04:05:10Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609839#M559765 <HTML><HEAD></HEAD><BODY><P>Not sure how Gupreet inched in my thread...but all I want to do is we have one physical interface off of our 5510 to our ISP with one IP address assigned to it.&nbsp; I want to assign another IP address to that external interface (in the same subnet range for our ISP allocated range) so that we can run vulnerability scans to that IP address for special reasons.&nbsp; I don't want that additional external address to NAT anywhere inside other than that external interface of the ASA.&nbsp; I tried to assign another IP address and it looks like it will allow that but I'm not sure if doing that will break something else.</P></BODY></HTML> Thu, 17 Mar 2011 12:11:19 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609839#M559765 clippersbaseball 2011-03-17T12:11:19Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609840#M559766 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>The ASA won't support secondary IP addresses as mentioned before.</P><P>If the ASA has an IP address assigned to the outside interface, you cannot assign another IP to the same interface.</P><P>If you do... it will overwrite the current IP because the ASA will support a single IP on an interface only.</P><P></P><P>Can't you run the vulnerability scan to the IP that is currently assigned to the ASA?</P><P></P><P>Federico.</P></BODY></HTML> Thu, 17 Mar 2011 13:46:41 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609840#M559766 Federico Coto Fajardo 2011-03-17T13:46:41Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609841#M559767 <HTML><HEAD></HEAD><BODY><P>Thanks Federico...we're just getting a constant flase positive on our current public address and the vendor that is scannig suggested doing this just to get by.&nbsp; I've opened a TAC case and they verifed that the vulnerability was addressed in 1997.&nbsp; We're running 8.2.2 code and the vendor continues to get the "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG" error.&nbsp; Again, TAC said that this was addressed a long time ago but the vendor scan keeps getting this message.&nbsp; The vendor said to create another IP address and have it point to nothing so the scan will run without errors.&nbsp; Should I NAT an internal address to anothe external address and have it NAT'd to an invalid internal host? </P></BODY></HTML> Thu, 17 Mar 2011 15:10:20 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609841#M559767 clippersbaseball 2011-03-17T15:10:20Z https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609842#M559769 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>Let's say the ASA has an outside IP 2.2.2.1 and an internal IP 1.1.1.1</P><P></P><P>You can create a static NAT for example:</P><P>static (in,out) 2.2.2.2 1.1.1.2</P><P></P><P>The above static will allow the ASA to receive traffic destined to 2.2.2.2 and forward it to 1.1.1.2</P><P></P><P>Keep in mind that 2.2.2.2 in the above example is mapped to the internal host 1.1.1.2, so you're really scanning the</P><P>internal host.</P><P>All the ASA will do is received the traffic and send it inside (if the traffic is permitted by the ACL).</P><P></P><P>Federico.</P></BODY></HTML> Thu, 17 Mar 2011 15:24:16 GMT https://community.cisco.com/t5/network-security/2nd-public-ip-address-on-5510-that-points-nowhere-internally/m-p/1609842#M559769 Federico Coto Fajardo 2011-03-17T15:24:16Z