Hi,

As you are using ASA5515 you are probably running software version 8.6 (confirmable with command "show version")

If I understood you correctly you have a /29 network from the ISP and want to use 1 IP for the "outside" interface and the rest of them as Static NAT IP address for different LAN hosts?

Assuming that the following apply

• You have one LAN interface called "inside"
• You have WAN interface called "outside"
• Your LAN network is 10.10.10.0/24
• You want Static Public NAT for the following 4 LAN IPs  
  • 10.10.10.10
  • 10.10.10.11
  • 10.10.10.12
  • 10.10.10.13

Your configurations could look something like this

Default PAT for traffic heading to Internet

object-group network PAT-SOURCE

description PAT Source Networks

network-object 10.10.10.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

• The above configuration should make a default PAT rule for outgoing traffic. In other words any client on the LAN that doesnt have own NAT IP configured with Static NAT commands will use the "outside" interface public IP. If you would happen to configure another LAN network behind the ASA you could just add that LAN network under the configured object-group PAT-SOURCE and it would also start using "outside" interface for PAT translation.

Static NAT for servers

object network STATIC-1

host 10.10.10.10

nat (inside,outside) static x.x.x.74

object network STATIC-2

host 10.10.10.11

nat (inside,outside) static x.x.x.75

object network STATIC-3

host 10.10.10.12

nat (inside,outside) static x.x.x.76

object network STATIC-4

host 10.10.10.13

nat (inside,outside) static x.x.x.77

• The above configures Static NAT for 4 LAN hosts/clients
• Each Static NAT configuration includes  
  • object network ,under which all the configurations follow
  • host x.x.x.x , which defines the local source address for the Static NAT
  • nat (inside,outside) static x.x.x.x , which defines the source and destination interface for the Static NAT and the actual NAT IP address

Access-list rules from Internet

access-list OUTSIDE-IN permit ip any object STATIC-1

access-list OUTSIDE-IN permit tcp any object STATIC-1 eq

access-list OUTSIDE-IN permit udp any object STATIC-1 eq

or

access-list OUTSIDE-IN permit ip any host 10.10.10.10

access-list OUTSIDE-IN permit tcp any host 10.10.10.10 eq

access-list OUTSIDE-IN permit udp any host 10.10.10.10 eq

finally

access-group OUTSIDE-IN in interface outside

• Above are examples of configuring TCP/UDP, TCP or UDP rules to allow traffic with an ACL named OUTSIDE-IN
• access-group OUTSIDE-IN in interface outside, attaches the ACL to the outside interface. It handles the traffic heading "in" towards the interface.

Hope the above was of some help. Please rate helpfull posts

- Jouni

And just to clarify a bit,

You dont configure the addiotional public IP addresses to any interface. You only give the interface its IP address. Rest of the IP addresses only need the NAT commands, nothing else.

- Jouni

Hi Eugene,

Thanks a lot for your reply.

My goal here is simple.

I need to configure 5515 exactly the same way as Joebox (less known firewall), for my customer.

Somehow, Joebox has 5 continuous public IP addresses on the physical interface, and I need to configure 5515 the same way.

Those IPs are routed to inside resources through NATing.

Let me know if further information is needed.

Would there be any workaround for this?

Any suggestions would be much appreciated.

Young

Hi Young,

Thank you for clarification,

Your ISP will route traffic to your ASA. You do not need to  assign the new IP to any interface. You can create statics using the address space and it will work because of the ISP sending the route  down to you. Also you need to allow this connections using access-lists

Please rate helpfull posts