10-14-2011 01:59 AM - edited 03-11-2019 02:37 PM
Hi!
How do I tell my firewall to also start listening on another outside IP address assigned by my ISP? I have it in use on another firewall right now. So my steps would be removing the IP address assignment from the old firewall interface, assigning that IP address to the ASA5510 outside interface, and configuring NAT.
Regards
10-14-2011 02:06 AM
So does that mean you would add a second IP on the ASA outside interface? Or do you want to configure another interface with the old public IP on your firewall?
Varun
10-14-2011 02:12 AM
Yes, add a second IP and later also a third IP to the ASA outside interface!
Is there any advice from you that would be better? I have a "spare" interface on the ASA5510 and perhaps it would be better to use that and not "disturb" the standard traffic that inside users create.
Regards,
10-14-2011 02:19 AM
Hi Fredrik,
You cannot assign another IP on the same interface; you would definitely need another logical or physical interface, if you have any.
Thanks,
Varun
10-14-2011 02:36 AM
Do I need one real interface for each IP? Can I use a VLAN as a subinterface on the outside interface and succeed with my plan that way?
Regards,
Fredrik
10-14-2011 03:02 AM
Yes, you can very well do that. You can create a logical interface as well. But be careful doing it: the moment you create a sub-interface on the existing outside interface, the current physical interface config would be lost.
Varun
10-14-2011 02:04 PM
An exception to this we have seen is for static nat.
If your only need is to static nat devices having public ip addresses not defined on your outside interface network, but provided for by your ISP, the ASA is smart enough to honor that traffic and it moves right on through to the internal device.
I've seen that work perfectly many times. The first time I saw it I thought it was an error, but it wasn't. It was work done by someone who knew more about it than I did at the time.
10-16-2011 07:36 PM
Can your ISP provide you a new block of public IP addresses? This way you can have multiple IP addresses available on a single outside interface on the ASA.
10-17-2011 12:25 AM
@Michael Kim: My ISP does not let me have a transfer network, that would have been great!
@Icaruso: Do you mean that if I create a NAT rule with another outside IP specified, without assigning it to an interface or VLAN, the ASA will catch that and do as my rule wants? What would that syntax look like? Normally I would use
nat (inside,outside) static but what would my syntax look like when using an IP address instead of the interface name?
regards,
Fredrik
10-17-2011 12:39 AM
Hi Fredrik,
What Icaruso is suggesting would also involve your ISP: they should route the internet traffic for that particular IP range to your ASA outside interface. If I understand his point correctly.
Thanks,
Varun
10-17-2011 12:55 AM
OK, I think I get it. What would the NAT rule look like?
Regards,
Fredrik
10-17-2011 01:01 AM
Your syntax would be:
static (inside,outside)
Let me know if you have any questions.
Thanks,
Varun
10-17-2011 05:51 AM
Varun is right. That's exactly what I meant. You just use regular syntax and semantics.
That's why it looks like an error when you come across someone's configuration you've never worked on before, for here are these addresses being natted that have no business being seen on the outside interface.
Until you dig deeper and find out the ISP is actually routing those addresses to the ASA.
03-23-2012 03:33 AM
Hello again!
I'm still struggling with this. I have noticed something that could be a lead. If I just do a ping from outside (another network) to the secondary IP that ends in .76, I get information in the log that ICMP is not allowed, but if I try to use any service that I have created NAT for, nothing is shown in the log and it doesn't work. The NAT is working if I have the default outside interface in my NAT statement...
Regards,
Fredrik
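Added example, not part of the original thread or any poster's configuration: static NAT to a public address that is not configured on any ASA interface, shown in both the 8.3-and-later object NAT form and the 8.2-and-earlier `static` form mentioned in the thread. All addresses (203.0.113.76 public, 192.168.1.10 inside host, 198.51.100.10 test client), the object name WEB-SRV, the ACL name OUTSIDE-IN and TCP port 443 are constructed placeholders, and the example assumes the ISP delivers traffic for the extra address to the ASA outside interface.

```cisco
! --- ASA 8.3 and later: object (auto) NAT -------------------------------
! The mapped address is written as an IP instead of the keyword "interface".
object network WEB-SRV
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.76
!
! From 8.3 on, the outside ACL matches the REAL (inside) address,
! because the ASA un-translates the destination before checking the ACL.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE-IN in interface outside
!
! --- ASA 8.2 and earlier: static (real_if,mapped_if) mapped_ip real_ip ---
static (inside,outside) 203.0.113.76 192.168.1.10 netmask 255.255.255.255
!
! Before 8.3, the outside ACL matches the MAPPED (public) address.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.76 eq 443
access-group OUTSIDE-IN in interface outside
!
! --- Verification (exec mode, not configuration) -------------------------
! Confirm the translation exists and see its hit counters:
!   show nat detail        (8.3 and later)
!   show xlate
! Simulate an inbound connection and see which phase allows or drops it:
!   packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.76 443
```

Keep the permit as narrow as the published service requires, since each extra public address exposed this way is a new inbound path to an inside host. The `packet-tracer` output lists the UN-NAT, ACCESS-LIST and NAT phases in order, which separates a translation problem from an access-list problem.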