Yes, add a second ip and later also a third ip to ASA outside interface!

Is there any advice from you that would be better? I have a "spare" interface on the ASA5510 and perhaps it would be better off with that and don´t "disturb" the standard traffic that inside users creates.

Regards,

Hi Fredrik,

You acnnot assign another IP on the same interface, you would definitely need another logical or physical interface, if you have any.

Thanks,

Varun

Do i need one real interface for each ip? Can i use VLAN as subinterface to outside interface and in that order succeed with my plan?

Regards,

Fredrik

Yes, you can very well do that. you can create logical interface as well. cBut be areful doing it, the moment you create a sub-interface on the current existing outside interafce, as the momnet you create sub-interface, the current physical interafce config would be lost.

Varun

An exception to this we have seen is for static nat.

If your only need is to static nat devices having public ip addresses not defined on your outside interface network, but provided for by your ISP, the ASA is smart enough to honor that traffic and it moves right on through to the internal device.

I've seen that work perfectly many times. The first time I saw it I thought it was an error, but it wasn't. It was work done by someone who knew more about it than I did at the time.

Can your ISP provide you a new block of public ip addresses? This way you can have multiple ip address available on a single outside interface on the ASA.

@Michael Kim: My ISP does not let me have an transfer network, that would have been great!

@Icaruso: Do you mean that if i create a nat rule with another outside ip specified without assigning it to an interface or vlan the asa will catch that and do as my rule wants? How would that syntax look like? Normally i would use

nat (inside,outside) static but how would my syntax look like when using ipadress instead of interface name?

regards,

Fredrik

Hi Fredrik,

What Icaruso is suggesting would also involve your ISP, they should route the internet traffic for that particular IP range to be sent to your ASA outisde interface. If  I understand his point correctly.

Thanks,

Varun

Ok i think i get it. How would the nat rule look like?

Regards,

Fredrik

You Syntax would be:

static (inside,outside)

Let me know if you have any questions.

Thanks,

Varun

Varun is right. That's exactly what I meant.You just use regular syntax and semantics.

That's why it looks like an error when you come across someone's configuration you've never worked on before, for here are these addresses being natted that have no business being seen on the outside interface.

Until you dig deeper and find out the ISP is actually routing those addresses to the ASA.

Hello again!

I´m still struggelin with this. I have noticed something that could be a lead. If i just do a ping from outside (another network) to the secondary IP that ends on .76 i get information in log that icmp is not allowed but if i try to use any service that i have created NAT for nothin is shown in the log and it doesn´t work. The nat is working if a have the default outside interface in my NAT statement...

Regards,

Fredrik