Second IP range on Public interface for NAT'ing

mbookham
Level 1

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of the Public IPs on the current interface for various services (these need one-to-one mapping, so I can't port map, mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches, and I need to use an additional non-contiguous IP address range for additional services advertised on the Public interface that are NAT'd to servers in my DMZ.

I have seen an example of adding a static ARP on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLANs is not an option unless the ISP can be persuaded (highly unlikely) to add the secondary IPs as a sub-interface with tagging. Anyway, if this was actioned then we would have a massive outage on our current IP range during the transition.

Can anyone explain how I do this?

Regards,

Mike

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

You don't really need to do anything funky, all you need to do is configure the NAT translation on the ASA firewall using the new public range IP, and on the ISP router, just have to make sure that you route this new public ip range to the ASA Public interface IP address.


Jennifer,

Thanks for the quick reply.

You were pretty much correct, all I needed to do was create the appropriate NAT map between the Public IP & a DMZ server and also add a new RULE to allow the new public facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.

I didn't need to set up any static ARPs or create any routes (the default route is already set out via the Public interface). Also no ISP-specific set-up was required, so as

I haven't tried to set-up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy.

Same deal with NAT/PAT, all you have to do is configure the NAT/PAT statement using that public IP.
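As an added illustration of the approach agreed in this thread (not configuration posted by Mike or Jennifer), the pre-8.3 ASA statements for one inbound one-to-one mapping and one outbound PAT pool on a second, non-contiguous public range, plus the single static route the ISP router needs. All addresses are constructed from RFC 5737 documentation ranges; interface names follow the thread (Public, Private, DMZ); the ACL name and netmask are assumptions.

```cisco
! ---- ISP router (IOS) ----
! Route the new /28 to the ASA's existing Public interface IP.
! Because the ISP forwards the whole range to this next hop, the ASA
! never has to answer ARP for the new addresses (no static ARP needed).
ip route 203.0.113.16 255.255.255.240 198.51.100.2

! ---- ASA 5520, 8.2(4) syntax: static (real_ifc,mapped_ifc) ----
! Inbound one-to-one NAT: new public IP -> DMZ web server.
! Same form used for the range already on the Public interface.
static (DMZ,Public) 203.0.113.17 10.10.10.17 netmask 255.255.255.255

! Only the services that need exposing; implicit deny covers the rest.
access-list Public_in extended permit tcp any host 203.0.113.17 eq 443
access-group Public_in in interface Public

! Outbound dynamic PAT for the Private LAN sourced from an address
! in the new range (per Jennifer's follow-up on NAT/PAT).
nat (Private) 2 10.20.0.0 255.255.0.0
global (Public) 2 203.0.113.30

! Checks after applying: confirm the translation is built and ACL hits increment.
! show xlate global 203.0.113.17
! show access-list Public_in
! show route Public
```

The new range never appears on any ASA interface or route; it exists only in the static/global statements, which is why no interface change or outage on the existing range is involved.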
