Multiple IP addresses, basic license

Trond Husoe (Level 1)

I might not have chosen the correct community, but anyway:

I have four static IP addresses and I have an ASA 5505 with a basic license. How do I tell it that outside a.b.c.100 shall be directed to x.x.x.10 inside? (If that is what I want, of course.)



Marvin Rhoads (Hall of Fame)

The syntax varies according to your ASA software version.

Generally speaking you create an object and associate a nat rule with it.

Then (if you also require initiation of traffic flows from the untrusted or less trusted networks) you create an access-list and bind it to the untrusted (public) interface to allow the incoming traffic.

Something like this (using a web server on tcp 80 and an outside interface named "outside") for example on ASA 8.3 or later:

! Object holding the public (mapped) address
object network my_server_NAT
 host a.b.c.100
!
! Object holding the real (inside) address; the nat line maps it to my_server_NAT
object network my_server_REAL
 host x.x.x.10
 nat (inside,outside) static my_server_NAT
!
! On 8.3+ the ACL is evaluated after un-NAT, so it references the REAL object.
! The any4 keyword exists from 9.0 onwards; on 8.3/8.4 use any instead.
access-list outside_access_in extended permit tcp any4 object my_server_REAL eq 80
!
! Bind the ACL inbound on the outside interface
access-group outside_access_in in interface outside

Dear Marvin,

Thanks for the reply.

I am still sensing that I have to upgrade my license, as I currently use DMZ, inside and outside. And so I have a feeling that I have to have access to more ports in order to use more IP addresses.

or am I wrong?

As long as your number of inside hosts does not exceed 10 and your number of VLANs does not exceed 3, the base license will suffice.

The details on the Base vs. Security Plus license for the ASA 5505 are listed here.

Dear Marvin,

Thanks for your valuable feedback.

What I am trying to achieve is this:

I have the public IPs 1.1.1.1-1.1.1.5.

Outside is set to 1.1.1.1

I have the following zones:

inside (machines have 192.168.5.1-20)

outside (1.1.1.1)

dmz (machines have 192.168.0.1-4) (for example)

in the dmz I'd like to have a:

a development web server (let's call that 192.168.0.50) where I also need FTP and a few other services running (and need to be able to access these)

a development/production FTP backup server (let's just call that server 192.168.0.51) for some remote users to put files on, which I don't want to have on a production web server.

a git server (192.168.0.52) for putting source code in a remote repository

In some places I have read that this is what I am supposed to do:

object network dmz-webserver
 host 192.168.0.50
 nat (dmz,outside) static 1.1.1.2
!
object network dmz-ftpserver
 host 192.168.0.51
 nat (dmz,outside) static 1.1.1.3
!
object network dmz-gitserver
 host 192.168.0.52
 nat (dmz,outside) static 1.1.1.4

But when I do that, I still cannot access any of these servers remotely. So something isn't correct.

Or am I not doing this correctly?


Your NAT rules look OK.

You also need to create an access-list for the allowed services and apply it via the access-group command to the outside interface.

After you do that you can always check your logic with packet-tracer. e.g.:

packet-tracer input outside tcp 8.8.8.8 1025 1.1.1.2 80

(for your DMZ web server here). If you've missed something, packet-tracer will give you a good idea of what is missing.

Note that it appears you have upwards of 20 hosts on the inside and at least 3 in the DMZ. That would exceed the base license limitation of 10.
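As an added example that is not part of the thread and is not Cisco code, here is a small Python model of what packet-tracer checks for a new inbound connection on ASA 8.3 or later: the static NAT is undone first, then the ACL bound with access-group to the ingress interface is evaluated against the real (DMZ) address, and without an access-group the connection falls to the implicit deny. It illustrates both Marvin's object/NAT/ACL recipe earlier in the thread and the accepted answer's point that Trond's NAT-only configuration is missing the access-list. The class and function names, the ACL name outside_access_in, the FTP port 21 entry and the 8.8.8.8 test source are assumptions; the addresses are the ones Trond posted. It models only the inbound path (no security-level comparison, no return traffic, no FTP inspection).

```python
# Added example, not code from the thread or from Cisco: a toy model of the
# ASA 8.3+ inbound path that packet-tracer walks for a new connection.
# Object/ACL names, the FTP ACE and the 8.8.8.8 test source are assumptions;
# the addresses are the ones posted in the thread.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class NetObject:
    """object network <name> / host <real> / nat (<real_ifc>,<mapped_ifc>) static <mapped>"""
    name: str
    real: str
    mapped: Optional[str] = None   # None: plain object, no nat statement
    real_ifc: str = "dmz"
    mapped_ifc: str = "outside"


@dataclass(frozen=True)
class Ace:
    """access-list <acl> extended permit <proto> <src> object <dst_obj> eq <dport>"""
    proto: str
    src: str       # "any", "any4" or one host address
    dst_obj: str   # on 8.3+ this names the REAL-address object
    dport: int


@dataclass
class Asa:
    objects: dict = field(default_factory=dict)        # name -> NetObject
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name

    def object_network(self, name, real, mapped=None, ifcs=("dmz", "outside")):
        self.objects[name] = NetObject(name, real, mapped, *ifcs)

    def access_list(self, acl, proto, src, dst_obj, dport):
        self.acls.setdefault(acl, []).append(Ace(proto, src, dst_obj, dport))

    def access_group(self, acl, ifc):
        self.access_groups[ifc] = acl

    def untranslate(self, ifc, dst_ip):
        """Static NAT is undone BEFORE the ingress ACL runs on 8.3+, so the
        ACL sees the real DMZ address, never the public one."""
        for obj in self.objects.values():
            if obj.mapped == dst_ip and obj.mapped_ifc == ifc:
                return obj.real
        return dst_ip

    def trace(self, in_ifc, proto, src_ip, dst_ip, dport):
        """Same question as: packet-tracer input <in_ifc> <proto> <src_ip> 1025 <dst_ip> <dport>"""
        real_dst = self.untranslate(in_ifc, dst_ip)
        acl = self.access_groups.get(in_ifc)
        if acl is None:
            # Inbound on a low-security interface with no access-group: implicit deny.
            return "DROP", f"no access-group on {in_ifc}; implicit deny"
        for ace in self.acls.get(acl, []):
            dst = self.objects.get(ace.dst_obj)
            src_ok = ace.src in ("any", "any4") or ace.src == src_ip
            if (src_ok and dst is not None and ace.proto == proto
                    and ace.dport == dport and dst.real == real_dst):
                return "ALLOW", f"{acl}: permit {proto} {ace.src} -> {dst.name} ({dst.real}) eq {dport}"
        return "DROP", f"implicit deny at end of {acl}; real destination was {real_dst}"


def trond_config():
    """The NAT-only configuration from the thread: three DMZ hosts, no access-list."""
    asa = Asa()
    asa.object_network("dmz-webserver", "192.168.0.50", "1.1.1.2")
    asa.object_network("dmz-ftpserver", "192.168.0.51", "1.1.1.3")
    asa.object_network("dmz-gitserver", "192.168.0.52", "1.1.1.4")
    return asa


def with_outside_acl(asa):
    """Marvin's fix: an ACL bound to outside whose destinations are the REAL objects."""
    asa.access_list("outside_access_in", "tcp", "any4", "dmz-webserver", 80)
    asa.access_list("outside_access_in", "tcp", "any4", "dmz-ftpserver", 21)
    asa.access_group("outside_access_in", "outside")
    return asa


def with_mapped_ip_acl(asa):
    """Common post-8.3 mistake: an ACE written against the PUBLIC address.
    It is evaluated after un-NAT, so it can never match the real destination."""
    asa.object_network("dmz-webserver-public", "1.1.1.2")   # no nat line
    asa.access_list("outside_access_in", "tcp", "any4", "dmz-webserver-public", 80)
    asa.access_group("outside_access_in", "outside")
    return asa


if __name__ == "__main__":
    asa = trond_config()
    print(asa.trace("outside", "tcp", "8.8.8.8", "1.1.1.2", 80))  # DROP, no access-group
    with_outside_acl(asa)
    print(asa.trace("outside", "tcp", "8.8.8.8", "1.1.1.2", 80))  # ALLOW
    print(asa.trace("outside", "tcp", "8.8.8.8", "1.1.1.3", 80))  # DROP, ftp host permits only 21
    print(with_mapped_ip_acl(trond_config()).trace("outside", "tcp", "8.8.8.8", "1.1.1.2", 80))  # DROP
```

The first trace reproduces Trond's symptom: the NAT objects are correct, but with no access-group on outside every inbound connection is dropped. The last trace shows the other frequent cause of the same symptom on 8.3 and later, an ACE written against the public address; on the real ASA the packet-tracer output would show the drop at the ACCESS-LIST phase in both cases.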
