2nd public IP address on 5510 that points nowhere internally

Will I break anything if I create a second IP address on the physical external interface of our ASA 5510?  I want to point it nowhere internally but want an active interface that can be vulnerability scanned but won't lead anywhere internally. 

9 Replies

Hi,

Just to clarify the ASA won't support secondary IP addresses.

Is this what you mean?


Federico.

my bad

Gurpreet,

You can only have a single IP address assigned to an interface on an ASA.

If you have another interface, you can assign another IP address to it.

The ASA allows a configuration from a separate IP address on the outside when used for NAT.

For example:

You can use the range 2.2.2.0/24 to NAT internal traffic to the Internet while having the outside IP as part of 1.1.1.0/24.

This can be done if the outside router has a route pointing to the ASA to reach 2.2.2.0/24

But, if the ASA has an IP on the outside, you cannot assign another IP to that interface (as you can do with routers and is called secondary IP addresses).


Federico.

sorry

Please add a simple drawing that explains what you're trying to accomplish and I'm sure we can help you out.

Thanks,


Federico.

Not sure how Gurpreet inched into my thread... but all I want to do is this: we have one physical interface off of our 5510 to our ISP with one IP address assigned to it.  I want to assign another IP address to that external interface (in the same subnet range as our ISP-allocated range) so that we can run vulnerability scans against that IP address for special reasons.  I don't want that additional external address to NAT anywhere inside other than that external interface of the ASA.  I tried to assign another IP address and it looks like it will allow that, but I'm not sure if doing that will break something else.

John,

The ASA won't support secondary IP addresses as mentioned before.

If the ASA has an IP address assigned to the outside interface, you cannot assign another IP to the same interface.

If you do... it will overwrite the current IP because the ASA will support a single IP on an interface only.

Can't you run the vulnerability scan to the IP that is currently assigned to the ASA?

Federico.

Thanks Federico... we're just getting a constant false positive on our current public address and the vendor that is scanning suggested doing this just to get by.  I've opened a TAC case and they verified that the vulnerability was addressed in 1997.  We're running 8.2.2 code and the vendor continues to get the "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG" error.  Again, TAC said that this was addressed a long time ago but the vendor scan keeps getting this message.  The vendor said to create another IP address and have it point to nothing so the scan will run without errors.  Should I NAT an internal address to another external address and have it NAT'd to an invalid internal host?

John,

Let's say the ASA has an outside IP 2.2.2.1 and an internal IP 1.1.1.1

You can create a static NAT for example:

static (inside,outside) 2.2.2.2 1.1.1.2 netmask 255.255.255.255

The above static will allow the ASA to receive traffic destined to 2.2.2.2 and forward it to 1.1.1.2

Keep in mind that 2.2.2.2 in the above example is mapped to the internal host 1.1.1.2, so you're really scanning the internal host.

All the ASA will do is receive the traffic and send it inside (if the traffic is permitted by the ACL).

Federico.
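The static-NAT approach Federico describes, written out as a complete ASA 8.2-style configuration fragment. This is an added example, not configuration posted by anyone in the thread; it uses Federico's addresses (outside 2.2.2.1/24, inside 1.1.1.1/24, mapped 2.2.2.2, internal host 1.1.1.2) and assumes a constructed scanner source address of 203.0.113.10 and an interface naming of Ethernet0/0 and Ethernet0/1. It also covers Federico's earlier point about mapped addresses taken from a block that is not the outside interface's own subnet.

```cisco
! Added example for ASA 8.2 syntax (pre-8.3 NAT and ACL semantics).
! Assumed addressing: outside 2.2.2.1/24, inside 1.1.1.1/24,
! scanner source 203.0.113.10 (constructed placeholder).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
! Publish 2.2.2.2 on the outside and map it one-to-one to inside host 1.1.1.2.
! Because 2.2.2.2 lies within the outside interface's subnet, the ASA answers
! ARP for it and the ISP router needs no extra route.
static (inside,outside) 2.2.2.2 1.1.1.2 netmask 255.255.255.255
!
! Restrict inbound traffic to the scanner and to the port being assessed.
! In 8.2 an ACL applied on the outside matches the MAPPED address (2.2.2.2),
! not the real inside address; from 8.3 onward it would be the real address.
access-list OUTSIDE_IN remark scanner -> mapped address only
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 2.2.2.2 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! If the mapped address instead came from a block the outside interface is not
! part of (Federico's 2.2.2.0/24 versus 1.1.1.0/24 example), the ISP router
! would additionally need a route for that block pointing at the ASA's
! outside IP, e.g. on an IOS router:
!   ip route 2.2.2.0 255.255.255.0 1.1.1.1
```

As Federico notes, the mapped address is never "nowhere": every probe to 2.2.2.2 that the ACL permits is translated and forwarded to 1.1.1.2. If 1.1.1.2 is an unused inside address, the ASA's ARP for it gets no answer and the forwarded packets are dropped, so the scanner sees no listener; but the ASA itself does not terminate TLS on a mapped address, which is why scanning it says nothing about the SSL behaviour of the firewall's own interface IP. The `deny ip any any log` line makes any probe outside the permitted source and port visible in syslog, which is the check to run after applying the change.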
