Add Second Public IP Block

tsak
Level 1

Hello,


I currently have an ASA firewall under my office network that is being configured. Our network has a public IP address, 46.198.141.94, with 46.198.141.93 as its gateway. Our ISP is also giving us a free /29 block (77.69.37.56/29) that we need to use for some of our printers to make them public for a remote location we have. We need to add those IPs directly under the network settings of those printers.

What is the best way to achieve that? Our ISP told me that we have to create a routing rule under our ASA firewall and set the gateway for that new block to be the same as the above.

Any recommendations? Below is the run config of our ASA

Result of the command: "show run"

: Saved

: 
: Serial Number: JAD21510HCG
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(1) 
!
hostname fw01
domain-name xxx
enable password xxx
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 46.198.141.94 255.255.255.252 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 shutdown
 nameif inside_2
 security-level 100
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 nameif inside_3
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 nameif inside_4
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 nameif inside_5
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 nameif inside_6
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 nameif inside_7
 security-level 100
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name gmishellas.local
same-security-traffic permit inter-interface
object network any-network
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network SRV01-192.168.1.199
 host 192.168.1.199
object service RDP
 service tcp destination eq 3389 
object service RDP-Service
 service tcp source eq 3389 
object network test
 host 0.0.0.0
object network FTP-192.168.1.199
 host 192.168.1.199
object network FW01-192.168.1.254
 host 192.168.1.254
object network TELNET-192.168.1.254
 host 192.168.1.254
object network TCP_5001-3CX
 host 192.168.1.253
object network UDP_5060-3CX
 host 192.168.1.253
object network TCP_5090-3CX
 host 192.168.1.253
object network 3CX-192.168.1.253
 host 192.168.1.253
object network Paradox_Gulf-192.168.1.252
 host 192.168.1.252
object network TCP_20001-Paradox_Gulf
 host 192.168.1.252
object network TCP_10001-Paradox_UMMSC
 host 192.168.1.251
object network Paradox_UMMSC-192.168.1.251
 host 192.168.1.251
object network TCP_10000-Paradox_UMMSC
 host 192.168.1.251
object network TCP_20000-Paradox_Gulf
 host 192.168.1.252
object network DVR_Gulf-192.168.1.250
 host 192.168.1.250
object network TCP_15000-DVR_Gulf
 host 192.168.1.250
object network 77.69.37.56
 subnet 77.69.37.56 255.255.255.248
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq 3389 
 service-object tcp destination eq ftp 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 5001
 port-object eq 5090
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 20000
 port-object eq 20001
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 10000
 port-object eq 10001
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object SRV01-192.168.1.199 log disable 
access-list outside_access_in extended permit tcp any object DVR_Gulf-192.168.1.250 eq 15000 
access-list outside_access_in extended permit tcp any object Paradox_UMMSC-192.168.1.251 object-group DM_INLINE_TCP_3 
access-list outside_access_in extended permit tcp any object Paradox_Gulf-192.168.1.252 object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit tcp any object 3CX-192.168.1.253 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network any-network
 nat (inside_1,outside) dynamic interface
object network SRV01-192.168.1.199
 nat (inside_1,outside) static interface service tcp 3389 3389 
object network FTP-192.168.1.199
 nat (inside_1,outside) static interface service tcp ftp ftp 
object network TCP_5001-3CX
 nat (inside_1,outside) static interface service tcp 5001 5001 
object network TCP_5090-3CX
 nat (inside_1,outside) static interface service tcp 5090 5090 
object network TCP_20001-Paradox_Gulf
 nat (inside_1,outside) static interface service tcp 20001 20001 
object network TCP_10001-Paradox_UMMSC
 nat (inside_1,outside) static interface service tcp 10001 10001 
object network TCP_10000-Paradox_UMMSC
 nat (inside_1,outside) static interface service tcp 10000 10000 
object network TCP_20000-Paradox_Gulf
 nat (inside_1,outside) static interface service tcp 20000 20000 
object network TCP_15000-DVR_Gulf
 nat (inside_1,outside) static interface service tcp 15000 15000 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 46.198.141.93 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:8235827385241f9b8233254e66c351ea
: end

balaji.bandi
Hall of Fame

You need to ask the ISP 2 questions:

1. Is this routed to the existing network?

2. Is the ISP asking you to set up this network and use it as a separate route?

If the ISP has already routed this IP range 77.69.37.56/29 to your network, you need to make objects of these IPs and do static NAT to the printers.

BB


Hi,
Assuming the ISP is routing the /29 network to your ASA's outside interface, you can either route the /29 network to the inside of your network by defining a static route on the ASA, or you could define a static NAT for each printer and permit the appropriate ports.

E.g.:
object network HOST-1
 host 192.168.1.100
 nat (INSIDE,OUTSIDE) static 77.69.37.57
access-list outside_access_in extended permit tcp any object HOST-1 eq 139

However, I'd recommend setting up a VPN; allowing internet access to your printers isn't a good idea!

HTH
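To turn the static-NAT approach from the replies into a checked set of ASA lines, here is an added Python helper (not from the thread, and not Cisco tooling) that computes the usable addresses in the /29 from the question, refuses the network and broadcast addresses and duplicate assignments, and emits the object, NAT and access-list lines per printer with only the ports you list. The printer names, inside addresses and ports are constructed sample values; the interface names default to the `inside_1`/`outside` nameifs from the posted config.

```python
import ipaddress

# Public block from the question; the printer entries are constructed sample
# values, not anything from the original thread.
PUBLIC_BLOCK = ipaddress.ip_network("77.69.37.56/29")
PRINTERS = [
    # (object name, inside IP, public IP, [(protocol, port), ...])
    ("PRINTER-1", "192.168.1.100", "77.69.37.57", [("tcp", 9100), ("tcp", 631)]),
    ("PRINTER-2", "192.168.1.101", "77.69.37.58", [("tcp", 9100)]),
]


def usable_hosts(block):
    """Addresses that may be assigned from the block: a /29 yields six, .57 through .62."""
    return [str(h) for h in block.hosts()]


def check_public_ip(public_ip, block=PUBLIC_BLOCK):
    """Reject addresses outside the block and the network/broadcast addresses."""
    addr = ipaddress.ip_address(public_ip)
    if addr not in block:
        raise ValueError(f"{public_ip} is not inside {block}")
    if addr in (block.network_address, block.broadcast_address):
        raise ValueError(f"{public_ip} is the network or broadcast address of {block}")
    return addr


def printer_config(name, inside_ip, public_ip, ports, inside_if="inside_1", outside_if="outside"):
    """ASA lines for one printer: network object, one-to-one static NAT, per-port ACL entries.
    The ACL references the object (the real inside address), matching the posted config,
    because ASA 8.3+ access lists are evaluated against untranslated addresses."""
    check_public_ip(public_ip)
    lines = [f"object network {name}", f" host {inside_ip}",
             f" nat ({inside_if},{outside_if}) static {public_ip}"]
    for proto, port in ports:
        lines.append(f"access-list outside_access_in extended permit {proto} any object {name} eq {port}")
    return lines


def build_config(printers=PRINTERS):
    """Config for all printers, refusing a public address that is assigned twice."""
    seen, out = set(), []
    for name, inside_ip, public_ip, ports in printers:
        if public_ip in seen:
            raise ValueError(f"{public_ip} is assigned to more than one printer")
        seen.add(public_ip)
        out.extend(printer_config(name, inside_ip, public_ip, ports))
    return out
```

Narrowing the `any` source in the generated access-list entries to the remote location's address would reduce the exposure further than the per-port permits alone.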