
Adding Multiple Public IPs on a Single Interface on Cisco ASA Firewall

AhmadZ
Level 1

Hi,

I have VLANs on my network that are NATted to the outside to go on the internet. Now I want to publish a server on the internet.

I have a public IP for the internet on a Cisco ASA firewall interface. I want to add another public IP on the same interface, so that I can port forward to the server I want to publish through this new public IP.

Is this possible? What are your suggestions, please?

Thanks in advance!

@ASA @Firewall @cisco @public 

23 Replies

Thank you so much. I will try it later on, and then reply here and accept the solution if it worked. Thanks again!

This won't affect the IP 1.1.1.1 on interface 1? Because we are using the same interface, which is fwoutinternet.

It won't affect it, as RJ already mentioned to you. Make the change and test it. To test once you apply your configuration:

packet-tracer input fwoutinternet tcp 8.8.8.8 12345 1.1.1.2 443

Please do not forget to rate.

ASA# packet-tracer input FwoutTerra tcp 8.8.8.8 1234 1.1.1.2 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OWApublish
 nat (FwInside,FwoutTerra) static 1.1.1.2
Additional Information:
NAT divert to egress interface FwInside
Untranslate 1.1.1.2/443 to 172.16.12.7/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface FwoutTerra
access-list OUTSIDE_IN extended permit tcp any host 172.16.12.7 eq https
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map class
 match any
policy-map map
 class class
  sfr fail-open
service-policy map global
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network OWApublish
 nat (FwInside,FwoutTerra) static 1.1.1.2
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46591092, packet dispatched to next module

Result:
output-interface: FwInside
output-status: up
output-line-status: up
Action: allow

This is the output; it seems everything is fine.
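Added example, not part of the original thread: a small Python parser for the text that `packet-tracer` prints, which lists each phase's result, the UN-NAT mapping and the final action, so a pasted trace can be checked without reading every phase by eye. The sample input is abridged from the output posted above; the function names are this example's own.

```python
import re

# Abridged from the packet-tracer output posted in this thread (phases 3-9 omitted).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OWApublish
 nat (FwInside,FwoutTerra) static 1.1.1.2
Additional Information:
NAT divert to egress interface FwInside
Untranslate 1.1.1.2/443 to 172.16.12.7/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface FwoutTerra
access-list OUTSIDE_IN extended permit tcp any host 172.16.12.7 eq https
Additional Information:

Result:
Action: allow
"""

def parse_packet_tracer(text):
    """Return (phases, untranslate, action) parsed from packet-tracer text."""
    phases = []
    # Each phase starts with "Phase: N"; split on that marker and skip the preamble.
    for block in re.split(r"^Phase: ", text, flags=re.M)[1:]:
        num = int(block.split("\n", 1)[0])
        ptype = re.search(r"^Type: (.*)$", block, re.M).group(1).strip()
        result = re.search(r"^Result: (\S+)", block, re.M).group(1)
        phases.append((num, ptype, result))
    # The UN-NAT phase reports the mapped (public) and real (inside) address/port.
    m = re.search(r"Untranslate (\S+) to (\S+)", text)
    untranslate = (m.group(1), m.group(2)) if m else None
    a = re.search(r"^Action: (\S+)", text, re.M)
    return phases, untranslate, a.group(1) if a else None

def first_blocking_phase(phases):
    """Return the first phase whose result is not ALLOW, or None."""
    return next((p for p in phases if p[2] != "ALLOW"), None)
```

A trace with every phase at ALLOW only describes how the firewall itself would handle the simulated packet.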

Yes, it looks good. You should be good now. Your NAT rules are working accordingly.

Please do not forget to rate.

But I still can't access https://1.1.1.2 from outside (on the internet).

Can you ping this server, 172.16.12.7, from the firewall? Your NAT rules are good and they are allowing the traffic. Does your server 172.16.12.7 allow HTTPS traffic?

@AhmadZ the NAT rule you defined is called static one-to-one NAT. This means it is a bi-directional rule, meaning traffic from inside can go to outside and traffic from outside can come inside.

How are you accessing 172.16.12.7? Is it connected directly to the ASA, or is there a Layer 3 device in between?

Please do not forget to rate.

Yes, there is ping from the firewall to 172.16.12.7. I think yes, but where can I check?

Not sure about this, but I think the ASA is connected to a switch, and then this switch to a server which has the VM with the server I want to publish.
