02-21-2020 01:54 PM
Hi,
I have VLANs on my network that are NATed to the outside to go on the internet; now I want to publish a server on the internet.
I have a public IP for the internet on a Cisco ASA firewall interface. I want to add another public IP on the same interface, so that I can port forward to the server I want to publish through this new public IP.
Is this possible? What are your suggestions please?
Thanks in advance!
Accepted Solutions
02-25-2020 02:26 PM - edited 02-25-2020 02:29 PM
Yes, this is the correct config.
You can test this:
packet-tracer input Fwoutinternet tcp 4.4.4.4 1223 1.1.1.2 eq 443
02-26-2020 09:55 AM
It won't affect it, as RJ already mentioned to you. Make the change and test it. In order to test, once you apply your configuration:
packet-tracer input fwoutinternet tcp 8.8.8.8 12345 1.1.1.2 eq https
02-26-2020 10:08 AM - edited 02-26-2020 10:09 AM
Yes, it looks good. You should be good now. Your NAT rules are working accordingly.
02-26-2020 10:33 AM - edited 02-26-2020 10:36 AM
Can you ping this server, 172.16.12.7, from the firewall? Your NAT rules are good and they are allowing the traffic. Does your server 172.16.12.7 allow HTTPS traffic?
@AhmadZ the NAT rule you defined is called static one-to-one NAT. This means it is a bi-directional rule, meaning traffic from inside to outside can go to the outside, and traffic from outside to inside can come in.
How are you accessing 172.16.12.7? Is this connected directly to the ASA, or is there a layer 3 device in between?
02-21-2020 01:59 PM
Hi,
You cannot assign a 2nd IP address to an interface, but you can use NAT.
object network SRV1
host 192.168.1.20
nat (inside,outside) static 1.1.1.2
access-list OUTSIDE_IN permit tcp any host 192.168.1.20 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
As long as your ISP is routing the new IP address (e.g. 1.1.1.2) to the ASA, this should work fine.
HTH
02-21-2020 02:07 PM
So for example, if I am using 1.1.1.1 for internet, I can use 1.1.1.2 for the port forwarding into my server? And these are on the same interface?
02-21-2020 02:18 PM
Yes, this NAT would be configured on the outside interface, as per the example I provided above.
Just amend the IP addresses, port and ACL to fit your requirements.
HTH
02-21-2020 02:24 PM
Oh ok, thank you so much, I will try it and then will reply if it worked, thanks!
02-25-2020 02:02 PM
I have an interface on the ASA that I want to assign the public IP I want to publish the server through. Is this methodology correct? I will apply the public IP to this interface, and then I will use the same configuration you told me to use. Will this work? For example, this is the configuration:
interface GigabitEthernet1/1
 security-level 100
 ip address 1.1.1.1 255.255.255.0
exit
object network serverpublish
 host 192.168.2.1
 nat (inside,outside) static 1.1.1.1
access-list OUTSIDE_IN permit tcp any host 192.168.2.1 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
Is this good?
02-25-2020 02:11 PM
If you already have another outside interface defined, then you just need to define the object and the nat entry, as long as the upstream ISP router knows to route to the ASA.
If you are still unclear, provide your full configuration and the nat ip address you wish to use.
02-25-2020 02:18 PM
I have an interface which has the public IP used to give internet, and all VLANs go out of this interface so all have internet. Now I want to use another interface to which I give another public IP, so that users outside on the internet can access the server inside that I want to publish, i.e. I want to port forward outside users to that server.
02-25-2020 02:22 PM - edited 02-25-2020 02:51 PM
So if you already have 1 "outside" interface, then you just need to define a nat.
object network serverpublish
 host 192.168.2.1
 nat (inside,outside) static 1.1.1.x
access-list OUTSIDE_IN permit tcp any host 192.168.2.1 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
You may need to amend the nat rule above if your inside interface is not called "inside" and your outside interface is not called "outside".
02-25-2020 02:23 PM - edited 02-25-2020 02:23 PM
This will be the full configuration:
interface GigabitEthernet1/2
 nameif Fwoutinternet
 security-level 0
 ip address 1.1.1.1 255.255.255.248
interface GigabitEthernet1/3
 nameif Fwtoserver
 security-level 100
 ip address 1.1.1.2 255.255.255.248
exit
object network serverpublish
 host 192.168.2.1
 nat (inside,outside) static 1.1.1.2
access-list OUTSIDE_IN permit tcp any host 192.168.2.1 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
02-25-2020 02:27 PM
So this will allow me to port forward users outside on the internet to use the server inside my network, right?
02-25-2020 02:28 PM
You don't need to define an IP address on the physical interface Gi1/3. You just need the NAT.
You will need to change the nat rule, as "outside" appears to be "Fwoutinternet".
02-25-2020 02:51 PM
object network serverpublish
 host 192.168.2.1
 nat (inside,Fwoutinternet) static 1.1.1.2
access-list OUTSIDE_IN permit tcp any host 192.168.2.1 eq 443
access-group OUTSIDE_IN in interface OUTSIDE
So only this will port forward users outside on the internet to my server?
02-25-2020 02:54 PM - edited 02-25-2020 02:55 PM
Correct. If a user connects to https://1.1.1.2 from the internet then this will port forward to https://192.168.2.1
You need to amend your access-group:-
access-group OUTSIDE_IN in interface Fwoutinternet
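A tightened version of the final configuration, added here as an illustration and not a post from the thread: instead of the one-to-one static NAT the thread ends with (which maps every port of 1.1.1.2 to the server and relies on the ACL alone), it uses port-restricted static NAT so the ASA only ever translates TCP/443 toward the server. It assumes the interface names, object name and addresses the poster used (Fwoutinternet, serverpublish, 192.168.2.1, 1.1.1.2) and ASA 8.3+ NAT syntax, where the inbound ACL references the real (inside) address.

```cisco
! Outside interface as already defined in the thread; no second interface or
! second interface IP is needed for the published address 1.1.1.2.
interface GigabitEthernet1/2
 nameif Fwoutinternet
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
! Replace (do not add to) the one-to-one rule "nat (inside,Fwoutinternet) static 1.1.1.2".
! "service tcp https https" limits the translation to real port 443 -> mapped port 443,
! so inbound connections to 1.1.1.2 on any other port have no translation and are dropped
! before the ACL is even consulted.
object network serverpublish
 host 192.168.2.1
 nat (inside,Fwoutinternet) static 1.1.1.2 service tcp https https
!
! ASA 8.3+: the ACL matches on the real inside address, not the public one.
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.1 eq https
access-group OUTSIDE_IN in interface Fwoutinternet
!
! Verification from the ASA CLI (4.4.4.4 is a constructed source, as in the thread).
! The first trace should end in ALLOW with the NAT phase showing 1.1.1.2 -> 192.168.2.1;
! the second should end in DROP, confirming nothing but HTTPS is reachable on 1.1.1.2.
! packet-tracer input Fwoutinternet tcp 4.4.4.4 1223 1.1.1.2 eq 443
! packet-tracer input Fwoutinternet tcp 4.4.4.4 1223 1.1.1.2 eq 22
```

If the ISP does not already route 1.1.1.2 to the ASA, `show xlate` and `packet-tracer` will both look fine while outside clients still cannot connect; confirm the upstream routing separately.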
