Adding New Public IP Block

DarrenMcCall
Level 1

My web server is out of public IPs.  I requested more from my ISP and I got a different range with a different gateway.  How do I handle the configuration on my Cisco ASA?


Without any configuration changes to the firewall I saw the traffic hitting it and being blocked.  I added an access rule to allow the traffic.  I added a virtual interface on the ASA.  I added a virtual interface on the web server.  Using "Packet Tracer" the traffic flows from the outside interface to the new virtual interface.  But I'm unable to access my web server and I don't see any traffic on that IP reaching the web server.

Using Cisco ASA 5510.

Please ask any questions and I will add more information as needed.

8 Replies

Julio Carvajal
VIP Alumni

Hello Darren,

What version are you running?

What is the private IP of the server (use a fake one if required)? Then share the relevant configuration (NAT, interfaces and ACLs, using the fake IPs as mentioned before).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASDM 6.2.

Here are my options for NAT Rules:

I added the dmz.3 interface.

Private IP is set as a virtual interface to the same as the public IP.  This is the way our other existing, and working, block is configured.

Here are the Access Rules I set up to allow the traffic.

dmz-network is our original block that is working.

dmz.3-network is the new block that doesn't work.

[image: Access Rules.png]

Here are the interfaces:

Hello Darren,

I need the ASA version!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA version was in the original post: ASA 5510.

Can you do

show run nat

show run access-list

That will make it easier for us

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Result of the command: "show run nat"

nat (inside) 0 access-list inside_nat0_outbound

nat (dmz) 0 access-list dmz_nat0_outbound

Unfortunately I can't copy and paste the show run access-list; there is so much there. I will try to clean it up and post soon.

But the traffic is allowed in the Access List for "dmz3", just like "dmz".

dmz is working, dmz3 is not.
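For readers following the thread, here is the shape of the configuration Julio is asking for, written as an added example by the editor and not taken from the poster's firewall. It uses the pre-8.3 "nat (interface) 0 access-list" syntax that the posted "show run nat" output shows, so it matches that software generation. All addresses are RFC 5737 documentation ranges and are assumptions: outside 192.0.2.2/30 with ISP gateway 192.0.2.1, the working block 203.0.113.0/28 on dmz, the new block 198.51.100.0/28 on a VLAN subinterface named dmz3, and a web server at 198.51.100.10. The example also assumes the ISP routes the new block to the ASA's existing outside address rather than to a separate gateway: an ASA interface carries a single IP address and cannot be given a secondary address on a different gateway's subnet, so a "different gateway" for the new block has to be handled by the ISP routing the block to the ASA, not by the ASA itself.

```cisco
! Added example, not the poster's configuration. Pre-8.3 ASA syntax.
! Addresses are RFC 5737 documentation ranges (assumptions).
!
! Outside: one IP per interface. The new block is assumed to be routed
! to 192.0.2.2 by the ISP; no second gateway is configured here.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Existing DMZ on a tagged subinterface (VLAN 2), carrying the working block.
interface Ethernet0/2.2
 vlan 2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.240
!
! New DMZ subinterface (VLAN 3) for the new block. The ASA address here
! is the default gateway for servers addressed out of the new block.
interface Ethernet0/2.3
 vlan 3
 nameif dmz3
 security-level 50
 ip address 198.51.100.1 255.255.255.240
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! NAT exemption so the public addresses on dmz3 are not translated toward
! the outside, mirroring the existing dmz_nat0_outbound pattern.
access-list dmz3_nat0_outbound extended permit ip 198.51.100.0 255.255.255.240 any
nat (dmz3) 0 access-list dmz3_nat0_outbound
!
! Inbound rule on outside: only the web ports, only to the one server.
access-list outside_access_in extended permit tcp any host 198.51.100.10 eq www
access-list outside_access_in extended permit tcp any host 198.51.100.10 eq https
access-group outside_access_in in interface outside
!
! Verification. packet-tracer proves the ASA would allow and forward the
! packet out dmz3; it does not prove the server receives it.
packet-tracer input outside tcp 192.0.2.100 40000 198.51.100.10 80
!
! Layer 2 check: the ASA must have resolved the server's MAC on dmz3.
! No entry, or an incomplete one, means frames are not reaching the
! server on VLAN 3 even though packet-tracer passes.
show arp | include 198.51.100.10
!
! Interface check: subinterface up and counting packets on VLAN 3.
show interface Ethernet0/2.3
```

The "show arp" line is the check to run when packet-tracer passes but the server sees nothing: packet-tracer stops at the egress decision, while the ARP table shows whether the ASA and the server can actually exchange frames. Because dmz3 is an 802.1Q subinterface, the server's virtual interface (or the switch port in front of it) has to carry the same VLAN tag as the "vlan" line on the ASA; a server interface on the wrong VLAN never answers the ASA's ARP request, which is exactly the symptom of passing packet-tracer output with no traffic at the host.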

Hello Darren,

Please check your inbox

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC