
03-03-2013 06:56 AM - edited 03-11-2019 06:08 PM
We have a /24 range of public IP addresses assigned to us by our ISP. What would be the process of assigning multiple public addresses on the outside interface of a Cisco ASA running OS version 9.1? We have an outside, inside, and DMZ interface. What command(s) would accomplish this? Servers hosting services to the world are on the DMZ, so traffic would need to be NATted also.
Thanks for your help.
Delmiro
Labels: NGFW Firewalls
03-03-2013 07:29 AM
Hi,
All this depends on how you are planning on using this /24 public network.
- Is this whole network going to be used between your ASA and the ISP gateway?
- Do you want to perhaps split the /24 into smaller segments?
- Keeping part of the segment between the ASA and ISP AND dedicating part of it to the DMZ directly, so servers are configured with public IP addresses and have no need for NAT on the ASA. (Especially useful when LAN hosts need connectivity to the servers also and you want to use the same public IP address that the Internet users get with DNS queries.)
To give you some examples of the configurations
NAT Pool + PAT Overload (Using separate IP)
- Using a NAT Pool and separate IP address as the PAT overload address
object-group network SOURCE-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
!
object network PAT-ADDRESS
 host 1.1.1.126
!
object network NAT-POOL
 range 1.1.1.2 1.1.1.125
!
object-group network NAT-POOL+PAT
 network-object object NAT-POOL
 network-object object PAT-ADDRESS
!
nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL+PAT
NAT Pool + PAT Overload (using "outside" IP)
- Using a NAT Pool and "outside" interface IP address as the PAT overload address
object-group network SOURCE-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
!
object network NAT-POOL
 range 1.1.1.2 1.1.1.126
!
nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL interface
In the above scenarios
- 10.10.10.0/24 = Example LAN network
- 192.168.10.0/24 = Example DMZ network
- 1.1.1.0/24 = Example public network
- SOURCE-NETWORKS = An "object-group" that groups the 2 above mentioned networks into one group for easier NAT configuration.
- NAT-POOL = An "object network" that contains the range of IP addresses used for the NAT Pool configuration. Can be any range you want naturally
- nat = Is the actual NAT configuration line
- (any,outside) = Makes it possible to use "any" source interface for the NAT (In this case both "inside" and "dmz" can use this configuration line)
- after-auto = Moves this NAT configuration to the last section (Section 3) of the NAT rules so it doesn't override some other NAT configurations you might be doing
- SOURCE-NETWORKS = Uses our previously configured "object-group" to define the source address for which NAT is done.
- NAT-POOL = Uses our previously configured "object network" to define the NAT Pool
- PAT-ADDRESS = Defines the PAT IP address IF we don't use the configuration using the "interface" parameter
- NAT-POOL+PAT = Is an "object-group" that groups the NAT Pool and PAT address to a single "object-group" for the actual NAT configuration
- interface = Defines that the "outside" interface IP address is used as a PAT overload IP address when the NAT Pool runs out
In the above examples we only use half of the /24 public network for the NAT Pool + PAT address. The rest of the IP addresses could for example be used as Static NAT addresses for either "inside" and/or "dmz" interface hosts.
As I mentioned you naturally have the option that you configure a /25 network between your ASA and your ISP
interface GigabitEthernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.128
And the ISP will route the 1.1.1.128/25 towards your "outside" interface IP address
You could then for example use part of that network directly at "dmz" interface and the rest as Static NAT addresses on the "outside" of your ASA
- DMZ = 1.1.1.128/26
- Static NAT = 1.1.1.192/26
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 1.1.1.129 255.255.255.192
Not sure if I wrote the information above clearly enough. If the information was helpful, please rate. If it answered your question, mark the question as answered. Naturally if you have more questions and want to clarify something, please ask more.
- Jouni
03-03-2013 01:53 PM
Thank you JouniForss for this great explanation, I appreciate your help on this. We would want to split the /24 to be used for some hosts on the DMZ; most of the time we just assign private IP addresses on the DMZ. Let me ask, where exactly are we assigning the public L3 address on the ASA if we do this public-private translation? Or do we just need to specify it on the network object - host statement, so that when the ASA sees a packet with a destination of 1.1.1.3 it would know that it needs to do something with it?
Let's say I need to enable this host to talk to the world on port 80.
Public Network range: 1.1.1.0/24 (public) ISP given to us
Host Public IP: 1.1.1.3
Host Private IP: 10.10.10.3 (dmz)
Once again thanks for explaining this
Delmiro
03-03-2013 02:05 PM
Hi,
The simple Static NAT configuration for an internal host would be
object network STATIC
 host 10.10.10.3
 nat (dmz,outside) static 1.1.1.3 dns
Where
- STATIC = Is the name of the "object network". Can be anything you like. Try to come up with a good naming policy to serve your needs
- host 10.10.10.3 = This defines the IP address under the "network object". In this case since we configure Static NAT under the "object network" too it naturally defines the real IP address for the Static NAT
- (dmz,outside) = Defines the interfaces between which the Static NAT is done
- 1.1.1.3 = Is the public IP address used for the Static NAT
The above is naturally considering you want to use private IP addresses for the internal hosts and just use the public IP addresses as NAT addresses.
The other option that I suggested was to configure the DMZ hosts with the public IP addresses straight. But that naturally requires both you and your ISP to configure the setup in a different way
Basically
- ASA to ISP would be 1.1.1.0/25
- ASA "dmz" would be 1.1.1.128/26
- ASA "outside" Static NAT range would be 1.1.1.192/26
In other words the ASA to ISP link would use half of the /24 network (/25) for NAT Pool / PAT purposes. The DMZ would hold a /26 block and another /26 block would be reserved for Static NAT use (other interfaces than DMZ).
From a routing perspective the ISP would naturally configure the 1.1.1.0/25 on the link towards the ASA. The ISP would also route the 1.1.1.128/25 towards your ASA (or route 1.1.1.128/26 and 1.1.1.192/26 towards the ASA).
You can go with any setup that suits you best.
Please rate the replies if you have found the information helpful
- Jouni

03-03-2013 03:05 PM
It makes perfect sense now; this is very helpful. Thank you JouniForss.
