Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
813
Views
0
Helpful
4
Replies

Adding public IPs

Go to solution
Delmiro Campelo
Level 1
Level 1

‎03-03-2013 06:56 AM - edited ‎03-11-2019 06:08 PM

we have a /24 range of public IP addresses assigned to us by our ISP, what would be the process of assigning multiple public addresses on the outside interface on cisco asa running os version is 9.1 ? we have an outside, inside, and dmz interface. what command/s would acommplish this? server hosting services to the world are on the dmz, so traffic would need to be natted also.

Thanks for your help.

Delmiro

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Delmiro Campelo

‎03-03-2013 02:05 PM

Hi,

The simple Static NAT configuration for an internal host would be

object network STATIC

host 10.10.10.3

nat (dmz,outside) static 1.1.1.3 dns

Where

  • STATIC = Is the name of the "object network". Can be anything you like. Try to come up with a good naming policy to serve your needs
  • host 10.10.10.3 = This defines the IP address under the "network object". In this case since we configure Static NAT under the "object network" too it naturally defines the real IP address for the Static NAT
  • (dmz,outside) = Defines the interfaces between which the Static NAT is done
  • 1.1.1.3 = Is the public IP address used for the Static NAT

The above is naturally considering you want to use private IP addresses for the internal hosts and just use the public IP addresses as NAT addresses.

The other option that I suggested was to configure the DMZ hosts with the public IP addresses straight. But that naturally requires both you and your ISP to configure the setup in a different way

Basically

  • ASA to ISP would be 1.1.1.0/25
  • ASA "dmz" would be 1.1.1.128/26
  • ASA "outside" Static NAT range would be 1.1.1.192/26

In other words the ASA to ISP link would use half of the /24 network (/25)  for NAT Pool / PAT / purposes. DMZ would hold /26 block and another /26 block would be reserved for Static NAT use (other interfaces than DMZ).

From a routing perspective the ISP would naturally configure the 1.1.1.0/25 on the link towards ASA. The ISP would also route the 1.1.1.128/25 towards your ASA (or route 1.1.1.128/26 and 1.1.1.192/26 towards ASA)

You can go with any setup that suites you best.

Please rate the replys if you have found the information helpfull

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎03-03-2013 07:29 AM

Hi,

All this depends on how you are planning on using this /24 public network.

  • Is this whole network going to be used between your ASA and the ISP gateway?
  • Do you want to perhaps split the /24 to smaller segment? 
    • Keeping part of the segment between the ASA and ISP AND dedicating part of it to the DMZ directly so servers are configured with public IP addresses and have no need for NAT on the ASA. (Especially usefull when LAN hosts need connectivity to the servers also and you want to use the same public IP address that the Internet users get with DNS querys)

To give you some examples of the configurations

NAT Pool + PAT Overload (Using separate IP)

  • Using a NAT Pool and separate IP address as the PAT overload address

object-group network SOURCE-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object network PAT-ADDRESS

host 1.1.1.126

object network NAT-POOL

range 1.1.1.2 1.1.1.125

object-group network NAT-POOL+PAT

network-object object NAT-POOL

network-object object PAT-ADDRESS

nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL+PAT

NAT Pool + PAT Overload (using "outside" IP)

  • Using a NAT Pool and "outside" interface IP address as the PAT overload address

object-group network SOURCE-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object network NAT-POOL

range 1.1.1.2 1.1.1.126

nat (any,outside) after-auto source dynamic SOURCE-NETWORKS NAT-POOL interface


In the above scenarios

  • 10.10.10.0/24 = Example LAN network
  • 192.168.10.0/24 = Example DMZ network
  • 1.1.1.0/24 = Example public network
  • SOURCE-NETWORKS = An "object-group" that groups the 2 above mentioned networks into one group for easier NAT configuration.
  • NAT-POOL = An "object network" that contains the range of IP addresses used for the NAT Pool configuration. Can be any range you want naturally
  • nat = Is the actual NAT configuration line
  • (any,outside) = Makes it possible to use "any" source interface for the NAT (In this case both "inside" and "dmz" can use this configuration line)
  • after-auto = Moves this NAT configuration to the last section (Section 3) of the NAT rules so it doesnt override some other NAT configurations you might be doing
  • SOURCE-NETWORKS = Uses our previously configured "object-group" to define the source address for which NAT is done.
  • NAT-POOL = Uses our previously configured "object network" to define the NAT Pool
  • PAT-ADDRESS = Defines the PAT IP address IF we dont use the configuration using the "interface" parameter
  • NAT-POOL+PAT = Is an "object-group" that groups the NAT Pool and PAT address to a single "object-group" for the actual NAT configuration
  • interface = Defines that the "outside" interface IP address is used as a PAT overload IP address when the NAT Pool runs out

In the above examples we only use half of the /24 public network for the NAT Pool + PAT address. Rest of the IP addresses could for example be used as Static NAT address for either "inside" and/or "dmz" interface hosts.

As I mentioned you naturally have the option that you configure a /25 network between your ASA and your ISP

interface GigabitEthernet0/0

description WAN

nameif outside

security-level 0

ip add 1.1.1.1 255.255.255.128

And the ISP will route the 1.1.1.128/25 towards your "outside" interface IP address

You could then for example use part of that network directly at "dmz" interface and the rest as Static NAT addresses on the "outside" of your ASA

  • DMZ = 1.1.1.128/26
  • Static NAT = 1.1.1.192/26

interface GigabitEthernet0/2

description DMZ

nameif dmz

security-level 50

ip add 1.1.1.129 255.255.255.192


Not sure if I wrote the information above clearly enough. If the information was helpfull please rate If it answered your question mark the question as answered. Naturally if you have more questions and want to clarify something, please ask more.

- Jouni

0 Helpful

Go to solution
Delmiro Campelo
Level 1
Level 1
In response to Jouni Forss

‎03-03-2013 01:53 PM

Thank you JounioForss for this great explanation, I apprecicate your help on this.We would want to split the /24 to be used for some hosts on the dmz, most of the time we just assign private ip addresses on dmz. Let me ask, where exactly are we assigning the public L3 address on ASA if we do this public-private translation? or do we just need to specify it on network object - host statement ? so that when the ASA sees a packet with a destination of 1.1.1.3 would know that it needs to do something with it.

Let's say I need to enable this host to talk to the world on port 80.

Public Network range: 1.1.1.0/24 (public) ISP given to us

Host Public IP: 1.1.1.3

Host Private IP: 10.10.10.3 (dmz)

Once again thanks for explaing this

Delmiro

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Delmiro Campelo

‎03-03-2013 02:05 PM

Hi,

The simple Static NAT configuration for an internal host would be

object network STATIC

host 10.10.10.3

nat (dmz,outside) static 1.1.1.3 dns

Where

  • STATIC = Is the name of the "object network". Can be anything you like. Try to come up with a good naming policy to serve your needs
  • host 10.10.10.3 = This defines the IP address under the "network object". In this case since we configure Static NAT under the "object network" too it naturally defines the real IP address for the Static NAT
  • (dmz,outside) = Defines the interfaces between which the Static NAT is done
  • 1.1.1.3 = Is the public IP address used for the Static NAT

The above is naturally considering you want to use private IP addresses for the internal hosts and just use the public IP addresses as NAT addresses.

The other option that I suggested was to configure the DMZ hosts with the public IP addresses straight. But that naturally requires both you and your ISP to configure the setup in a different way

Basically

  • ASA to ISP would be 1.1.1.0/25
  • ASA "dmz" would be 1.1.1.128/26
  • ASA "outside" Static NAT range would be 1.1.1.192/26

In other words the ASA to ISP link would use half of the /24 network (/25)  for NAT Pool / PAT / purposes. DMZ would hold /26 block and another /26 block would be reserved for Static NAT use (other interfaces than DMZ).

From a routing perspective the ISP would naturally configure the 1.1.1.0/25 on the link towards ASA. The ISP would also route the 1.1.1.128/25 towards your ASA (or route 1.1.1.128/26 and 1.1.1.192/26 towards ASA)

You can go with any setup that suites you best.

Please rate the replys if you have found the information helpfull

- Jouni

0 Helpful

Go to solution
Delmiro Campelo
Level 1
Level 1

‎03-03-2013 03:05 PM

it makes perfect sense now, this is very helpful, thank you JouniForss

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card