cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18294
Views
5
Helpful
15
Replies

(ASA 5510) How do assign multiple public IP addresses to outside interface?

jansalisbury
Level 1
Level 1

Hi,

I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  Please bare in mind I'm doing the config via ASDM.

PS. everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.

Any help much appreciated as I really need to get this sorted by Sunday night!

Jan

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

ASA 5505 is slighly different to ASA 5510. ASA 5505 has switchport, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.

In regards to static NAT, which version of ASA are you running?

For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):

static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255

For ASA version 8.3 and above:

object network obj-192.168.0.3

     host 192.168.0.3

     nat (inside,outside) static 123.123.123.125

Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.

For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).

For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.

Hope that helps.

View solution in original post

15 Replies 15

Jennifer Halim
Cisco Employee
Cisco Employee

ASA 5505 is slighly different to ASA 5510. ASA 5505 has switchport, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.

In regards to static NAT, which version of ASA are you running?

For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):

static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255

For ASA version 8.3 and above:

object network obj-192.168.0.3

     host 192.168.0.3

     nat (inside,outside) static 123.123.123.125

Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.

For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).

For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.

Hope that helps.

Hi Jennifer, Thanks for your quick reply. Yes it is version 8.3. What you say about the inbound ACL makes sense. I'm not able to connect to the ASA until tomorrow, but i'll update you when I've made the changes. Thanks again.

Thanks again for your quick reply and accurate resolution. The problem was indeed with the ACLs.

Great to hear. Thanks for the update and ratings.

Hi,

Im trying to do pretty much the same and it is not working for me.

I have one IP on the outside interface 10.42.56.14

i have another IP 10.42.56.14 i would like to use to access a server from the outside.

Im trying this with RDP. when i set this up for  .14 there is no problem and i can remote from the outside to the server on the inside. however when i do exectly the same for .13 it does not work.

Do i have to bind the additional IP to the outside inter face in any other way before the steps you describe?

/Hilmar

No, all you need is to configure the static NAT statement.

What is the subnet mask for the outside interface? and what is the default route? plus I assume that .13 is part of the same subnet as .14?

Have you configured ACL on the outside interface to allow access?

The subnet mask for the outside interface is 255.255.255.248

.13 and .14 are in the same subnet.

Default route:   route WAN1 0.0.0.0 0.0.0.0 88.131.56.9 20    (.9 is the default ISP gateway)

There is an ACL in place that looks exactly like it does when i test using .14 and it works like that

access-list WAN1 extended permit ip any object obj-10.42.10.32

Any ideas?

/Hilmar

Try to "clear xlate" and "clear arp" on the ASA, then test again.

If it doesn't work, pls check if there is any hitcount on the ACL that you applied on the outside interface:

show access-list

i have done both

"clear xlate" and "clear arp and It changes nothing.

access-list WAN1 line 2 extended permit ip any host 10.42.10.32 (hitcnt=101) 0x2876eae1

the strange thing is that even if i try a few times to remote in the hitcount does not change.

would it help to get the running config? if so can i email it?

/H

definitely, running config will help a lot.

But if there is no hitcount (or the hitcount didn't increase) that means, it's not even reaching the ASA.

.13 was once used on another firewall we are using (not anymore). Is it possible that the arp table of the ISP router still has that firewall in  its ARP table?

I have sent you the Running-config.

Update:

access-list WAN1 line 2 extended permit ip any host 10.42.10.32 (hitcnt=102) 0x2876eae1

it increased from 101 to 102

/H

Yes, definitely possible that the ARP entry is still on the ISP router.

I also assume that the old firewall is already unplugged from the network?

Can you reload the ISP router?

The other firewall is still in use. I have removed the IP from it but i talked to the ISP and they refreshed the ARP table and .13 still gets the MAC address of the old firewall.

I assume i need to do something else than just take .13 from the old firewall, maby refresh the cache?

I will test and come back with the result.

/H

Yes, looks like the other firewall still proxyarp for that ip address.

Review Cisco Networking for a $25 gift card