12-03-2015 04:45 PM - edited 03-11-2019 11:59 PM
Hello,
Here is what I am trying to accomplish, and all of my searches are turning up empty, which usually means I have my head wrapped around it the wrong way.
Here is what I am envisioning:
We currently have an ASA 5510. Port 0 is connected to our ISP with something like 11 static IPs.
Port 1 is connected to the inside with a NAT so everyone's office computers reach the internet.
There are a handful of port forwards in place for different external IPs for FTP servers and what-not that I believe are in their own VLAN.
I need to add a server, and I would like to add it to port 2 of the ASA and give the physical server one of the 11 static public IPs as though it were a VPS that I rented from Amazon or wherever. Then, ideally, I would be able to block off all of the ports in the ASA except the ones I want to use.
I don't need to be able to access it from the internal network.
Where am I going wrong? What am I misunderstanding? What is this called? What keywords do I need to be searching?
12-03-2015 05:28 PM
Hi,
Here is my understanding of the issue; please correct me if I am incorrect.
You have two interfaces, eth0 and eth1, say inside and outside. You have the internet connected to outside. Now you are configuring another interface, eth2, and connecting a server. So let's call this interface DMZ. I believe you need to access the server from outside using a dedicated IP, but the users who are in the inside (eth0) should not be able to access it.
If this is your requirement, then you can configure a static NAT between outside and dmz, mapping one of the IPs from your ISP IP block to the internal server. Then you can configure the access list and permit only the ports/services which are required.
If your ASA version is 8.2 or below then the static NAT configuration is
static (dmz,outside) <mapped IP> <Real IP> netmask 255.255.255.255
If your ASA version is 8.3 or above then the static NAT configuration is
object network obj-10.1.1.16
host <real IP>
nat (dmz,outside) static <mapped IP>
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-04-2015 08:50 AM
That is essentially what I am hoping to do. It is unimportant whether inside devices on eth1 can reach eth2 or not.
With what you described, I assume that my server needs to have an internal address such as 10.0.0.150.
What I want to do is give the server interface the public IP address. Say my ISP gave me public IP addresses 63.64.65.10-21.
I want the server to have the IP address 63.64.65.18. Is this possible?
12-04-2015 09:23 AM
Hi,
I suppose that your outside interface is configured in the same subnet (63.64.65.x). In that case it would not be possible. The same subnet cannot be present on two different interfaces on the ASA. Also, it could not be assigned to hosts behind two different interfaces, as there would be an asymmetric routing issue.
As Shiva has mentioned, you could give one internal IP to the server, map it through a NAT statement, and restrict the traffic with the help of an access-list on the outside interface.
Hope it answers your query.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
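The configuration both answers describe (Shiva's static NAT from dmz to outside plus an access list, and Akshay's point that the server keeps a private address while the public IP lives only in the NAT statement), written out as an added example that is not part of the thread. It assumes ASA 8.3+ syntax, that the new server is on Ethernet0/2, the made-up DMZ subnet 10.0.0.0/24 with the server at 10.0.0.150 (the address the original poster guessed at), and the poster's hypothetical public block 63.64.65.10-21. The interface and object names are invented for illustration.

```cisco
! Added example, not from the thread. Addresses are hypothetical.
! ASA 8.3+ syntax: in this release train access lists match the REAL
! (pre-NAT) address of the server, not the mapped public IP.

! Third interface: the server's default gateway is 10.0.0.1
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
 no shutdown

! Server object with a one-to-one static NAT to the public IP
object network obj-dmz-server
 host 10.0.0.150
 nat (dmz,outside) static 63.64.65.18

! Only the published services are reachable from the internet.
! If an outside access list already exists for the FTP port forwards,
! add these lines to that list instead of creating a second one.
access-list OUTSIDE_IN extended permit tcp any object obj-dmz-server eq 443
access-list OUTSIDE_IN extended permit tcp any object obj-dmz-server eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Optional: inside (security-level 100) can reach dmz (50) by default.
! The poster does not need that, so deny it explicitly.
access-list INSIDE_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

To check the result before exposing anything, `show nat` and `show xlate` confirm the static translation, and `packet-tracer input outside tcp 198.51.100.7 40000 63.64.65.18 443` walks a simulated inbound packet through the NAT and access-list phases so the permit (or drop) can be seen without touching a real client; a second run against a port that is not listed should end in a drop at the access-list phase.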