ASA 5515-X Multiple inbound IPs using 1 interface

alyssenko
Level 1

I have a /29 network provided by my ISP and I also have an internal /24 network. Outbound internet works OK. I would like to be able to receive inbound traffic (HTTPS) on X.X.X.211 on my main Outside interface (which has an IP address of X.X.X.210). I'm looking for secondary IP type functionality. I understand the ASA is not a router but certainly there must be a way to allow for inbound traffic on more than one external IP without having to use multiple 'outside' interfaces.

external network:  X.X.X.208 /29
internal network:  192.168.2.0 /24
ISP endpoint:      X.X.X.209
my ASA endpoint:   X.X.X.210
inbound https:     X.X.X.211 (not working)

: Saved
:
ASA Version 9.1(1)
!
hostname SSIASA1
domain-name X
enable password 8b/6zhsslX6MGlCt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address X.X.X.210 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.2.2
 name-server 192.168.2.52
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TMG
 host 192.168.2.1
object network Public_IP_1
 host X.X.X.211
 description Cogent IP Block
object network Public_IP_2
 host X.X.X.212
 description Cogent IP Block
object network Public_IP_3
 host X.X.X.213
 description Cogent IP Block
object network Public_IP_4
 host X.X.X.214
 description Cogent IP Block
object network Internal_Network
 subnet 192.168.2.0 255.255.255.0
object network SRVNJ04
 host 192.168.2.4
object network WSNJ22
 host 192.168.2.98
object network SSINGINX1
 host 192.168.2.7
 description NGINX1
object network Cogent_Outside
 host X.X.X.209
 description Cogent outside interface
object network Cogent_Inside
 host X.X.X.210
object service https
 service tcp source eq https destination eq https
 description https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object source-quench
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object udp destination eq tftp
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 network-object X.X.X.208 255.255.255.248
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
access-list Inside_access_in remark allow specific traffic to Inside network
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Inside_access_in remark allow ICMP to Inside network
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Inside_access_in remark allow TFTP to SRVNJ04 (for CISCO ASA config backups) from Internal
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Internal_Network object SRVNJ04
access-list Inside_access_in remark allow https traffic to NGINX from inside/outside
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SSINGINX1 eq https
access-list Outside_access_in remark allow specific traffic from Cogent to Outside network
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Cogent_Outside X.X.X.208 255.255.255.248
access-list Outside_access_in remark allow specific traffic from Inside to Outside
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 192.168.2.0 255.255.255.0 X.X.X.208 255.255.255.248
access-list Outside_access_in remark allow ICMP from inside to external IPs
access-list Outside_access_in extended permit icmp 192.168.2.0 255.255.255.0 X.X.X.208 255.255.255.248 object-group DM_INLINE_ICMP_2
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit any Inside
icmp deny any echo-reply Outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any Public_IP_2 description internet access
nat (Outside,Inside) source static any interface destination static Public_IP_1 SSINGINX1 service https https net-to-net description https inbound
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.10.0 255.255.255.0 management
http 192.168.2.98 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.2.98 255.255.255.255 Inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username X password 9tQ.Tz4SMB4I.AdH encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp error
 class class-default
  set connection decrement-ttl
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7908a72c2aa2c00f0fb4686913351dca
: end

1 Reply

Julio Carvajal
VIP Alumni

Hey Arthur,

How are you??

Yeah there is a way using Proxy-ARP with NAT.

Your configuration is almost good.

Proposed changes:

object service https
 no service tcp source eq https destination eq https
 service tcp source eq https

no nat (Outside,Inside) source static any interface destination static Public_IP_1 SSINGINX1 service https https net-to-net description https inbound

nat (inside,outside) 1 source static SSINGINX1 Public_IP_1 service https https

That's it bud (you could use the outside, inside as well but I prefer the in,out for simplicity)

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
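The static NAT above is only half of what an inbound publish needs on an ASA running 8.3 or later: interface access lists are evaluated against the real (untranslated) address and port, so the Outside ACL must permit traffic to the inside server, not to the public IP. The checker below is an added example written for this thread, not code from the poster, the replier, or Cisco. It parses a constructed, simplified excerpt modelled on the configuration in the question (the ISP's X.X.X.* placeholders are replaced with the documentation range 203.0.113.0/24 so the addresses parse, and service object-groups in ACL lines are treated as "any protocol"), applies the reply's NAT rule, and reports any static NAT toward the outside interface whose real address has no matching permit on the named ACL.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's ASA config (not the poster's exact
# config). Assumption: X.X.X.* replaced by 203.0.113.0/24; ACL protocol groups
# simplified to plain protocols. The NAT line is the one proposed in the reply.
SAMPLE_CONFIG = """\
object network Public_IP_1
 host 203.0.113.211
object network SSINGINX1
 host 192.168.2.7
object network Cogent_Outside
 host 203.0.113.209
access-list Outside_access_in extended permit ip object Cogent_Outside 203.0.113.208 255.255.255.248
access-list Outside_access_in extended permit tcp 192.168.2.0 255.255.255.0 203.0.113.208 255.255.255.248 eq www
nat (inside,outside) 1 source static SSINGINX1 Public_IP_1 service https https
"""

# Same rules plus the permit an exposed host needs: since ASA 8.3 the interface
# ACL matches the real address and port, so it names the inside server.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list Outside_access_in extended permit tcp any object SSINGINX1 eq https\n"
)

NAT_RE = re.compile(
    r"^nat \((\w+),(\w+)\)(?: \d+)? source static (\S+) (\S+)"
    r"(?: service (\S+) (\S+))?"
)


def parse_network_objects(config):
    """Map each 'object network NAME' to an ip_network (host entries become /32)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # left the object block
            continue
        m = re.match(r"^\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(m.group(1))
        m = re.match(r"^\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def _address_spec(tokens, objects):
    """Consume one ACL address specification; return (network, remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "object":
        return objects[tokens[1]], tokens[2:]
    if head == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{head}/{tokens[1]}"), tokens[2:]  # "addr mask"


def parse_acl_permits(config, acl_name, objects):
    """Return (protocol, src_net, dst_net, dst_port) for each permit entry of acl_name."""
    prefix = f"access-list {acl_name} extended permit "
    entries = []
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        tokens = line[len(prefix):].split()
        if tokens[0] in ("object", "object-group"):
            proto, tokens = "ip", tokens[2:]  # service group: simplified to any protocol
        else:
            proto, tokens = tokens[0], tokens[1:]
        src, tokens = _address_spec(tokens, objects)
        dst, tokens = _address_spec(tokens, objects)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else "any"
        entries.append((proto, src, dst, port))
    return entries


def parse_static_nats(config, objects):
    """Return (real_ifc, mapped_ifc, real_net, mapped_net, real_service) per static rule."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real_ifc, mapped_ifc, real, mapped, real_svc, _mapped_svc = m.groups()
        if real in objects and mapped in objects:  # skips 'any' / 'interface' keywords
            rules.append((real_ifc, mapped_ifc, objects[real], objects[mapped], real_svc or "any"))
    return rules


def find_unreachable_publishes(config, outside_acl):
    """Static NATs toward 'outside' whose real address has no matching permit on outside_acl."""
    objects = parse_network_objects(config)
    permits = parse_acl_permits(config, outside_acl, objects)
    findings = []
    for _real_ifc, mapped_ifc, real, mapped, svc in parse_static_nats(config, objects):
        if mapped_ifc.lower() != "outside":
            continue
        allowed = any(
            proto in ("ip", "tcp") and real.subnet_of(dst) and port in ("any", svc)
            for proto, _src, dst, port in permits
        )
        if not allowed:
            findings.append(f"{mapped} -> {real} {svc}: no permit for the real address on {outside_acl}")
    return findings
```

Running `find_unreachable_publishes(SAMPLE_CONFIG, "Outside_access_in")` flags the NGINX publish, because both existing Outside permits are written against the public /29 rather than 192.168.2.7; the same call on `FIXED_CONFIG` returns an empty list. The parser deliberately covers only the object, ACL and NAT forms that appear in this thread (no network object-groups in ACL lines, no `destination static` twice-NAT), which is enough to catch the mismatch the thread is about.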