Cisco ASA 5550 | Multiple External IPs | DMZ Setup

Chris Whiteley
Level 1

Hey All,

I will try and give as much information as I possibly can so that you can understand what I am trying to do. This is pretty tricky and I want to make sure that I am doing it the best way that I can.

I have setup a separate DMZ leg on my firewall on port GiEth0/1. I am connecting that to my Cisco 3750g with L2 only, VLAN 210 (to match DMZ IP address of 192.168.210.1/24) and have 2 ports connected to my 2 hosts that are part of my virtual environment. I have created a separate Virtual Switch that just has DMZ traffic on it. I wanted to separate this out completely. I then have 1 more port of my 3750g going directly to my firewall in port GiEth0/1. That VLAN does not reside anywhere else. 

On the firewall I have set up PAT for all of my inside network to get out and that is all working well. My firewall company gave us a /29, which means we have 5 IP addresses. I am creating a Blackboard-type server to put on the DMZ network (192.168.210.1/24) and I want to give it access to one of the 5 IP addresses that is NOT the normal outside address. I cannot figure out how to do this at all. I know you need a NAT statement (static) that points to the static IP of one of the external IPs, but I cannot seem to figure out how to do this from the DMZ. I want to do something like:

host 192.168.210.15
name blackboard
nat (dmz,outside) static 172.10.10.3

It won't allow me to do this. What am I missing here?

On the Cisco ASA 5550:
Software Version: 917-9-k8.bin

interface GigabitEthernet 0/0
description Inside Network
nameif inside
security-level 100
ip address 10.20.13.2 255.255.255.0

interface GigabitEthernet 0/1
description DMZ
nameif DMZ
security-level 50
ip address 192.168.210.1 255.255.255.0

interface GigabitEthernet 1/0
description Fiber Connection
nameif Outside
security-level 0
ip address (fictitious) 172.10.10.1 255.255.255.248


5 Replies

You have to configure your NAT inside of an object:

object network blackboard
 host 192.168.210.15
 nat (dmz,Outside) static 172.10.10.3

And make sure that your dynamic NAT rules are located behind this rule.

Thank you so much! This helped the first part. I have tried this before and it never worked, but now it did ... kind of weird.

Another question I had was that I wanted to allow only HTTP traffic into the Blackboard server. Would I set this up in the access rules? I think I know that, but wanted to verify. Thank you!

Yes, you configure an access-list where you allow the needed traffic and apply this ACL to the outside interface:

access-list OUTSIDE-IN permit tcp any object blackboard eq 80
access-group OUTSIDE-IN in interface Outside
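
Putting the two replies together, here is a complete ASA (8.3+ object NAT syntax) fragment for the setup in this thread. This is an added example, not configuration posted by anyone in the thread: the object and ACL names (blackboard, OUTSIDE-IN) and addresses are the thread's own; the inside PAT object (inside-net) and the 203.0.113.10 source address in the packet-tracer check are assumptions made up for the example.

```cisco
! --- Added example: DMZ host on a dedicated public IP (object / auto NAT) ---
! Static one-to-one NAT for the DMZ host. Object NAT is bidirectional, so the
! host also leaves via 172.10.10.3 when it initiates outbound connections.
object network blackboard
 host 192.168.210.15
 nat (DMZ,Outside) static 172.10.10.3
!
! Existing inside PAT, as an assumed object (the thread does not show it).
! Inside hosts keep using the interface address, not the /29 spare IPs.
object network inside-net
 subnet 10.20.13.0 255.255.255.0
 nat (inside,Outside) dynamic interface
!
! Inbound policy. Since ASA 8.3 an ACL matches the REAL (untranslated)
! address, so the rule references the object (192.168.210.15), not 172.10.10.3.
! Only TCP/80 is opened; the explicit deny at the end logs everything else
! (the implicit deny would drop it silently).
access-list OUTSIDE-IN extended permit tcp any object blackboard eq 80
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface Outside
!
! --- Verification ---
! Confirm the static rule is installed and the translation is in place.
show nat detail
show xlate
! Simulate an outside client (203.0.113.10 is a constructed test address)
! hitting the public IP on port 80; the trace should end in ALLOW with the
! NAT phase showing 172.10.10.3 -> 192.168.210.15.
packet-tracer input Outside tcp 203.0.113.10 40000 172.10.10.3 80
! The same probe to another port must be dropped by the ACL phase.
packet-tracer input Outside tcp 203.0.113.10 40000 172.10.10.3 22
```

Two caveats worth checking once this is in place: with security-level 50 on the DMZ, the Blackboard host cannot initiate connections to the inside network (security-level 100) unless you add an ACL on the DMZ interface, which is what you want for a DMZ box; and if the server should only be reachable on 80, make sure nothing else on it listens on 443 or a management port that a later, broader ACL change could expose.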

Thank you so much! Very helpful!

And as the next step, talk to your boss about replacing the 5550 with a shiny new 5555-X with FirePower, as the legacy 5550 will be EOL soon ... ;-)
