Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1106
Views
5
Helpful
5
Replies

Cisco ASA 5550 | Multiple External IP's | DMZ Setup

Go to solution
Chris Whiteley
Level 1
Level 1

‎03-23-2017 09:15 AM - edited ‎03-12-2019 02:06 AM

Hey All,

I will try and give as much information as I possibly can so that you can understand what I am trying to do. This is pretty tricky and I want to make sure that I am doing it the best way that I can. 

I have setup a separate DMZ leg on my firewall on port GiEth0/1. I am connecting that to my Cisco 3750g with L2 only, VLAN 210 (to match DMZ IP address of 192.168.210.1/24) and have 2 ports connected to my 2 hosts that are part of my virtual environment. I have created a separate Virtual Switch that just has DMZ traffic on it. I wanted to separate this out completely. I then have 1 more port of my 3750g going directly to my firewall in port GiEth0/1. That VLAN does not reside anywhere else. 

On the firewall I have setup PAT for all of my inside network to get out and that is all working well. My Firewall company gave us a /29 which means we have 5 IP addresses. I am creating a blackboard type server to put on the DMZ network (192.168.210.1/24) and I want to give it access to one of the 5 IP addresses that is NOT the normal outside address. I cannot figure out how to do this at all. I know you need a NAT statement (static) that points to the static IP of one of the external IP's, but I cannot seem to figure out how to do this from the DMZ. I want to do something like:

host 192.168.210.15
name blackboard
nat (dmz,outside) static 172.10.10.3

It won't allow me to do this. What am I missing here?

On the Cisco ASA 5550:
Software Version: 917-9-k8.bin

Interface GigabitEthernet 0/0
description Inside Network
nameif inside
security-level 100
ip address 10.20.13.2 255.255.255.0

interface GigabitEthernet 0/1
description DMZ
nameif DMZ
security-level 50
ip address 192.168.210.1 255.255.255.0

interface GigabitEthernet 1/0
description Fiber Connection
nameif Outside
security-level 0
ip address (fictitious) 172.10.10.1 255.255.255.248

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Chris Whiteley

‎03-23-2017 11:40 AM

Yes, you configure an access-list where you allow the needed traffic and apply this ACL to the outside interface:

access-list OUTSIDE-IN permit tcp any object blackboard eq 80
access-group OUTSIDE-IN in interface Outside

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Karsten Iwen
VIP
VIP

‎03-23-2017 10:49 AM

You have to configure your NAT inside of an object:

object network blackboard
 host 192.168.210.15
 nat (dmz,Outside) static 172.10.10.3

And make sure that your dynamic NAT-rules are located behind this rule. 

Go to solution
Chris Whiteley
Level 1
Level 1
In response to Karsten Iwen

‎03-23-2017 11:29 AM

Thank you so much! This helped the first part. I have tried this before and it never worked, but now it did...kind of weird.

Another question I had was that I wanted to allow only http traffic into the blackboard server. Would I set this up on the access rules? I think I know that, but wanted to verify. Thank you!

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Chris Whiteley

‎03-23-2017 11:40 AM

Yes, you configure an access-list where you allow the needed traffic and apply this ACL to the outside interface:

access-list OUTSIDE-IN permit tcp any object blackboard eq 80
access-group OUTSIDE-IN in interface Outside
0 Helpful

Go to solution
Chris Whiteley
Level 1
Level 1
In response to Karsten Iwen

‎03-23-2017 11:50 AM

Thank you so much! Very helpful!

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Chris Whiteley

‎03-23-2017 11:58 AM

And as the next step talk to your boss to replace the 5550 against a shiny new 5555-X with FirePower as the legacy 5550 will be EOL soon ... ;-)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card