Multiple public IP Addresses on ASA 5505

Vikrant Ambhore
Level 1

Hi

Is it possible to configure multiple public IP addresses (around 8) on a Cisco ASA 5505? Actually we have a total of 3 servers behind the firewall and more applications working on the ports mentioned below. I want to translate traffic from port 80 to 8080 (private IP) as per the details below.


LAN IP:-
Node-1  -----192.168.1.5
Node-2  -----192.168.1.2
Node-3  -----192.168.1.3
Sample Public IP which you will configure on ASA:- XX.XX.XX.--

Node-1
192.168.1.5:80   <-------------------------------->  XX.XX.XX.1:80     
192.168.1.5:8080 <-------------------------------->  XX.XX.XX.2:80      ---------------------Here 80 port must be forward to 8080
192.168.1.5:8983 <-------------------------------->  XX.XX.XX.1:8983
192.168.1.5:7070 <-------------------------------->  XX.XX.XX.3:80        --------------------- Here 80 port must be forward to 7070
192.168.1.5:9983 <-------------------------------->  XX.XX.XX.3:9983
192.168.1.5:22   <-------------------------------->  XX.XX.XX.1:10222  --------------------- Here 10222 port must be forward to 22

Node-2
192.168.1.2:80   <-------------------------------->   XX.XX.XX.4:80
192.168.1.2:8080 <-------------------------------->   XX.XX.XX.5:80
192.168.1.2:85   <-------------------------------->   XX.XX.XX.5:85
192.168.1.2:3389 <-------------------------------->   XX.XX.XX.5:10389  --------------------- Here 10389 port must be forward to 3389

Node-3
192.168.1.3:80    <-------------------------------->   XX.XX.XX.6:80
192.168.1.3:8080  <-------------------------------->   XX.XX.XX.6:8080
192.168.1.3:9983  <-------------------------------->   XX.XX.XX.6:9983
192.168.1.3:8983  <-------------------------------->   XX.XX.XX.6:8983
192.168.1.3:22    <-------------------------------->   XX.XX.XX.6:10222 --------------------- Here 10222 port must be forward to 22
192.168.1.3:7070  <-------------------------------->   XX.XX.XX.7:80  --------------------- Here 80 port must be forward to 7070

4 Replies

Hi

Yes it's possible, it's very easy actually. The hard part is to get 3 public IP addresses.

Hi All,

Thanks to all. It is now working fine as per my requirements, but I am worried about security and also having some issues behind the firewall. We are facing an Internet issue on the server: whatever download we start on the server always freezes for a long time. It looks like a network-related issue or maybe related to DNS. It would be great if you could review my config below and suggest any changes required.

ASA Version 8.2(5)
!
hostname XX.XX.XX.XX
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX.XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 description uplink from switch
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/3
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif outside
 security-level 0
 ip address XX.XX.XX.31 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group COLODNS
 name-server 127.0.0.1
 name-server 8.8.8.8
 name-server 192.168.1.1
 name-server 206.183.111.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list global_access extended permit ip any any
access-list inside_access extended permit ip any any
access-list inside_access extended deny ip any any inactive
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 www 192.168.1.5 7070 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.32 8983 192.168.1.5 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 9983 192.168.1.5 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 10222 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.36 www 192.168.1.2 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 85 192.168.1.2 85 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 10389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8080 192.168.1.3 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 10222 192.168.1.3 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 9983 192.168.1.3 9983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.37 8983 192.168.1.3 8983 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.38 www 192.168.1.3 7070 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http XXX.XXX.111.25 255.255.255.255 outside
http XXX.XXX.111.235 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh scopy enable
ssh XXX.XXX.XXX.25 255.255.255.255 outside
ssh XXX.XXX.XXX.235 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password XXX encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e848ee77bf67de57b04768ff5785f4f3
: end

On the ASA, there are no multiple addresses on an interface. But your scenario is solved with NAT.

For each node/port-combination you configure an object and define the NAT-settings (which are a port-forwarding):

object network NODE1-80
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.1 service tcp 80 80
object network NODE1-8080
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.2 service tcp 8080 80
object network NODE1-8983
 host 192.168.1.5
 nat (inside,outside) static XX.XX.XX.1 service tcp 8983 8983

And the traffic needs to be allowed on the outside interface:

object network NODE1
 host 192.168.1.5
!
access-list OUTSIDE-ACCESS-IN extended permit tcp any object NODE1 eq 80
access-list OUTSIDE-ACCESS-IN extended permit tcp any object NODE1 eq 8080
access-list OUTSIDE-ACCESS-IN extended permit tcp any object NODE1 eq 8983
!
access-group OUTSIDE-ACCESS-IN in interface outside

That needs to be done for all ports and all nodes.
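To make the two pieces of advice in this thread checkable, here is an added Python example. It is not from the original posts and not Cisco code. It takes a few constructed lines modelled on the posted 8.2(5) config (public prefix kept as the XX.XX.XX. placeholder), parses the `static` port forwards, renders the equivalent 8.3+ `object network` / `nat ... service tcp` entries like those in the reply above, builds a per-service outside ACL to replace the posted `permit ip any any` (matching the real address on 8.3+ or the mapped address on 8.2 and earlier), and flags the posted settings a reviewer would question: the inbound `permit ip any any`, SSH management open to `0.0.0.0 0.0.0.0`, and `name-server 127.0.0.1`, which points the ASA's own resolver at a box that runs no DNS server. The object names, the ACL name and the `pre_83` flag are my own.

```python
import re

# Constructed sample (not the full posted config): a few 8.2(5)-style lines
# modelled on the thread, with the public prefix kept as the XX.XX.XX. placeholder.
SAMPLE_CONFIG = """\
dns server-group COLODNS
 name-server 127.0.0.1
 name-server 8.8.8.8
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
static (inside,outside) tcp XX.XX.XX.32 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.33 www 192.168.1.5 8080 netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.34 10222 192.168.1.5 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XX.XX.35 10389 192.168.1.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
ssh XXX.XXX.XXX.25 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Port keywords as the ASA prints them in `show run`; everything else is numeric.
PORT_NAMES = {"www": 80, "ssh": 22, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}

# 8.2-style: static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)

# Settings a reviewer would flag in the posted config, with the reason.
AUDIT_RULES = [
    (re.compile(r"^access-list \S+ extended permit ip any any$"),
     "inbound permit ip any any admits every protocol to every host; replace with per-service permits"),
    (re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 \S+$"),
     "SSH management reachable from any source; keep only the specific admin hosts"),
    (re.compile(r"^name-server 127\.0\.0\.1$"),
     "points the ASA's own resolver at itself; the ASA runs no DNS server"),
]


def port_number(token):
    """Resolve a port keyword or a numeric string to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_statics(config):
    """One dict per 8.2-style `static (real,mapped) tcp ...` port forward."""
    forwards = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["mapped_port"] = port_number(f["mapped_port"])
            f["real_port"] = port_number(f["real_port"])
            forwards.append(f)
    return forwards


def to_object_nat(forwards):
    """Render the same forwards in 8.3+ object NAT syntax.

    Order after `service tcp` is real port first, mapped port second, so
    192.168.1.5:8080 exposed on XX.XX.XX.33:80 becomes `service tcp 8080 80`.
    Object names (NODE-<real-ip>-<real-port>) are my own convention.
    """
    lines = []
    for f in forwards:
        name = "NODE-%s-%d" % (f["real_ip"].replace(".", "-"), f["real_port"])
        lines.append("object network %s" % name)
        lines.append(" host %s" % f["real_ip"])
        lines.append(" nat (%s,%s) static %s service tcp %d %d"
                     % (f["real_if"], f["mapped_if"], f["mapped_ip"],
                        f["real_port"], f["mapped_port"]))
    return lines


def minimal_outside_acl(forwards, pre_83=False, acl="outside_access_in"):
    """One permit per forwarded service instead of `permit ip any any`.

    An interface ACL on 8.3+ matches the real (inside) address and real port;
    on 8.2 and earlier it matches the mapped (public) address and mapped port,
    which is why the pre_83 flag selects different fields.
    """
    rules = []
    for f in forwards:
        ip, port = (f["mapped_ip"], f["mapped_port"]) if pre_83 else (f["real_ip"], f["real_port"])
        rule = "access-list %s extended permit tcp any host %s eq %d" % (acl, ip, port)
        if rule not in rules:  # the same service may be forwarded more than once
            rules.append(rule)
    return rules


def audit(config):
    """Return (line, reason) pairs for the settings a reviewer would question."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        for pattern, reason in AUDIT_RULES:
            if pattern.match(s):
                findings.append((s, reason))
    return findings


if __name__ == "__main__":
    fw = parse_statics(SAMPLE_CONFIG)
    print("\n".join(to_object_nat(fw)))
    print("\n".join(minimal_outside_acl(fw)))
    for line, reason in audit(SAMPLE_CONFIG):
        print("REVIEW: %s  <- %s" % (line, reason))
```

Run it as a script to see the generated 8.3+ objects, the tightened ACL and the three review findings; the generated ACL still needs `access-group ... in interface outside` to take effect, and on 8.3+ the old `permit ip any any` line should be removed once the per-service permits are in place, otherwise it keeps matching first.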

Thank you!

Very clear!
