Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1349
Views
5
Helpful
5
Replies

Multple Public IP's to Mutiple inside IP's.

Go to solution
john.irizarry
Level 1
Level 1

‎09-25-2009 08:25 PM - edited ‎03-11-2019 09:19 AM

Hello,

I have a situation where I am replacing a SonicWall FW with an ASA 5510. I have a several Public IP's assigned to several systems in the DMZ.

For example, the outside interface address is 66.100.0.2

I have OWA (443) on 66.100.0.3 > 10.10.20.3

Sharepoint (443) on 66.100.0.4 > 10.10.20.4

Company WebSite (80) 66.100.0.5 > 10.10.20.5

Public IP's are just examples

Not sure how the SonicWall did it, but we are able to get to all our resources as described above.

Is it possible for the ASA to handle this?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to kumar

‎09-26-2009 05:04 AM

State NAT:

static (DMZ,outside) 66.100.0.3 10.10.20.3

static (DMZ,outside) 66.100.0.4 10.10.20.4

static (DMZ,outside) 66.100.0.5 10.10.20.5

or

Static PAT:

static (DMZ,outside) tcp 66.100.0.3 443 10.10.20.3 443 net 255.255.255.255

static (DMZ,outside) tcp 66.100.0.4 443 10.10.20.4 443 net 255.255.255.255

static (DMZ,outside) 66.100.0.5 80 10.10.20.5 80 net 255.255.255.255

You also have to allow permission in the acl applied on the outside interface to allow tcp 443 and tcp 80 to these public IP addresses from any source on the internet.

example:

access-list outside-acl permit tcp any host 66.100.0.3 eq 443

access-list outside-acl permit tcp any host 66.100.0.4 eq 443

access-list outside-acl permit tcp any host 66.100.0.5 eq 80

access-g outside-acl in int outside

View solution in original post

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to phlitservices

‎09-27-2009 08:25 AM

John,

Your ISP provided you the public addresses. It is their responsibility to bring the traffic destined to the ASA's outside address as well as other addresses that we added in the static commands to the outside interface of the ASA. Once the traffic arrives on the ASA the ASA will take care of sending the traffic to the appropriate servers on the DMZ.

Piece of cake !!

View solution in original post

0 Helpful
5 Replies 5

Go to solution
kumar
Level 1
Level 1

‎09-25-2009 11:42 PM

hi, that is possible in ASA

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to kumar

‎09-26-2009 05:04 AM

State NAT:

static (DMZ,outside) 66.100.0.3 10.10.20.3

static (DMZ,outside) 66.100.0.4 10.10.20.4

static (DMZ,outside) 66.100.0.5 10.10.20.5

or

Static PAT:

static (DMZ,outside) tcp 66.100.0.3 443 10.10.20.3 443 net 255.255.255.255

static (DMZ,outside) tcp 66.100.0.4 443 10.10.20.4 443 net 255.255.255.255

static (DMZ,outside) 66.100.0.5 80 10.10.20.5 80 net 255.255.255.255

You also have to allow permission in the acl applied on the outside interface to allow tcp 443 and tcp 80 to these public IP addresses from any source on the internet.

example:

access-list outside-acl permit tcp any host 66.100.0.3 eq 443

access-list outside-acl permit tcp any host 66.100.0.4 eq 443

access-list outside-acl permit tcp any host 66.100.0.5 eq 80

access-g outside-acl in int outside

0 Helpful

Go to solution
john.irizarry
Level 1
Level 1
In response to Kureli Sankar

‎09-26-2009 06:41 AM

Wow, is it really that easy? How does the traffic even know to get to the ASA from these other public IP's if the outside interface of the ASA is a different Public IP?

Outside is 66.10.0.2

So if I'm a user somewhere and I make a request to 66.10.0.5, how does it know to go to 66.10.0.2 to get there?

Thanks for the help!

0 Helpful

Go to solution
phlitservices
Level 1
Level 1
In response to john.irizarry

‎09-26-2009 09:34 PM

It's all in the IP Block you got from your ISP. e.g say they give u block 66.39.100.0/29 then u got 6 usable public IPs, 66.39.100.1 - 66.39.100.6, in theory. So all internet traffic destined to any of those 6 IPs will be routed to your location... i.e. https://mail.company.com could reslove to 66.39.100.1 or http://www.company.com could be 66.39.100.2 and 66.39.100.3 could be the outside IP of your ASA etc...... This could also be setup slightly different but i'm sure you got the point.

The ACL actually opens the port for traffic to enter into the ASA from the outside interface as the ASA doesn't allow traffic from a lower security interface (outside) to reach a higher security interface (DMZ, Inside etc) by default...

NAT/PAT statements on the ASA are always confusing to me :) the always seem to be in the wrong order. In simple terms static NAT translates the real address (10.10.10.2) to a mapped address that is routable e.g 66.39.100.2. PAT is slightly different...

These will help understand static nat/pat and ACLs...

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Donavan

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to phlitservices

‎09-27-2009 08:25 AM

John,

Your ISP provided you the public addresses. It is their responsibility to bring the traffic destined to the ASA's outside address as well as other addresses that we added in the static commands to the outside interface of the ASA. Once the traffic arrives on the ASA the ASA will take care of sending the traffic to the appropriate servers on the DMZ.

Piece of cake !!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card