07-10-2012 03:11 AM - edited 03-11-2019 04:28 PM
I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of the Public IPs on the current interface for various services (these need one-to-one mapping, so I can't port map, mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches, and I need to use an additional non-contiguous IP address range for additional services advertised on the Public interface that are NAT'd to servers in my DMZ.
I have seen an example of adding a static ARP on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have an L2 switch between the ISP router and the firewall, so using VLANs is not an option unless the ISP can be persuaded (highly unlikely) to add the secondary IPs as a sub-interface with tagging. Anyway, if this was actioned then we would have a massive outage on our current IP range during the transition.
Can anyone explain how I do this?
Regards,
Mike
07-10-2012 06:07 AM
You don't really need to do anything funky, all you need to do is configure the NAT translation on the ASA firewall using the new public range IP, and on the ISP router, just have to make sure that you route this new public ip range to the ASA Public interface IP address.
07-11-2012 01:53 PM
Jennifer,
Thanks for the quick reply.
You were pretty much correct; all I needed to do was create the appropriate NAT map between the Public IP and a DMZ server and also add a new RULE to allow the new public-facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.
I didn't need to set up any static ARPs or create any routes (the default route is already set out via the Public interface). Also no ISP-specific set-up was required, so as
I haven't tried to set-up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy.
07-11-2012 09:10 PM
Same deal with NAT/PAT, all you have to do is configure the NAT/PAT statement using that public IP.
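The configuration the thread describes (inbound static NAT from the new range to a DMZ server plus an access rule, and outbound PAT onto one of the new addresses), written out as an added example in ASA 8.2 pre-8.3 syntax. This is not configuration from the original posts: the interface names `Public`, `DMZ` and `Private`, the documentation-range addresses 203.0.113.0/28 (new public block) and 198.51.100.1 (existing ASA Public interface IP), the DMZ and Private subnets, and the ACL name are all assumptions.

```cisco
! ---- ISP router (IOS), assumed: route the new block at the ASA's existing Public IP
ip route 203.0.113.0 255.255.255.240 198.51.100.1

! ---- ASA 5520, 8.2(4) syntax (assumed interface names and addresses)
! Inbound: one-to-one static NAT, new public IP -> DMZ web server
static (DMZ,Public) 203.0.113.2 10.10.10.2 netmask 255.255.255.255

! In 8.2 the inbound ACL matches the mapped (public) address, not the real one.
! Permit only the service actually published; everything else stays denied.
access-list Public_access_in extended permit tcp any host 203.0.113.2 eq https
access-group Public_access_in in interface Public

! Outbound: PAT the Private LAN behind one address from the new block
global (Public) 2 203.0.113.14 netmask 255.255.255.255
nat (Private) 2 192.168.1.0 255.255.255.0

! ---- Checks after applying
show xlate
show nat
packet-tracer input Public tcp 192.0.2.50 40000 203.0.113.2 443
```

No static ARP or extra route is needed on the ASA for the same reason the thread found: the ISP router holds a route for 203.0.113.0/28 via 198.51.100.1, so it only ever ARPs for the ASA's existing interface address, and the ASA answers for the mapped addresses through its normal NAT proxy ARP. The `packet-tracer` line (with a constructed source address) shows whether a packet to the new public IP is translated and permitted by the ACL before any real client tests it; keep the access list limited to the published ports, since the mapped address is now reachable from the whole internet.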