ASA - Multiple Public IPs on multiple ports

I have a /28 network provided by my ISP.  Internally, we have a phone system and two data networks that I'd like to distribute our public IPs to.  Unfortunately, I see that it's not as simple as assigning an individual public IP to each hardware interface.  So here's what I'd like to do....how do I do it:

e 0/0 - Public IP 71.0.0.1/28 physical connection to ISP

e 0/1 - Public IP 71.0.0.2/28 physical connection to Internal Phone System

e 0/2 - Public IP 71.0.0.3/28 physical connection to LAN2 (192.168.0.0/24)

e 0/5 - Internal LAN1 10.0.0.0/24 physical connection to LAN1 switches

4 Replies

johnd2310
Level 8

Hi,

That will not work. You cannot assign IP addresses from the same network to different interfaces.

Can you explain what you are trying to achieve? Exposing phone systems to the public is not normally a good idea.

If you would like to use public IP addresses in your internal network, then the best option is to get a /30 from your ISP to use on the link between the ISP and your external device. Then use your /28 on your internal network.

Thanks

John

**Please rate posts you find helpful**

Well, I honestly don't know what the phone system is doing.  I've never handled it outside of ensuring the Ethernet line was plugged into the previous ISP coax modem.  The phone system is something like a 1st gen IP capable phone system.  It's basically just a digital system with IP extension dialing added to it.  If the WAN connection goes down, the only thing affected is dialing an extension to reach another building; all calls are handled by POTS lines.

As far as what I'm trying to achieve, the new fiber connection that's been installed terminates with a single port switch and we have a /28 pack of static IPs.  While I have an eight port gigabit switch that I could plug in between the ASA and the ISP demarc, I was hoping to keep device count down and utilize the additional ports of the ASA.  There's not a way to segregate and direct traffic through VLANs or static routes?

I got my CCNA in 2013 so I'm, in the incredibly most basic sense, aware of how to get around the IOS and the more I've programmed the ASA (mostly through ASDM), the more it's all started to come back, especially the ACL stuff....though NAT rules are still a bit of a headscratcher when reading it from the CLI.

Hi William,

As johnd said, you would not give your Phone VLAN access to the Internet.

What you can do is bring VLAN 1 and 2 to the ASA so the ASA e0/2 will have a 192.168.0.xx address

and e0/5 will have an address of 10.0.0.xx

Then on the ASA create an object for LAN 2:

object network LAN2
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) static 71.0.0.4

Repeat for other networks you want to give Internet access to.

Thanks for the follow up, I'll try to decipher what you said (I'm very rusty with my Cisco skills).  Like I said, that's how the phone system has been configured to run.  I don't administer it so I don't know the internal workings of it.  All I know is that it uses a public IP address to create a connection to another PBX type device at another building.  I understand today's converged networks wouldn't be connected that way and it creates a security risk but this is an incredibly old system, I think I heard it was second hand donated in 2002 or something along those lines...it's barely IP capable and is controlled by a Windows 95 machine...another reason to segregate it on its own network.
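
The layout discussed in this thread, written out as an added configuration sketch (not posted by any participant): the /28 stays on the outside interface only, each internal network gets a private subnet on its own interface, and NAT hands out individual public addresses. It uses dynamic PAT for the two LANs rather than the `static` keyword in the reply above, and it assumes ASA 8.3+ object NAT on a model with routed physical ports; the `nameif` names, the 172.16.0.0/24 phone subnet, the interface host addresses, 71.0.0.5, and the remote PBX address 203.0.113.10 are constructed placeholders.

```cisco
! Added example. Assumes ASA 8.3+ object NAT and routed physical interfaces.
! nameif values, interface host addresses, 172.16.0.0/24, 71.0.0.5 and
! 203.0.113.10 are constructed placeholders, not values from the thread.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.0.0.1 255.255.255.240
interface Ethernet0/1
 nameif phone
 security-level 50
 ip address 172.16.0.1 255.255.255.0
interface Ethernet0/2
 nameif lan2
 security-level 90
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/5
 nameif lan1
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Outbound-only PAT: each LAN hides behind its own address from the /28.
! Nothing on the Internet can open a connection to these hosts.
object network LAN2
 subnet 192.168.0.0 255.255.255.0
 nat (lan2,outside) dynamic 71.0.0.4
object network LAN1
 subnet 10.0.0.0 255.255.255.0
 nat (lan1,outside) dynamic 71.0.0.5
!
! One-to-one NAT for the single phone-system host that needs a public IP.
object network PHONE-PBX
 host 172.16.0.10
 nat (phone,outside) static 71.0.0.2
!
! Inbound: only the remote PBX may reach the phone system; everything else
! hits the implicit deny. ACLs on 8.3+ match the real (pre-NAT) address.
access-list OUTSIDE-IN extended permit ip host 203.0.113.10 object PHONE-PBX
access-group OUTSIDE-IN in interface outside
```

Because the phone interface has a lower security level than either LAN, the legacy phone host cannot initiate connections into LAN1 or LAN2 without an explicit ACL, which keeps it segregated as the original poster wanted.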