Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1052
Views
0
Helpful
4
Replies

ASA5505 - multiple public IP's

SorenStaunJorgensen
Level 1
Level 1

‎09-21-2011 02:49 AM - edited ‎03-04-2019 01:40 PM

Hi,

For a branch office we have an ASA5505 connected to the ISP with an DHCP provided public IP "locked" to the local MAC

This works ok!

Now - the ISP may provide up to 5 public IP's (all DHCP assigned).

Is it possible to configure 2-5 public interfaces in the ASA??

As IP's are DHCP assigned there must be something (a interface) to request the address.

Would this be possible, and if so - what license would be required??

NAT routing on the inside should be possible as well.

Thanks.... S

Labels:
0 Helpful
4 Replies 4

JohnTylerPearce
Level 7
Level 7

‎09-21-2011 06:56 AM

Well you can create sub-interfaces out of physical interfaces. So if you have gi0/0, you could create two sub-interfaces

gi0/0.1 and g0/0.2. I see the ISP may provide you will up to 5 public IP's (all DHCP assigned). Are these addresses

always going to be reserved for you or are they going to be regular DHCP? Also, what are the other public IP's

going to be used for?

0 Helpful

SorenStaunJorgensen
Level 1
Level 1
In response to JohnTylerPearce

‎09-21-2011 07:18 AM

Ok - how's sub interfaces created in ASA5505??

The IP's are assigned first time as regular DHCP assignments and afterward locked to the MAC address.

IP's are going to the used for different HTTP/HTTPS sites with different certs

So we'll port translate outside1:443 to inside1:443, outside2:443 to inside2:443

The solution is not ideal, but for the purpose in question sufficient :-)

0 Helpful

JohnTylerPearce
Level 7
Level 7
In response to SorenStaunJorgensen

‎09-21-2011 07:39 AM

Sounds like the additional IP's are just going to be used for NAT purposes with your sites. To create sub-interfaces yo

do the following

int x

no ip address

no nameif

no security-level

int y

ip address y.y.y.y y.y.y.y

nameif Y

security-level Y

vlan Y

int z

ip adress z.z.z.z z.z.z.z

nameif Z

security-level Z

vlan Z

Although, if you're using the additional IP's just for NAT, there is really no need to create sub-interfaces. But at least

you know how to      Another thing to remember is, if you create subinterfaces and you have the ASA connected to

a switch you will need to make that port a trunk port.

ASA <======> (Trunk on this end)Switch <========> X/Y hpsts

0 Helpful

IcebergTitanic
Level 1
Level 1

‎09-21-2011 04:51 PM

I think you can do it as described above, with subinterfaces, but there are some caveats...

1.  You'll have to name the interfaces, and you'll need more than base license to route between more than two named interfaces if I remember correctly.

2.  Because your external IP addresses will be DHCP'd to you, you'll only be able to nat to the interface addresses, and it might make some of your routing and access controls confusing...

0 Helpful
Customers Also Viewed These Support Documents