Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1504
Views
0
Helpful
3
Replies

multiple IP addresses on WAN interface

rga-rga-rga
Level 1
Level 1

‎01-07-2011 10:09 AM - edited ‎03-04-2019 10:59 AM

We have Cisco ASA 5505 box.

We have a /29 subnet available.

At this moment one of IP addresses in this rage is assigned to VLAN2 used for outside interface.

My question is how to set up following:

  • all outgoing traffic from VLAN10 (for employees) will go out using one IP, xxx.xxx.xxx.1
  • all outgoing traffic from VLAN20 (for visitors) will go out using second IP, xxx.xxx.xxx.2
  • all outgoing traffic from VLAN10 host yyy.yyy.yyy.yyy (mail server, webmail, ...) will go out using third IP, xxx.xxx.xxx.3
  • all specified incomming traffic to xxx.xxx.xxx.3 will be NATted to internal host yyy.yyy.yyy.yyy in VLAN10

The main purpose is to have specific public IP address for mail server only not to get to any black list,

and to give visitors different outgoing IP address than for our internal users.

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-07-2011 12:45 PM

Hi,

You're looking for PBR (Policy-Based Routing).

Not supported on ASA.

I guess you can use the static NAT to manipulate the traffic, for example:

route outside1 0 0 1.1.1.1 10

route outside2 0 0 2.2.2.2 20

All traffic is going to be sent via outside1 because of the lower metric.

However if you add:

static (inside,outside2) tcp 0.0.0.0 smtp 0.0.0.0 smtp

Will cause all SMTP traffic to be sent via the outside2 interface (even when the default gateway points out the outside1 interface).


Federico.

0 Helpful

rga-rga-rga
Level 1
Level 1
In response to Federico Coto Fajardo

‎01-08-2011 09:48 AM

outside1 and outside2 are same interface?

How can I set them up?
I need to let users to use SMTP and have outgoing address x.x.x.1

but to have outgoing address x.x.x.2 for mail server only.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rga-rga-rga

‎01-08-2011 09:55 AM

Let's say you have this:

Inside --- ASA --- Outside

Inside = VLAN 1

Outside = VLAN 2

I want to make 10.10.10.0/24 go through the ASA and use IP 1.1.1.1

I want to make 10.10.20.0/24 go through the ASA and use IP 2.2.2.2

I want to make 10.10.30.0/24 go through the ASA and use IP 3.3.3.3

The configuration would be like this:

access-list one permit ip 10.10.10.0 255.255.255.0 any

nat (inside) 1 access-list one

global (outside) 1 1.1.1.1

access-list two permit ip 10.10.20.0 255.255.255.0 any

nat (inside) 2 access-list two

global (outside) 2 2.2.2.2

access-list three permit ip 10.10.30.0 255.255.255.0 any

nat (inside) 3 access-list three

global (outside) 3 3.3.3.3

Even with only a single physical outside interface, the ASA can use different IPs to PAT different traffic based on the source IP.

The same can be done with TCP/UDP ports.

Federico.

0 Helpful
Customers Also Viewed These Support Documents