cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
978
Views
0
Helpful
6
Replies

Public IP assigned to host question

bobbysitro
Level 1
Level 1

My company currently is using a /30 network, 1 public assigned to an ISP  and 1 Public IP assigned to an ASA.  They also use a VPN which the peer  address is the public ip assigned to the outside interface of the ASA.  One of our clients is requesting to access our servers but our servers  must have assigned public IP not private. I have another /27 IP range  givent to me from our ISP and am wondering how I can assign a server a  public IP?

1 Accepted Solution

Accepted Solutions

The ISP's router, which is your ASA's default gateway, will need a static route pointing the /27 out the interface that faces the ASA's outside interface. Your ASA needs to have static NAT entries using the newly assigned /27. When the ISP's router receives a packet directed to one of the IP addresses that you used on your static NATs, the router will send an ARP request out the customer facing interface. The ASA in turn, since it has static NATs, will reply to those ARP requests with the MAC address of its outside interface. The Intenet router will build the frame using that MAC address as the destination MAC; the frame will be delivered to the ASA's outside interface, and then the ASA will continue its process internally.

View solution in original post

6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

Bobby

The more common way to solve this is to use an address from the other block and to configure static address translation so that the request coming in from outside will use the public address from the block and the ASA will translate it to the private address that the server uses inside your network.

HTH

Rick

HTH

Rick

so basically what you are saying is use the /27 as our interface to the ISP from the ASA. and then use the remaining IP's as static nats to hosts?

Bobby

You do not necessarily need to change the interface address. The ASA can use addresses for address translation that are not in the subnet of the interface address.

If you want to change the interface address you certainly can do that. But it is not required.

HTH

Rick

HTH

Rick

Ah okay, so the reason I am doing this is because when we VPN to our clients they want to make sure our private address isnt clashing with their private address. so they want to use a public address for each server. So when I do this NAT it will ensure that there is not clash?

The ISP's router, which is your ASA's default gateway, will need a static route pointing the /27 out the interface that faces the ASA's outside interface. Your ASA needs to have static NAT entries using the newly assigned /27. When the ISP's router receives a packet directed to one of the IP addresses that you used on your static NATs, the router will send an ARP request out the customer facing interface. The ASA in turn, since it has static NATs, will reply to those ARP requests with the MAC address of its outside interface. The Intenet router will build the frame using that MAC address as the destination MAC; the frame will be delivered to the ASA's outside interface, and then the ASA will continue its process internally.

excellent, thank you so much.

Review Cisco Networking for a $25 gift card