04-08-2013 09:52 AM - edited 03-04-2019 07:31 PM
Hello,
My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1, including a few site-to-site VPN tunnels. This is also true for the DMZ. Now, I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY, e.g. 192.168.0.25. How can I do this without affecting the existing setup? Since my entire internal subnet 192.168.0.0/24 is NATed to the existing PUBLICIP1, how can I exclude just one host (192.168.0.25) and bind it to PUBLICIP2 for all ports?
This is what my current OUTSIDE interface looks like.
interface Ethernet0/0
duplex full
nameif OUTSIDE
security-level 0
ip address PUBLICIP1 255.255.255.224
!
Thanks in advance.
04-10-2013 06:05 AM
Anyone?
04-10-2013 07:51 AM
Kumar,
Can you please post your configuration? Depending on how your configuration looks, you may be able to set up a static NAT for the one IP you wish to have a different address.
Thanks and Cheers!
Kimberly
Please remember to rate helpful posts.
04-10-2013 11:14 AM
Kimberly,
Thanks for your response. Unfortunately, I can't post my full running configuration here. Is there anything specific that you can guide me to look for that I might be able to share here?
04-10-2013 11:45 AM
Kumar,
If you have a single inside host that needs to be a different public IP address you can do something like this:
static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255
Then set up some access lists for what it will need to do and public DNS, and then it will be on a different IP.
Thanks and Cheers!
Kimberly
Please remember to rate helpful posts.
04-10-2013 12:26 PM
Please note that, when using static rules, they ignore the access-list applied on the Outside interface.
So having
static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255
would instantly map everything that goes to PUBLICIP2 to 192.168.0.25, no matter what's in the access-list.
I would suggest defining a new global rule and having a nat (inside) entry for that host mapping to that global rule.
Something like:
global (outside) 2 [PUBLICIP2]
nat (inside) 2 192.168.0.25 255.255.255.255
Maybe you will just need to alter your existing NAT/GLOBAL number to a higher value than the new one, because I'm not sure whether that also works as a sequence number.
Then if you need to specify ports visible from the Internet, you can do that with a static rule, but just for the services you need.
If you are running the new version of the ASA (8.3) with the new NAT commands... oh well... let me know so I can work it out.
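The pieces discussed in the replies above (a dedicated global/nat pair for the single host, a port-limited static for the published services, and the outside access-list) assembled into one configuration fragment. This is an added example, not configuration from the original thread; PUBLICIP2, the NAT ID 2, the object-group and access-list names and the published ports are assumptions chosen for illustration. The second half shows the equivalent in the 8.3+ object NAT syntax that the reply mentions, where access-lists reference the real (inside) address instead of the mapped one.

```cisco
! ---- Pre-8.3 syntax (global/nat/static) ----
! Existing PAT for the whole inside subnet to PUBLICIP1 (assumed NAT ID 1)
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0

! Dedicated pool for the single host: NAT ID 2 maps only 192.168.0.25 -> PUBLICIP2
! for outbound traffic, so its source address on the Internet is PUBLICIP2.
global (outside) 2 PUBLICIP2
nat (inside) 2 192.168.0.25 255.255.255.255

! Inbound: publish only the services that must be reachable, per port,
! instead of a full one-to-one static (which would forward every port).
static (inside,outside) tcp PUBLICIP2 443 192.168.0.25 443 netmask 255.255.255.255
static (inside,outside) tcp PUBLICIP2 25  192.168.0.25 25  netmask 255.255.255.255

! Outside ACL: before 8.3, inbound rules match the MAPPED (public) address.
! Only the published ports are permitted; everything else to PUBLICIP2 is dropped.
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP2 eq 443
access-list OUTSIDE_IN extended permit tcp any host PUBLICIP2 eq 25
access-group OUTSIDE_IN in interface outside

! ---- 8.3+ equivalent (object NAT) ----
object network HOST-25
 host 192.168.0.25
 ! One-to-one static for the host; its traffic in both directions uses PUBLICIP2.
 nat (inside,outside) static PUBLICIP2

! From 8.3 onward, inbound ACLs match the REAL (inside) address.
access-list OUTSIDE_IN_83 extended permit tcp any object HOST-25 eq 443
access-list OUTSIDE_IN_83 extended permit tcp any object HOST-25 eq 25
access-group OUTSIDE_IN_83 in interface outside
```

The per-port static entries in the pre-8.3 half are what limit the exposure of 192.168.0.25: a plain `static` without a port maps the whole host, so anything not stopped by the outside ACL reaches it. After applying either half, `show xlate` and `packet-tracer input outside tcp <src> 12345 PUBLICIP2 443` confirm which translation and ACL entry a given packet hits.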
04-11-2013 08:12 AM
Kimberly and Velimir - Thank you both for your reply. I tried setting it up as Kimberly suggested but it still doesn't work. It probably has to do with a couple of warning messages that I get. We have a few L2L VPNs, and for a couple of them we do full-subnet (192.168.0.0/24) static NATing to a separate single private IP for each site. Because my host 192.168.0.25 also falls under that NAT for the L2L, I get a conflict warning (not an error) when I issue the following command:
static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255
To avoid this I thought I could add an ACE to "exclude" the host 192.168.0.25 from the existing l2l VPN NAT. So I added the line
access-list NAT1 extended deny ip host 192.168.0.25 object-group OBJECTGROUP1
before this line
access-list NAT1 extended permit ip 192.168.0.0 255.255.255.0 object-group OBJECTGROUP1
and I still had no luck with it. I am not sure if I am on the right path to exclude a single host from an existing static NAT. Any help?
04-11-2013 09:51 AM
Can you export your NAT-related commands?