Second Public IP on ASA 5510

kumarsundaram
Level 1

Hello,

My ASA 5510 is configured with a single PUBLICIP1 on the outside interface. All internal hosts 192.168.0.x are behind the ASA firewall and NATed to PUBLICIP1, including a few site-to-site VPN tunnels. This is also true for the DMZ. Now I would like to add a second PUBLICIP2 to the ASA and map it to one internal host ONLY, e.g. 192.168.0.25. How can I do this without affecting the existing setup? Since my entire internal subnet 192.168.0.0/24 is NATed to the existing PUBLICIP1, how can I exclude just one host (192.168.0.25) and bind it to PUBLICIP2 for all ports?

This is what my current OUTSIDE interface looks like.

interface Ethernet0/0
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address PUBLICIP1 255.255.255.224
!

Thanks in advance.

7 Replies

kumarsundaram
Level 1

Anyone?

Kumar,

Can you please post your configuration? Depending on how your configuration looks, you may be able to set up a static NAT for the one IP you wish to have a different address.

Thanks and Cheers!

Kimberly

Please remember to rate helpful posts.


Kimberly,

Thanks for your response. Unfortunately, I can't post my full running configuration here. Is there anything specific that you can guide me to look for that I might be able to share here?

Kumar,

If you have a single inside host that needs to be a different public IP address you can do something like this:

static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255

Then set up some access lists for what it will need to do, and public DNS, and then it will be on a different IP.

Thanks and Cheers!

Kimberly

Please remember to rate helpful posts.


Please note that, when using static rules, they ignore the access-list applied on the Outside interface.

So having

static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255

would instantly map everything that goes to PUBLICIP2 to 192.168.0.25, no matter what is in the access-list.

I would suggest defining a new global rule and having a nat (inside) entry for that host mapping to that global rule.

Something like:

global (outside) 2 [PUBLICIP2]

nat (inside) 2 192.168.0.25 255.255.255.255

Maybe you will just need to alter your existing NAT/GLOBAL number to a higher value than the new one, because I'm not sure whether that also works as a sequence number.

Then, if you need to specify ports visible from the Internet, you can do that with a static rule, but just for the services you need.

If you are running the new version of the ASA (8.3) with the new NAT commands... oh well... let me know so I can work it out.

Kimberly and Velimir - Thank you both for your reply. I tried setting it up as Kimberly suggested, but it still doesn't work. It probably has to do with a couple of warning messages that I get. We have a few L2L VPNs, and for a couple of them we do full-subnet (192.168.0.0/24) static NATing to a separate single private IP for each site. Because my host 192.168.0.25 also falls under that NAT for the L2L, I get a conflict warning (not an error) when I issue the following command:

static (Inside,outside) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255

To avoid this I thought I could add an ACE to "exclude" the host 192.168.0.25 from the existing l2l VPN NAT. So I added the line

access-list NAT1 extended deny ip host 192.168.0.25 object-group OBJECTGROUP1

before this line

access-list NAT1 extended permit ip 192.168.0.0 255.255.255.0 object-group OBJECTGROUP1

and I still had no luck with it. I am not sure if I am on the right path to exclude a single host from an existing static NAT. Any help?
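The two approaches discussed above (Velimir's global/nat pair plus a static for exposed ports, and Kumar's deny ACE to pull the host out of the L2L policy NAT) put together as one pre-8.3 ASA configuration. This is an added example, not a config posted in this thread or from Cisco; the inside nameif, the OUTSIDE_IN access-list name, the port list and the bracketed placeholder addresses are assumptions, and the L2L policy static is sketched from the thread's description only.

```cisco
! Added example, not from the thread. Replace bracketed tokens with real values.
! Inside interface is assumed to be named "inside"; outside is OUTSIDE as in the post.
!
! Existing dynamic PAT for the whole inside subnet to PUBLICIP1 (assumed shape).
global (OUTSIDE) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
!
! Existing L2L policy static NAT (assumed shape from the thread): the whole /24
! is translated to one private IP toward the peer networks in OBJECTGROUP1.
! The deny ACE must come before the permit so that traffic from 192.168.0.25
! no longer matches this rule and is not translated by it.
access-list NAT1 extended deny ip host 192.168.0.25 object-group OBJECTGROUP1
access-list NAT1 extended permit ip 192.168.0.0 255.255.255.0 object-group OBJECTGROUP1
static (inside,OUTSIDE) [L2L_NAT_IP] access-list NAT1
!
! One-to-one static for the single host. Static NAT takes precedence over the
! nat/global pair above, so outbound traffic from .25 is also sourced from PUBLICIP2.
static (inside,OUTSIDE) [PUBLICIP2] 192.168.0.25 netmask 255.255.255.255
!
! The static only creates the translation; inbound connections must still be
! permitted by the access-group applied to OUTSIDE. On pre-8.3 code the ACL
! matches the mapped (public) address. Expose only the services the host offers.
access-list OUTSIDE_IN extended permit tcp any host [PUBLICIP2] eq 443
access-list OUTSIDE_IN extended permit tcp any host [PUBLICIP2] eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
```

To check the result after applying it, `show xlate | include 192.168.0.25` should show the host translated to PUBLICIP2 rather than PUBLICIP1, and `packet-tracer input OUTSIDE tcp [SOME_INTERNET_IP] 40000 [PUBLICIP2] 443` should walk through the UN-NAT and ACCESS-LIST phases and end in ALLOW, while the same trace to a port not in OUTSIDE_IN should end in DROP. If the ASA still warns about an overlap when the static for .25 is entered, compare `show running-config static` against `show running-config access-list NAT1` to confirm the deny ACE landed ahead of the permit.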

Can you export your NAT-related commands?
