Add external IP range

apereira
Level 1

Hello,

I had a static IP assigned to me by my ISP, which is fine, but now I have an IP range of 5 addresses. I would like to add the second static IP and point the type of traffic coming in on that to a specific internal server.

Do I need to create another interface, call it outside 2, with that static IP? Not sure.

Any help would be great.

I am sure I am way off.

thanks

This is on a Cisco ASA 5506.

1 Accepted Solution

Yes, just replicate with what you have for your existing NAT setup. 

Jon

14 Replies

Jon Marshall
Hall of Fame

No, you don't.

As long as the ISP is routing those new IPs to your ASA then you can just use them in your NAT statements. 

Jon

In my NAT rules section, I have the following:

HTTPS traffic being forwarded to internal IP 192.168.1.10 on public IP 45.73.12.42

I want another rule:

HTTPS traffic being forwarded to internal IP 192.168.1.11 on public IP 45.73.12.43

So just add the NAT rule and obviously allow the access. 

There is no requirement for the IP to be assigned to an interface. 

Jon

I think I need to create something for public IP 45.73.12.43.

Right now I only have the IP of the router, which is 45.73.12.42, and I have a NAT rule stating that all HTTPS traffic coming in on IP 45.73.12.42 goes to internal server 1.

I think I need to create something to tell it that HTTPS traffic coming in on IP 45.73.12.43 goes to internal server 2.

There is nothing created or defined for IP 45.73.12.43 right now on the firewall.

As I said, on the firewall configure a NAT statement for the new IP and update your ACL, and it should work fine.

Jon

I am really not that familiar with how to do this, quite obviously.

I am on the GUI under

Firewall/NAT Rules

I don't really see a place where I can add the external IP; I see the Add NAT Rule page.

I see a network object of outside with IP 45.73.12.42. Do I create another network object with 45.73.12.43?

Yes, just replicate with what you have for your existing NAT setup. 

Jon

apereira
Level 1

I made a mistake in saying the answer is correct.

I am still not getting it to work.

Please see the attached snapshots of what I currently have working with HTTPS.

How do I add a second one? I have tried simply using what is currently there and it's not working.

I don't use ASDM, but you will need to create new objects for the new public and private IPs.

Jon

OK, I created the network object for the new IP .43.

Please see attached for what I did; maybe you can see what I am doing wrong.

I can't tell from what you have posted as I don't use ASDM. 

Can you possibly post the configuration and then I should be able to help you out.

Jon

Sure, here it is:

: Saved

: 
: Serial Number: JAD1929028T
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1) 
!
hostname FW-LNALaval
enable password bgThEbkkouozdXwk encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 45.73.12.42 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet1/2.1
 description DMZ
 vlan 666
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Web-Server
 host 10.0.0.14
object service FTP-SERVICE
 service tcp destination eq ftp 
object service FTP-CRUSH_PORTS
 service tcp destination range 2000 2100 
object service RDP-SERVICE
 service tcp destination eq 3389 
object service rdp-service
 service tcp source eq 3389 
object service ftp-crush-ports
 service tcp source range 2000 2100 
object service ftp-service
 service tcp source eq ftp 
object service SFTP-Service
 service tcp source eq ssh 
object service sftp-service
 service tcp destination eq ssh 
object service https-service
 service tcp source eq https 
object network Prism-Web
 host 10.0.0.16
object service http-service
 service tcp source eq www 
object network 43
 host 45.73.12.43
object-group service ftp-crush-group
 service-object object FTP-CRUSH_PORTS 
 service-object object FTP-SERVICE 
access-list outside_access_in extended permit object RDP-SERVICE any object Web-Server inactive 
access-list outside_access_in extended permit object sftp-service any object Web-Server 
access-list outside_access_in extended permit object-group ftp-crush-group any object Web-Server inactive 
access-list outside_access_in extended permit tcp any object Web-Server eq https 
access-list outside_access_in extended permit tcp object 43 object Prism-Web eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Web-Server interface service any SFTP-Service
nat (inside,outside) source static Web-Server interface service any https-service
nat (inside,outside) source static Web-Server interface service any rdp-service inactive
nat (inside,outside) source static Web-Server interface service any ftp-service inactive
nat (inside,outside) source static Web-Server interface service any ftp-crush-ports inactive
nat (inside,outside) source static Prism-Web 43 destination static 43 43 service any http-service
!
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 45.73.12.41 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 10.0.0.12 8.8.8.8
!
dhcpd address 10.0.0.50-10.0.0.250 inside
dhcpd dns 10.0.0.12 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.0.1.5-10.0.1.200 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password a/i69ivzxIdOT6vW encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:c23229a4bd2139f2d4e68d587b46da56
: end
no asdm history enable

OK, what I tried is I added a public server, and then I added a rule in the ACL, and it still doesn't work. Here is my config:

: Saved

: 
: Serial Number: JAD1929028T
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1) 
!
hostname FW-LNALaval
enable password bgThEbkkouozdXwk encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 45.73.12.42 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet1/2.1
 description DMZ
 vlan 666
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Web-Server
 host 10.0.0.14
object service FTP-SERVICE
 service tcp destination eq ftp 
object service FTP-CRUSH_PORTS
 service tcp destination range 2000 2100 
object service RDP-SERVICE
 service tcp destination eq 3389 
object service rdp-service
 service tcp source eq 3389 
object service ftp-crush-ports
 service tcp source range 2000 2100 
object service ftp-service
 service tcp source eq ftp 
object service SFTP-Service
 service tcp source eq ssh 
object service sftp-service
 service tcp destination eq ssh 
object service https-service
 service tcp source eq https 
object network Prism-Web
 host 10.0.0.16
object service http-service
 service tcp source eq www 
object network 43
 host 45.73.12.43
object-group service ftp-crush-group
 service-object object FTP-CRUSH_PORTS 
 service-object object FTP-SERVICE 
access-list outside_access_in extended permit object sftp-service any object Web-Server 
access-list outside_access_in extended permit tcp any object Web-Server eq https 
access-list outside_access_in extended permit object-group ftp-crush-group any object Web-Server inactive 
access-list outside_access_in extended permit object RDP-SERVICE any object Web-Server inactive 
access-list outside_access_in extended permit object http-service object 43 object Prism-Web 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Web-Server interface service any SFTP-Service
nat (inside,outside) source static Web-Server interface service any https-service
nat (inside,outside) source static Web-Server interface service any rdp-service inactive
nat (inside,outside) source static Web-Server interface service any ftp-service inactive
nat (inside,outside) source static Web-Server interface service any ftp-crush-ports inactive
!
object network obj_any
 nat (any,outside) dynamic interface
object network Prism-Web
 nat (inside,outside) static 43
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 45.73.12.41 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 10.0.0.12 8.8.8.8
!
dhcpd address 10.0.0.50-10.0.0.250 inside
dhcpd dns 10.0.0.12 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.0.1.5-10.0.1.200 dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password a/i69ivzxIdOT6vW encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:fd04a0c347e6f95c2949cf5dd7609488
: end
no asdm history enable

What is the public IP?

What is the private IP?

What ports do you want to allow through?

Jon
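Jon's three questions are answered by the configuration already posted in the thread: the public IP is 45.73.12.43 (object `43`), the private IP is 10.0.0.16 (object `Prism-Web`), and the port is tcp/80 (`www`). The following is an added example, not a configuration from the thread or from Cisco, showing what "replicate your existing NAT setup" looks like on the CLI for those values, together with the checks a practitioner would run. Two points matter for why the posted attempt does not pass traffic: since ASA 8.3 an inbound ACL is evaluated against the real (post-NAT) destination, so the ACE must name the inside server and allow `any` source, whereas the posted ACE uses `object 43` (the firewall's own public IP) as the source and, in the second attempt, a service object that matches a source port of 80 rather than a destination port. The test client address 203.0.113.5 in the `packet-tracer` line is a made-up documentation address.

```cisco
! Added example (not from the thread). Values reused from the posted config:
!   outside 45.73.12.42/29, default gateway 45.73.12.41
!   Prism-Web = 10.0.0.16 (real address), 43 = 45.73.12.43 (mapped address)
! 203.0.113.5 below is an invented test client, not from the thread.

! 1. Objects. The extra public IP does NOT need its own interface; it only has
!    to be in the outside subnet (or routed to the ASA by the ISP).
object network Prism-Web
 host 10.0.0.16
object network 43
 host 45.73.12.43

! 2. Object NAT, static one-to-one 10.0.0.16 <-> 45.73.12.43.
!    The "nat" line lives under the REAL-address object. The ASA proxy-ARPs for
!    the mapped address on "outside" by default, so the ISP gateway (.41) can
!    resolve 45.73.12.43 without any extra interface or route.
object network Prism-Web
 nat (inside,outside) static 43

! 3. Inbound ACL. Remove the ACE from the posted config that uses the public IP
!    as the SOURCE and matches a source port, then add one that allows any
!    internet client to the real server address on destination port 80.
no access-list outside_access_in extended permit object http-service object 43 object Prism-Web
access-list outside_access_in extended permit tcp any object Prism-Web eq www
access-group outside_access_in in interface outside

! 4. Verify without waiting for a real client: simulate an inbound SYN to the
!    new public IP and confirm the UN-NAT and ACCESS-LIST phases both ALLOW.
packet-tracer input outside tcp 203.0.113.5 40000 45.73.12.43 80 detailed

! 5. Confirm the translation and the proxy-ARP entry are in place.
show nat detail
show xlate
show arp
```

If `packet-tracer` drops the packet in the ACCESS-LIST phase, the ACE is still written against the mapped address or a source port; if it drops in the UN-NAT phase, the `nat` statement is missing from the `Prism-Web` object. Keep the `inactive` rules and the `Web-Server` twice-NAT lines from the original config untouched; they translate a different real host and do not conflict with this object NAT rule.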