Solved: Cisco ASA 5505 Multiple Outside Statics Ip?

dpoynter01 · ‎12-15-2012

I have an ASA 5505 with Security Plus License

Any help would be appreciated on the scenario below. I'm more familiar with asdm gui than command line.

I have 5 Static IP Addresses from my ISP

I have the following interfaces. Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3)

For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers ( for web filtering, etc ) However, its using the static ip that I have plugged into the ASA.

What I would like to accomplish is to put my inside interface (vlan1) on another static ip for outside access if thats possible, so that I can route those clients through opendns.org however however giving them more web privlieges than what the guest network is getting.

Any ideas?

Mitchell Dyer · ‎12-16-2012

Looks like I misspoke for the guest statement -- it'll be a dynamic statement as well -- see below.

I labbed this out on an 8.4 5510:

Interfaces:

Interface Name IP address Subnet mask Method

GigabitEthernet0 outside 155.1.1.6 255.255.255.248 manual

GigabitEthernet1 inside 10.0.0.1 255.255.255.0 manual

GigabitEthernet2 guest 192.168.1.1 255.255.255.0 manual

NAT:

object network INSIDE

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) dynamic interface

object network GUEST

subnet 192.168.1.0 255.255.255.0

nat (guest,outside) dynamic 155.1.1.2

Capture on Gi0 showing pings from INSIDE host to 8.8.8.8:

SRC - DST

155.1.1.6 8.8.8.8 ICMP 114 Echo (ping) request id=0xb42a, seq=0/0, ttl=255

8.8.8.8 155.1.1.6 ICMP 114 Echo (ping) reply id=0xb42a, seq=0/0, ttl=255

Capture on Gi0 showing pings from GUEST host to 8.8.8.8:

SRC- DST

155.1.1.2 8.8.8.8 ICMP 114 Echo (ping) request id=0x63af, seq=0/0, ttl=255

8.8.8.8 155.1.1.2 ICMP 114 Echo (ping) reply id=0x63af, seq=0/0, ttl=255

View solution in original post

Leo Laohoo · ‎12-15-2012

Duplicate post #1

dpoynter01 · ‎12-15-2012

The first one said it didn't go through.... My original can be deleted.

Mitchell Dyer · ‎12-15-2012

Just so I'm clear, you are wanting any hosts in the Guest VLAN to NAT to the outside interface IP and any hosts connected to the Inside VLAN to NAT to a different IP in the subnet assigned to the Outside interface?

Also, what version code are you running?

Sent from Cisco Technical Support iPhone App

dpoynter01 · ‎12-15-2012

Correct, or vice vera... Have all my inside hosts nat to the outside ( since the ASA is currently running that static IP ) and have my guest hosts nat outside to another static ip basically so i can setup to opendns.org accounts for web filtering/security giving guests limited access and giving insides users moderate browsing privlieges.

Mitchell Dyer · ‎12-15-2012

Assuming you're running 8.3+, where inside, outside and guest are the names of your security zones:

object network INSIDE-Subnet

network n.n.n.n m.m.m.m

nat (inside,outside) dynamic interface

object network GUEST-Subnet

network n.n.n.n m.m.m.m

nat (guest,outside) static

If you're running 8.2 it'll look quite abit different, but this should do it:

global (outside) 1 interface

global (outside) 2 mask

nat (inside) 1

nat (guest) 2

Both examples are shown with the inside hosts translated to the interface IP, while the guest hosts are translated to an alternate IP.

Hope this helps.

dpoynter01 · ‎12-15-2012

Thanks for the quick reply... sorry i forgot to mention it. I am running ASA 9.0.1 and ASDM 7.0.2

I kinda see what your doing but I'm still learning the command line at the moment. So as far as the GUI goes can you give me a little bit more direction on what I need to change?

From what I am seeing I need to edit my network inside object to reflect the outside public ip and guest network object to reflect my second outside public ip?

Mitchell Dyer · ‎12-15-2012

Sorry I don't have any lab equipment that runs ASDM 7.0.2, and honestly intend to shy away from the GUI, I get lost too easily.

As for the objects, you are simply defining the inside network as an object and associating a NAT statement with it.

If you can post a "sh run nat" and "sh run static" I can walk you through the CLI config you have.

Sent from Cisco Technical Support iPhone App

dpoynter01 · ‎12-15-2012

This is my asa which is not the one I plan on doing this too, but they both have the same setup.

sh run nat:

nat (inside,outside) source static Site-A-Network Site-A-Network destination static Site-B-Network Site-B-Network no-proxy-arp route-lookup

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network Web-Server

nat (inside,outside) static interface service tcp www www

object network obj-Guest

nat (Guest,outside) dynamic interface

object network Spiceworks

nat (inside,outside) static interface service tcp 8080 8080

object network Web-Server-SSL

nat (inside,outside) static interface service tcp https https

object network RemoteDesktop

nat (inside,outside) static interface service tcp 3389 3389

________________________________________________________

sh run static doesn't return anything my isp is dynamic though

dpoynter01 · ‎12-15-2012

When I am trying to configure this in GUI I already have an inside-network/8 and a guest-network/24 do I want to modify them or do I create a new network object as you specified? Is this below configuration translating right

object network INSIDE-Subnet

subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

object network GUEST-Subnet

network 192.168.2.0 255.255.255.0
nat (guest,outside) static 123.456.789.0

Mitchell Dyer · ‎12-15-2012

You don't need to create an object for the NATd guest address.

You can use existing objects, the translation statements you posted look correct, the static statement may need the "mask" command following the outside address you are NATing to, followed by the subnet mask of course.

Sent from Cisco Technical Support iPhone App

dpoynter01 · ‎12-16-2012

So it should look something like this?

object network INSIDE-Subnet

subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

object network GUEST-Subnet

network 192.168.2.0 255.255.255.0
nat (guest,outside) static 123.456.789.0 255.255.255.248

Mitchell Dyer · ‎12-16-2012

Looks like I misspoke for the guest statement -- it'll be a dynamic statement as well -- see below.

I labbed this out on an 8.4 5510:

Interfaces:

Interface Name IP address Subnet mask Method

GigabitEthernet0 outside 155.1.1.6 255.255.255.248 manual

GigabitEthernet1 inside 10.0.0.1 255.255.255.0 manual

GigabitEthernet2 guest 192.168.1.1 255.255.255.0 manual

NAT:

object network INSIDE

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) dynamic interface

object network GUEST

subnet 192.168.1.0 255.255.255.0

nat (guest,outside) dynamic 155.1.1.2

Capture on Gi0 showing pings from INSIDE host to 8.8.8.8:

SRC - DST

155.1.1.6 8.8.8.8 ICMP 114 Echo (ping) request id=0xb42a, seq=0/0, ttl=255

8.8.8.8 155.1.1.6 ICMP 114 Echo (ping) reply id=0xb42a, seq=0/0, ttl=255

Capture on Gi0 showing pings from GUEST host to 8.8.8.8:

SRC- DST

155.1.1.2 8.8.8.8 ICMP 114 Echo (ping) request id=0x63af, seq=0/0, ttl=255

8.8.8.8 155.1.1.2 ICMP 114 Echo (ping) reply id=0x63af, seq=0/0, ttl=255

dpoynter01 · ‎12-16-2012

I will give this a try next weekend. Looks like that should do the trick! Thanks

dpoynter01 · ‎12-16-2012

So the following setup like you provided in your last post will allow my inside network to stay on the same outside public ip which i specified as the outside static and then provide the guest network another outbound outside address