08-24-2012 11:31 AM - edited 03-07-2019 08:31 AM
How would I go about giving a server on the inside interface of my ASA a public IP address? I have a /28 on the outside interface and I'd like to give a server a public IP and not NAT.
I'm not sure how to go about getting this done.
show run nat=
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
!
object network inside-net
 nat (inside,outside) dynamic interface
object network xsan-net
 nat (xsan,outside) dynamic interface
object network webserver
 nat (inside,any) static X.X.130.147 dns

show run route=
route outside 0.0.0.0 0.0.0.0 X.X.130.145 1
08-24-2012 11:46 AM
An easier way would be to split the /28 into 2x /29 and create another interface on the ASA and have your server sit off it.
Sent from Cisco Technical Support Android App
08-24-2012 02:16 PM
Is it not possible on the ASA to have a public IP on the inside interface?
How would I go about splitting to 2x /29. Would that be something I'd do or my ISP?
08-25-2012 10:46 AM
Hi Dru,
You can have a /30 for your outside interface connected to the router. You can have one /29 for your server, which you can use for your DMZ interface, server and switch VLAN where you can connect... one /30 you can reserve for PAT/NAT.
Say 20.0.0.0/28 is your public IP subnet stack.
20.0.0.0/30 - 20.0.0.1 for your router and 20.0.0.2 for your outside interface of firewall.
20.0.0.4/29 - 20.0.0.5 for DMZ interface, 20.0.0.6 for Switch in DMZ, 20.0.0.7 for Server in DMZ (you can add 3 more servers and name 20.0.0.8,9,10 in future)
20.0.0.12/30 is the reserved subnet for future use. Hope this helps.
Please do rate for the helpful posts.
By
Karthik
08-25-2012 02:30 AM
It would be possible, but you would have to break a few networking rules.
What is the /28 your ISP has given you?
Sent from Cisco Technical Support Android App
08-29-2012 04:52 PM
What my ISP gave me is 173.196.1.1/28
Network is configured this way: ISP <-> ASA5512 <-> Inside Catalyst Switch
The goal is to give a server on the inside the IP 173.196.1.8 without NAT. So the server itself will have 173.196.1.8 and not 192.168.0.33 translated to 173.196.1.8.
I hope that makes sense.
08-30-2012 03:54 PM
I've split my /28 into two /29s
173.196.1.0/29 and 173.196.1.8/29
The first subnet is on the outside interface (GE0/0) and the second one is on interface GE0/3, which I named public.
The inside (GE0/1) is the LAN 192.168.0.0/24
So the IP address of outside interface is 173.196.1.1 and the IP to the public interface is 173.196.1.9.
Now how do I configure it so my server (173.196.1.10) can go out to the internet with that IP address?
08-26-2012 08:08 AM
Splitting the /28 that way, you lose 6 IP addresses.
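The /28-into-two-/29s split discussed in this thread can be checked with Python's `ipaddress` module before anything is configured on the firewall. This is an added example, not part of any post; the function name `check_plan` and the plan layout are assumptions, and the addresses are the ones quoted in the thread.

```python
import ipaddress

def check_plan(parent, plan):
    """Check subnets carved from `parent`.

    plan maps an interface name to (cidr, [addresses assigned on it]).
    Returns usable-host counts before/after the split and a list of problems.
    """
    # The thread quotes the block as 173.196.1.1/28; strict=False
    # normalises that host-style notation to the network 173.196.1.0/28.
    parent_net = ipaddress.ip_network(parent, strict=False)
    problems, accepted = [], {}
    for name, (cidr, assigned) in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: must sit on a boundary
        except ValueError:
            problems.append(f"{name}: {cidr} is not aligned to its prefix length")
            continue
        if not net.subnet_of(parent_net):
            problems.append(f"{name}: {net} is outside {parent_net}")
            continue
        for other_name, other in accepted.items():
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        usable = set(net.hosts())  # excludes network and broadcast addresses
        for addr in assigned:
            if ipaddress.ip_address(addr) not in usable:
                problems.append(f"{name}: {addr} is not a usable host in {net}")
        accepted[name] = net
    return {
        "usable_before": parent_net.num_addresses - 2,
        "usable_after": sum(n.num_addresses - 2 for n in accepted.values()),
        "problems": problems,
    }

# Addresses as stated in the thread; interface names follow the posts.
THREAD_PLAN = {
    "outside": ("173.196.1.0/29", ["173.196.1.1"]),
    "public": ("173.196.1.8/29", ["173.196.1.9", "173.196.1.10"]),
}
# Same split, but with the server on the originally requested 173.196.1.8.
ORIGINAL_GOAL = {
    "outside": ("173.196.1.0/29", ["173.196.1.1"]),
    "public": ("173.196.1.8/29", ["173.196.1.9", "173.196.1.8"]),
}

if __name__ == "__main__":
    for label, plan in (("thread plan", THREAD_PLAN), ("original goal", ORIGINAL_GOAL)):
        print(label, check_plan("173.196.1.1/28", plan))
```

Once the block is split, 173.196.1.8 becomes the network address of the second /29, which is why the server ends up on 173.196.1.10 in the later posts.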