Dru Goradia
Beginner

Public IP on inside interface ASA 5512

How would I go about giving a server on the inside interface of my ASA a public IP address? I have a /28 on the outside interface and I'd like to give a server a public IP and not NAT.

I'm not sure how to go about getting this done.

show run nat=

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup

!

object network inside-net

nat (inside,outside) dynamic interface

object network xsan-net

nat (xsan,outside) dynamic interface

object network webserver

nat (inside,any) static X.X.130.147 dns

show run route=

route outside 0.0.0.0 0.0.0.0 X.X.130.145 1

andrew.prince
Advocate

An easier way would be to split the /28 into 2x /29 and create another interface on the ASA and have your server sit off it.

Sent from Cisco Technical Support Android App

Is it not possible on the ASA to have a public IP on the inside interface?

How would I go about splitting to 2x /29. Would that be something I'd do or my ISP?

Hi Dru,

You can have /30 for your outside interface connected to router. You can have one /29 for your server which you can have for your DMZ interface, server and switch VLAN where you can connect... one /30 you can reserve for PAT/NAT.

Say 20.0.0.0/28 is your public IP subnet stack.

20.0.0.0/30 - 20.0.0.1 for your router and 20.0.0.2 for your outside interface of firewall.

20.0.0.4/29 - 20.0.0.5 for DMZ interface, 20.0.0.6 for Switch in DMZ, 20.0.0.7 for Server in DMZ (you can add 3 more servers and name 20.0.0.8, 9, 10 in future)

20.0.0.12/30 is the reserved subnet for future use. Hope this helps.

Please do rate for the helpful posts.

By

Karthik

andrew.prince
Advocate

It would be possible, but you would have to break a few networking rules.

What is the /28 your ISP has given you?

Sent from Cisco Technical Support Android App

My ISP gave me 173.196.1.1/28

Network is configured this way: ISP <-> ASA5512 <-> Inside Catalyst Switch

The goal is to give a server on the inside the IP 173.196.1.8 without NAT. So the server itself will have 173.196.1.8 and not 192.168.0.33 translated to 173.196.1.8.

I hope that makes sense.

I've split my /28 into two /29s

173.196.1.0/29 and 173.196.1.8/29

The first subnet is on the outside interface (GE0/0) and the second one is on interface GE0/3, which I named public

The inside (GE0/1) is the LAN 192.168.0.0/24

So the IP address of outside interface is 173.196.1.1 and the IP to the public interface is 173.196.1.9.

Now how do I configure it so my server (173.196.1.10) can go out to the internet with that IP address?

andrew.prince
Advocate

Splitting the /28 that way and you lose 6 IP addresses.
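
Added example, not part of any reply in this thread: a Python check, using the standard `ipaddress` module, that a proposed split of a provider block is boundary-aligned, inside the block and non-overlapping, run over the two splits quoted above. The function name `check_plan` and the report keys are illustrative choices.

```python
import ipaddress

def check_plan(parent, subnets):
    """Validate a proposed split of `parent` into `subnets` (CIDR strings)."""
    # The ISP block may be quoted as an interface address (e.g. x.x.x.1/28),
    # so the parent is normalised to its network address.
    block = ipaddress.ip_network(parent, strict=False)
    problems, accepted = [], []
    for cidr in subnets:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            nearest = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{cidr}: not on a /{nearest.prefixlen} boundary "
                            f"(enclosing network is {nearest})")
            continue
        if not net.subnet_of(block):
            problems.append(f"{net}: outside {block}")
            continue
        clashes = [str(a) for a in accepted if net.overlaps(a)]
        if clashes:
            problems.append(f"{net}: overlaps {', '.join(clashes)}")
            continue
        accepted.append(net)
    return {
        "parent": str(block),
        "problems": problems,
        # hosts() excludes the network and broadcast addresses of each subnet
        "usable_hosts": {str(n): sum(1 for _ in n.hosts()) for n in accepted},
        "unallocated_addresses": block.num_addresses
                                 - sum(n.num_addresses for n in accepted),
    }

# The two splits as written in the thread.
PLAN_TWO_29S = ("173.196.1.1/28", ["173.196.1.0/29", "173.196.1.8/29"])
PLAN_30_29_30 = ("20.0.0.0/28", ["20.0.0.0/30", "20.0.0.4/29", "20.0.0.12/30"])

if __name__ == "__main__":
    for parent, subnets in (PLAN_TWO_29S, PLAN_30_29_30):
        report = check_plan(parent, subnets)
        print(report["parent"])
        for net, hosts in report["usable_hosts"].items():
            print(f"  {net}: {hosts} usable host addresses")
        for problem in report["problems"]:
            print(f"  PROBLEM {problem}")
        print(f"  unallocated addresses: {report['unallocated_addresses']}")
```

Each interface address configured on the firewall comes out of the usable count for its subnet.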
