
5505 8.2 pat second public ip address

asentchernaev
Level 1

Hi, I have two ASA 5505s in two offices, doing dynamic NAT and VPN to one another. Everything works fine.

Now I have to create an additional VLAN (DMZ) on the first ASA, put one server there, and make it visible from the internet, not on the public IP I already have configured on the outside interface, but on a second one. As follows:

internal private IP address at the moment - 10.26.1.1/24 (internal computers using dynamic NAT via a.a.a.2)

DMZ VLAN should be - 192.168.168.1/30 and the server will be 192.168.168.2/30

provider gateway - a.a.a.1/28

first public IP (already configured as the outside IP address) - a.a.a.2/28

second public IP from the same subnet (still not used but given by the ISP) - a.a.a.3/28 -----> this must be configured statically to map to 192.168.168.2, so that whatever comes to a.a.a.3 is pushed to 192.168.168.2 statically and independently of the port number.

I can't find this in the documentation. I saw such a configuration on a PIX device before; I think it was done without configuring a second IP on the interface, only with an access list and a NAT rule, but I'm not entirely sure...

Thanks in advance

2 Replies

manish arora
Level 6

Given that you are using a pre-8.3 version, it would be something like:

asa(config)# static (DMZ,outside) a.a.a.3 192.168.168.2 netmask 255.255.255.255

Manish

The version is 8.3, not 8.2; it was a writing error. But I've already resolved this:

1. creating object a.a.a.3,

2. creating another object 10.26.1.200 (server)

3. making static NAT for object 2 to object 1

4. opening the outside firewall for IP traffic from any to 10.26.1.200.

Tested!

Thank you for the answer, it was still useful.

Sincerely,

Asen
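
The four steps in the reply above, written out as ASA 8.3 object NAT configuration. This is an added example, not part of the original thread: the interface name `inside`, the object names, the ACL name `outside_in` and the TCP/443 service in the narrower rule are assumptions, and `a.a.a.3` is the thread's placeholder for the second public address.

```cisco
! Added example; object names, ACL name and nameif "inside" are assumptions.
! a.a.a.3 is the thread's placeholder: substitute the real second public IP.

! Step 1: object for the second public address
object network OBJ-PUBLIC-2
 host a.a.a.3

! Steps 2 and 3: object for the server, with static NAT to object 1
object network OBJ-SERVER
 host 10.26.1.200
 nat (inside,outside) static OBJ-PUBLIC-2

! Step 4 as described: all IP traffic from any source.
! From 8.3 on, the ACL matches the real (untranslated) address,
! which is why the rule names 10.26.1.200 and not a.a.a.3.
access-list outside_in extended permit ip any host 10.26.1.200
access-group outside_in in interface outside

! Narrower alternative to step 4 (assumes the server only offers HTTPS):
! access-list outside_in extended permit tcp any host 10.26.1.200 eq 443

! Checks, run from exec mode: the translation exists and the inbound
! path is permitted. 203.0.113.10 is a constructed documentation
! address standing in for an internet source.
show nat detail
show xlate
packet-tracer input outside tcp 203.0.113.10 12345 a.a.a.3 443
```

With the server at 10.26.1.200 it shares the 10.26.1.0/24 segment with the internal computers, so the narrower rule limits what an internet source can reach on that segment.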