
ASA 5510 - Multiple outside ip addresses on one ethernet port?

lonnycisco
Level 1

I have a Windows Server 2003 box running 2 SSL websites. Currently I am only using the Windows firewall and have put both external IP addresses on one NIC.

What I want to do is the same thing just on the ASA 5510.

Is there any way to map more than one outside IP address to one Ethernet interface (Ethernet0/0) and have that traffic routed to my NIC as 2 different internal IPs?

Ex: 23.124.124.12 -> 192.168.1.100

23.124.124.13 -> 192.168.1.101

Then in IIS I would select the internal IP addresses for each site and hopefully the SSL certificates would still work?

Thanks,

Mike

4 Replies

hoogen_82
Level 4

Hmm... two static NATs should solve your problem:

static (inside,outside) 23.124.124.12 192.168.1.100 netmask 255.255.255.255

static (inside,outside) 23.124.124.13 192.168.1.101 netmask 255.255.255.255

HTH

Hoogen

Expanding on the first question, how would you tell the router:

I only want to allow access to IP address 23.124.124.12 from these WAN IP addresses

xx.xx.xx.xx and zz.zz.zz.zz ...

and

I only want to allow access to IP address 23.124.124.13 from these WAN IP addresses

yy.yy.yy.yy and aa.aa.aa.aa ...

I will be taking the server down on Friday so I can test the code then.

Thanks again.

Along with your NAT statements, you would be specifying the access-list, which would look like:

access-list outside extended permit ip host xx.xx.xx.xx host 23.124.124.12

access-list outside extended permit ip host zz.zz.zz.zz host 23.124.124.12

Similarly:

access-list outside extended permit ip host yy.yy.yy.yy host 23.124.124.13

access-list outside extended permit ip host aa.aa.aa.aa host 23.124.124.13

HTH

Hoogen
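
The static NAT and access-list replies above, combined into one configuration and tightened to HTTPS only, as an added example that is not part of the original posts. The ACL name `outside_in`, the four source addresses (documentation-range placeholders standing in for xx/zz/yy/aa) and the restriction to TCP 443 are assumptions; the thread's own lines permit all IP traffic from the listed sources.

```cisco
! Added example, using the pre-8.3 "static" syntax seen in this thread.
! One-to-one static NAT: public (mapped) address -> private (real) address.
static (inside,outside) 23.124.124.12 192.168.1.100 netmask 255.255.255.255
static (inside,outside) 23.124.124.13 192.168.1.101 netmask 255.255.255.255
!
! Site 1: only these two sources (constructed placeholders), HTTPS only.
! With the static syntax above, the outside ACL matches the public
! address (23.124.124.x), not the 192.168.1.x address behind it.
access-list outside_in extended permit tcp host 198.51.100.10 host 23.124.124.12 eq https
access-list outside_in extended permit tcp host 198.51.100.20 host 23.124.124.12 eq https
!
! Site 2: a different pair of sources (constructed placeholders).
access-list outside_in extended permit tcp host 203.0.113.10 host 23.124.124.13 eq https
access-list outside_in extended permit tcp host 203.0.113.20 host 23.124.124.13 eq https
!
! No explicit deny line is required: an access list ends with an
! implicit deny, so every other source is dropped.
!
! Bind the ACL to inbound traffic on the outside interface.
! Until this line is entered, the entries above filter nothing.
access-group outside_in in interface outside
!
! Checks to run from privileged EXEC mode after applying:
!   show access-list outside_in
!     (hit counters per entry; confirm the expected lines increment)
!   packet-tracer input outside tcp 198.51.100.10 1025 23.124.124.12 443
!     (allowed source to site 1: result should be ALLOW)
!   packet-tracer input outside tcp 198.51.100.10 1025 23.124.124.13 443
!     (site 1 source to site 2: result should be DROP)
```
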

laurent.geyer
Level 1

As an alternative to the already suggested public-to-private static translations, you can also do the following.

static (inside,outside) 23.124.124.12 23.124.124.12 netmask 255.255.255.255

static (inside,outside) 23.124.124.13 23.124.124.13 netmask 255.255.255.255

route inside 23.124.124.12 255.255.255.255 192.168.1.100

route inside 23.124.124.13 255.255.255.255 192.168.1.100

Rather than adding 192.168.1.101 as a second IP address for the server, you add the two public IPs.

This seems like a more complicated setup at first, but it has the benefit of making it a lot clearer what public IP addresses are currently associated with a given webserver.
