05-20-2008 10:23 AM - edited 03-03-2019 10:01 PM
I am going to have to set up an ASA 5505. I will have Citrix and Microsoft Exchange sitting behind the ASA. Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc.?
Thanks for any responses, Bill
Solved!
05-20-2008 10:52 AM
Bill
If you have the addresses available I would advocate using separate addresses for each server. In that case you will need just a straight static translation for each address. It is simpler and cleaner. It is also a bit more obvious, and that could be an advantage if something is not working and you are in the middle of troubleshooting.
HTH
Rick
05-20-2008 11:52 AM
Bill
No, you don't need to do this. As long as the public IP addresses are routed to the outside interface of your firewall then you only need to configure one address on the public interface, e.g.
Allocated public block: 212.17.10.0 255.255.255.240
Outside interface of ASA: 212.17.10.2 255.255.255.240
Inside interface of ISP router: 212.17.10.1 255.255.255.240
Then the rest of the addresses you can use as
static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255
where 192.168.5.1 is one of your internal servers.
The ASA will then respond to any traffic destined for 212.17.10.3, NAT it to 192.168.5.1 and forward it on to the internal server.
Obviously you need to allow the traffic from the outside with an access-list.
Also your servers may be on a DMZ, in which case just substitute the "inside" in your static statement with whatever the DMZ interface is called.
Jon
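The layout Jon describes, written out as a complete ASA 8.2-style configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the 212.17.10.0/28 block and the 212.17.10.1/.2 router and ASA addresses from Jon's post, two hypothetical internal servers (a Citrix gateway at 192.168.5.10 and an Exchange server at 192.168.5.20), and that the only ports that must be reachable from the Internet are TCP 443 for Citrix and TCP 25/443 for Exchange. It shows both answers to Bill's original question: one public address per server (what Rick and Jon recommend), and the port-forwarding form on the single interface address, so the difference in access-list and translation statements is visible side by side.

```cisco
! Added example configuration (not from the thread). ASA 5505, pre-8.3 NAT syntax,
! matching the "static (inside,outside) ..." form used in the thread.
! Assumed addressing: ISP block 212.17.10.0/28, ISP router 212.17.10.1,
! ASA outside 212.17.10.2, inside LAN 192.168.5.0/24,
! Citrix gateway 192.168.5.10, Exchange 192.168.5.20 (all hypothetical).

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.17.10.2 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
route outside 0.0.0.0 0.0.0.0 212.17.10.1

! ---- Option A: one public address per server (Rick's and Jon's recommendation) ----
! 212.17.10.3 and .4 are NOT configured on the outside interface. The ASA answers
! ARP for them on the outside (proxy ARP is on by default for static translations
! on this software train) and translates one-to-one to the internal host.
static (inside,outside) 212.17.10.3 192.168.5.10 netmask 255.255.255.255
static (inside,outside) 212.17.10.4 192.168.5.20 netmask 255.255.255.255

! Pre-8.3: the outside access-list matches the MAPPED (public) address.
! Permit only the ports each server actually serves; the static alone allows nothing in.
access-list OUTSIDE_IN extended permit tcp any host 212.17.10.3 eq 443
access-list OUTSIDE_IN extended permit tcp any host 212.17.10.4 eq 25
access-list OUTSIDE_IN extended permit tcp any host 212.17.10.4 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ---- Option B: port forwarding on the single interface address (what Bill first asked about) ----
! Each translation is a (protocol, port) pair on the outside interface address, so a
! second server that needs the same port (443 for both Citrix and OWA here) cannot be
! published without moving one of them to a non-standard port. This is the
! "overly complex" case Rick refers to. Shown for comparison only; do not configure
! both options for the same server and port.
! static (inside,outside) tcp interface 443 192.168.5.10 443 netmask 255.255.255.255
! static (inside,outside) tcp interface 25  192.168.5.20 25  netmask 255.255.255.255
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 443
! access-list OUTSIDE_IN extended permit tcp any interface outside eq 25

! Outbound PAT for the rest of the LAN, hidden behind the interface address.
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
```

Two checks after applying it: `show xlate` should list a static entry for each server even with no traffic, and `packet-tracer input outside tcp 203.0.113.5 40000 212.17.10.3 443` (203.0.113.5 is a documentation address standing in for an Internet client) should finish with the access-list and NAT phases both marked ALLOW and the egress interface as inside; an ALLOW on NAT but DROP on the access-list means the static is fine and the ACL is the problem, which is the troubleshooting advantage Rick mentions. If the servers sit on a DMZ VLAN, replace `inside` in the `static` statements with the DMZ interface name, as Jon says. Note that ASA 8.3 and later replaced this NAT syntax with `object network` / `nat (inside,outside) static ...` and changed the outside access-list to match the real (private) address rather than the mapped one, so this fragment is only correct on 8.2 and earlier.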
05-20-2008 11:33 AM
Rick,
Thanks for the response. I assume that I will need to configure the public interface on the ASA with all the public IP addresses?
Thanks again, Bill
05-20-2008 11:48 AM
Bill
Yes, the public interface would get public addresses.
HTH
Rick
05-20-2008 12:25 PM
Jon
I think that perhaps we are trying to say the same thing from slightly different perspectives. In the original post the question was:
"should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc."
My response was that a single address with port forwarding was overly complex. That is essentially the same thing that you are saying. Your response is much more specific about doing the translations but still assumes that he will use a group of public addresses associated with the public interface.
HTH
Rick
05-20-2008 12:27 PM
Rick
I agree that using individual addresses is the simplest approach.
It's one of those things where interpretation of the question comes in. I thought Bill was asking if all the public IP addresses that were allocated would actually need to be configured on the ASA outside interface which obviously isn't needed.
Jon
05-20-2008 12:35 PM
Jon
Agreed that there is interpretation of the question which leads to different emphases, and certainly agreed that the outside interface needs only a single address configured.
HTH
Rick