Should I use multiple IP addresses?

bill_baxter
Level 1

I am going to have to set up an ASA 5505. I will have Citrix and Microsoft Exchange sitting behind the ASA. Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc.?

Thanks for any responses, Bill

Richard Burts
Hall of Fame

Bill

If you have the addresses available I would advocate for using separate addresses for each server. In that case you will need just a straight static translation for each address. It is more simple and more clean. It is also a bit more obvious and that could be an advantage if something is not working and you are in the middle of troubleshooting.

HTH

Rick

Rick,

Thanks for the response. I assume that I will need to configure the public interface on the ASA with all public IP addresses?

Thanks again, Bill

Bill

Yes the public interface would get public addresses.

HTH

Rick

Bill

No, you don't need to do this. As long as the public IP addresses are routed to the outside interface of your firewall, you only need to configure one address on the public interface, e.g.

212.17.10.0 255.255.255.240

Outside interface of ASA: 212.17.10.2 255.255.255.240

Inside interface of ISP router: 212.17.10.1 255.255.255.240

Then the rest of the addresses you can use as

static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255

where 192.168.5.1 is one of your internal servers.

The ASA will then respond to any traffic destined for 212.17.10.3, NAT it to 192.168.5.1 and forward it on to the internal server.

Obviously you need to allow the traffic from the outside with an access-list.

Also your servers may be on a DMZ in which case just substitute the "inside" in your static statement with whatever the DMZ interface is called.

Jon
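The setup described in the reply above, written out as an added configuration example that is not part of the original posts. It keeps the pre-8.3 `static` syntax and the 212.17.10.3 / 192.168.5.1 pair from the reply; the VLAN number, the second server (192.168.5.2 mapped to 212.17.10.4), the server roles, the published ports and the access-list name `outside_in` are assumptions.

```cisco
! Added example. Only 212.17.10.1-.3 and 192.168.5.1 come from the thread;
! all other values are assumed for illustration.
!
! The outside interface carries ONE address from the routed /28.
! (Vlan2 as the outside VLAN is an assumption.)
interface Vlan2
 nameif outside
 security-level 0
 ip address 212.17.10.2 255.255.255.240
!
! Default route to the ISP router's inside interface.
route outside 0.0.0.0 0.0.0.0 212.17.10.1
!
! One static translation per server; no extra interface addresses needed.
! 192.168.5.1 = Citrix (assumed role), 192.168.5.2 = Exchange (assumed host).
static (inside,outside) 212.17.10.3 192.168.5.1 netmask 255.255.255.255
static (inside,outside) 212.17.10.4 192.168.5.2 netmask 255.255.255.255
!
! A one-to-one static translates every port, so the access-list alone
! decides what is reachable from outside. Permit only the published
! services (assumed ports), addressed to the public (mapped) address.
! Anything not listed is dropped by the implicit deny.
access-list outside_in extended permit tcp any host 212.17.10.3 eq 443
access-list outside_in extended permit tcp any host 212.17.10.4 eq 25
access-list outside_in extended permit tcp any host 212.17.10.4 eq 443
access-group outside_in in interface outside
!
! For comparison, the single-address option from the question: port
! forwarding (static PAT) on the interface address. A public port can
! go to only one server, so both servers could not publish 443 this way.
! static (inside,outside) tcp interface 25 192.168.5.2 25 netmask 255.255.255.255
! static (inside,outside) tcp interface 443 192.168.5.2 443 netmask 255.255.255.255
```

`show xlate` and `show access-list outside_in` confirm the translations and the per-entry hit counts; `packet-tracer input outside tcp <source-ip> <source-port> 212.17.10.3 443` shows which NAT and access-list rules a test connection matches.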

Jon

I think that perhaps we are trying to say the same thing from slightly different perspectives. In the original post the question was:

"Should I just use one IP address and forward ports as needed, or should I use a separate IP for Citrix, Exchange, ASA public, etc."

My response was that a single address with port forwarding was overly complex. That is essentially the same thing that you are saying. Your response is much more specific about doing the translations but still assumes that he will use a group of public addresses associated with the public interface.

HTH

Rick

Rick

I agree that using individual addresses is the simplest approach.

It's one of those things where interpretation of the question comes in. I thought Bill was asking if all the public IP addresses that were allocated would actually need to be configured on the ASA outside interface which obviously isn't needed.

Jon

Jon

Agreed that there is interpretation of the question, which leads to different emphases. And certainly agreed that the outside interface needs only a single address configured.

HTH

Rick
