binding multiple internet ip addresses to a single physical int on asa

Unanswered Question
Jun 23rd, 2008

Our ISP gave us a range of real internet ip addresses ( to for example).

We have domain names registered to some of the ip addresses (ie ->, ->, etc).

My outside interface on the asa 5510 is already assigned How do I assign .2 to it?

ip address secondary doesn't seem to work for asa.

Jon Marshall Mon, 06/23/2008 - 10:46

If I understand correctly, you have some servers that you are presenting with public IP addresses to the Internet? If these servers have private addresses then you don't need to assign the additional addresses to the outside interface. An example:

web server =

Public IP address used for web server

Your web server is on a DMZ on the ASA and the DMZ interface is called DMZ.

static (DMZ,outside) netmask

The above statement tells the ASA that any traffic received on the outside interface for should be changed to and sent out the inside interface.

Hope this makes sense and answers your question.


support.edm Mon, 06/23/2008 - 11:09

Actually this is the scenario:

We have an ISA 2004 FW right now that has multiple internet ip addresses bound to the outside NIC. ie,,,, etc.

We want to eventually replace the ISA 2004 with the ASA 5510. So what I want to do is, in addition to the existing, I want to bind .2, .3, etc. to the same outside interface.

Our domain names point to diff internet ip addresses.

ie, points to .1 points to .3

and so on...

Marwan ALshawi Mon, 06/23/2008 - 19:49

I think you only need to make static NAT as mentioned above

you don't need to give secondary ip to the asa

just give your web server1 private address such as ( and ur pub address

webserver2 and they are in ur inside

static (inside,outside) tcp http http netmask

this is static PAT because the server1 has the same ip address to the firewall outside interface

secondly and also for all other config (will be identical)

static (inside,outside) netmask

and don't forget to permit the inbound connection destined to your webservers (,,.. public IPs)

rate if helpful,

thank you and let me know

support.edm Wed, 06/25/2008 - 07:34

I guess I should be much clearer and specify.

As an example similar to our scenario, currently we have these dns names registered: -=> -=> -=> -=>

On our ISA,,, and are bound to the outside NIC. The internal NIC has

Our webservers are and

On our ISA, we have the following rules:

Any request for the dns name, redirect to

Any request for the dns name, redirect to

Any request for the dns name, redirect to

Any request for the dns name, redirect to

Are the above possible to be duplicated on the ASA 5510?

ryanparr9 Wed, 06/25/2008 - 14:07

We have a similar setup with our 5510 and it is easily done. You don't actually bind the address to the outside interface. You simply create your static nat from the outside (web address) to the inside (server address) or vice versa and create the acl specifying the type of traffic (http/https) allowed to hit your webservers.

support.edm Thu, 06/26/2008 - 06:10

Registered: -=>

Registered: -=>

Any request for the dns name, redirect to

Any request for the dns name, redirect to

You mean do the below???

Static (inside,outside) tcp 80 80 netmask

Static (inside,outside) tcp 80 80 netmask

I don't see how the asa would be able to distinguish what goes where if it's based on IP address of The only way the proper redirection will work is if ASA looks at the domain name request...??? But I can't seem to find the option to use DNS name instead of IP address??

Marwan ALshawi Thu, 06/26/2008 - 06:23

try this and let me know

let's say ur DNS server on the inside network with IP 172.17.193 10 ur domain name servers.local

do the following commands:

dns domain-lookup inside

dns name-server


domain-name servers.local

and keep ur nat config and don't forget to make the proper ACLs on ur outside interface and maybe inside too (such as port 53 for dns, www...)

the following info from ciscopress

If you are running ASA 7.2(1) or later, the firewall can use DNS to resolve the IP address in a URL.

Make sure you use the following commands to configure DNS resolution on a specific firewall interface, the firewall's default domain name, and one or more DNS addresses:

Firewall(config)# dns domain-lookup if_name

Firewall(config)# dns server-group name

Firewall(config-dns-server-group)# domain-name name

Firewall(config-dns-server-group)# name-server ip_addr [ip_addr2] [...]


Firewall(config-dns-server-group)# retries number

Firewall(config-dns-server-group)# timeout seconds

Firewall(config-dns-server-group)# exit

good luck

rate if helpful

ryanparr9 Thu, 06/26/2008 - 08:14

Yes, support.edm you are right, I don't think it would be able to distinguish where to send traffic with both domain names pointing to the same IP and different back end servers. I was confused by the different IP's in your posts.

You can try marwanshawi's suggestions but I am not familiar with that.

We have always broken our websites out to different public IP's using the static statements and the proper ACL. It makes for a simpler config if you have the address space.
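
Added example, not part of any post in this thread and not Cisco's code: a small Python audit of a planned pre-8.3 `static` configuration that flags the two issues discussed above, namely one public IP and port mapped to two different servers, and a static with no matching inbound permit on the outside ACL. All addresses, the ACL name `outside_in` and the function names are constructed for illustration, and the ACL parser assumes the simple `permit tcp any host <ip> eq <port>` form.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; RFC 5737 / RFC 1918 addresses, not from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.3 80 192.168.1.11 80 netmask 255.255.255.255
Static (inside,outside) tcp 203.0.113.3 80 192.168.1.12 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.4 www 192.168.1.13 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.2 eq www
access-list outside_in extended permit tcp any host 203.0.113.3 eq www
access-group outside_in in interface outside
"""

PORTS = {"www": "80", "http": "80", "https": "443"}  # port keywords -> numbers


def parse_statics(config):
    """Yield (mapped_ip, mapped_port, real_ip); port is None for one-to-one NAT."""
    for line in config.splitlines():
        m = re.match(r"static \(\w+,\s*\w+\)\s+(.*)", line.strip(), re.I)
        if not m:
            continue
        f = m.group(1).split()
        is_pat = f[0].lower() in ("tcp", "udp")
        if len(f) < (4 if is_pat else 2):       # skip truncated or incomplete lines
            continue
        if is_pat:                              # static PAT: proto mapped port real port
            yield f[1], PORTS.get(f[2], f[2]), f[3]
        else:                                   # static NAT: mapped real
            yield f[0], None, f[1]


def permitted(config):
    """(ip, port) pairs permitted by the ACL bound inbound on the outside interface."""
    bound = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    if not bound:
        return set()
    acl = re.escape(bound.group(1))
    pat = rf"^access-list {acl} extended permit tcp any host (\S+) eq (\S+)$"
    return {(ip, PORTS.get(p, p)) for ip, p in re.findall(pat, config, re.M)}


def audit(config):
    findings, seen, allowed = [], {}, permitted(config)
    for ip, port, real in parse_statics(config):
        first = seen.setdefault((ip, port), real)
        if first != real:   # same public IP:port cannot reach two different servers
            findings.append(f"conflict: {ip}:{port} maps to both {first} and {real}")
        if not any(a == ip and port in (None, p) for a, p in allowed):
            findings.append(f"no inbound permit: {ip}" + (f":{port}" if port else ""))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for the duplicated `203.0.113.3:80` mapping and one for the static on `203.0.113.4` that has no ACL entry.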

