Binding multiple Internet IP addresses to a single physical interface on ASA

Unanswered Question
Jun 23rd, 2008

Our ISP gave us a range of real internet ip address (10.1.1.1 to 10.1.1.15 for example).

We have domain names registered to some of the ip addresses (ie www.webserver1.com -> 10.1.1.1, www.webserver2.com -> 10.1.1.2, etc).

My outside interface on the ASA 5510 is already assigned 10.1.1.1. How do I assign .2 to it?

ip address 10.1.1.2 255.255.255.0 secondary doesn't seem to work on the ASA.

Jon Marshall Mon, 06/23/2008 - 10:46

If I understand correctly, you have some servers that you are presenting with public IP addresses to the Internet? If these servers have private addresses then you don't need to assign the additional addresses to the outside interface. An example:

web server = 192.168.5.2

Public IP address used for web server 10.1.1.2

Your web server is on a DMZ on the ASA and the DMZ interface is called DMZ.

static (DMZ,outside) 10.1.1.2 192.168.5.2 netmask 255.255.255.255

The above statement tells the ASA that any traffic received on the outside interface for 10.1.1.2 should be changed to 192.168.5.2 and sent out the inside interface.

Hope this makes sense and answers your question.

Jon

support.edm Mon, 06/23/2008 - 11:09

Actually this is the scenario:

We have an ISA 2004 firewall right now that has multiple Internet IP addresses bound to the outside NIC, i.e. 10.1.1.1, 10.1.1.2, 10.1.1.3, etc.

We want to eventually replace the ISA 2004 with the ASA 5510. So what I want to do is, in addition to the existing 10.1.1.1, I want to bind .2, .3, etc. to the same outside interface.

Our domain names point to different Internet IP addresses.

i.e. www.webserver1.com points to .1

www.webserver2.com points to .3

and so on...

Marwan ALshawi Mon, 06/23/2008 - 19:49

I think you only need to make the static NAT as mentioned above.

You don't need to give a secondary IP to the ASA.

Just give your webserver1 a private address such as (20.1.1.1) and your public address 10.1.1.1,

webserver2 10.1.1.2 (20.1.1.2), and they are on your inside.

static (inside,outside) tcp 10.1.1.1 http 20.1.1.1 http netmask 255.255.255.255

This is static PAT because server1 has the same IP address as the firewall's outside interface.

Secondly, and also for all other config (which will be identical):

static (inside,outside) 10.1.1.2 20.1.1.2 netmask 255.255.255.255

And don't forget to permit the inbound connections destined to your web servers (10.1.1.1, 10.1.1.2, ... public IPs).

rate if helpful,

thank you and let me know

support.edm Wed, 06/25/2008 - 07:34

I guess I should be much clearer and specify.

As an example similar to our scenario, currently we have these DNS names registered:

www.webserver1.com -> 10.1.1.1

www.webserver2.com -> 10.1.1.1

www.webserver3.com -> 10.1.1.2

www.webserver4.com -> 10.1.1.3

On our ISA, 10.1.1.1, 10.1.1.2, and 10.1.1.3 are bound to the outside NIC. The internal NIC has 172.17.193.1.

Our webservers are 172.17.193.2 and 172.17.193.3.

On our ISA, we have the following rules:

Any request for the dns name www.webserver1.com, redirect to 172.17.193.2.

Any request for the dns name www.webserver2.com, redirect to 172.17.193.2.

Any request for the dns name www.webserver3.com, redirect to 172.17.193.3.

Any request for the dns name www.webserver4.com, redirect to 172.17.193.3.

Are the above possible to be duplicated on the ASA 5510?

ryanparr9 Wed, 06/25/2008 - 14:07

We have a similar setup with our 5510 and it is easily done. You don't actually bind the address to the outside interface. You simply create your static nat from the outside (web address) to the inside (server address) or vice versa and create the acl specifying the type of traffic (http/https) allowed to hit your webservers.

support.edm Thu, 06/26/2008 - 06:10

Registered: www.webserver1.com -> 10.1.1.1

Registered: www.webserver2.com -> 10.1.1.1

Any request for the DNS name www.webserver1.com, redirect to 172.17.193.2.

Any request for the DNS name www.webserver2.com, redirect to 172.17.193.3.

You mean do the below?

static (inside,outside) tcp 10.1.1.1 80 172.17.193.2 80 netmask 255.255.255.255

static (inside,outside) tcp 10.1.1.1 80 172.17.193.3 80 netmask 255.255.255.255

I don't see how the ASA would be able to distinguish what goes where if it's based on the IP address 10.1.1.1. The only way the proper redirection will work is if the ASA looks at the domain name request? But I can't seem to find the option to use a DNS name instead of an IP address.

Marwan ALshawi Thu, 06/26/2008 - 06:23

Try this and let me know.

Let's say your DNS server is on the inside network with IP 172.17.193.10 and your domain name is servers.local.

Do the following commands:

dns domain-lookup inside

dns name-server 172.17.193.10

(optional)

domain-name servers.local

And keep your NAT config, and don't forget to make the proper ACLs on your outside interface and maybe inside too (such as port 53 for DNS, www...).

The following info is from Cisco Press:

If you are running ASA 7.2(1) or later, the firewall can use DNS to resolve the IP address in a URL.

Make sure you use the following commands to configure DNS resolution on a specific firewall interface, the firewall's default domain name, and one or more DNS addresses:

Firewall(config)# dns domain-lookup if_name

Firewall(config)# dns server-group name

Firewall(config-dns-server-group)# domain-name name

Firewall(config-dns-server-group)# name-server ip_addr [ip_addr2] [...] [ip_addr6]

Firewall(config-dns-server-group)# retries number

Firewall(config-dns-server-group)# timeout seconds

Firewall(config-dns-server-group)# exit

Good luck.

Rate if helpful.

ryanparr9 Thu, 06/26/2008 - 08:14

Yes, support.edm you are right, I don't think it would be able to distinguish where to send traffic with both domain names pointing to the same IP and different back end servers. I was confused by the different IP's in your posts.

You can try marwanshawi's suggestions but I am not familiar with that.

We have always broken our websites out to different public IP's using the static statements and the proper ACL. It makes for a simpler config if you have the address space.
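As an added example (it is not configuration posted by anyone in this thread), here is an ASA configuration that implements what ryanparr9 describes and what Marwan's static statements outline: each additional public address from the ISP block is mapped to an inside server with a static translation, the address that is also the outside interface IP is shared through a port-level static PAT, and an inbound ACL permits only HTTP to the published hosts. The interface names (outside holding 10.1.1.1, inside holding 172.17.193.1), the 10.1.1.x public block and the 172.17.193.x servers come from the thread; the ACL name, the object names and the 203.0.113.5 client address used in the packet-tracer check are assumptions. The point the thread arrives at holds regardless of syntax: the ASA translates on IP address and TCP/UDP port only and never reads the HTTP Host header, so two hostnames that resolve to the same public IP and port can only be delivered to one inside host, and splitting them by name has to happen on that host (a reverse proxy or name-based virtual hosting). The dns domain-lookup and name-server commands quoted above configure the ASA's own resolver and do not change that. The first half uses the pre-8.3 syntax current when this thread was written; the second half shows the same mappings in the 8.3-and-later object NAT syntax, where the inbound ACL references the real (inside) addresses instead of the mapped ones.

```cisco
! ===== ASA 8.2 and earlier (syntax used in this thread) =====
! Assumed: "outside" is 10.1.1.1, "inside" is 172.17.193.1, ACL name OUTSIDE_IN.

! 10.1.1.1 is the outside interface address, so only a port can be published
! from it: TCP/80 on the interface IP -> 172.17.193.2:80 (static PAT).
! www.webserver1.com and www.webserver2.com both resolve to 10.1.1.1, so both
! arrive at 172.17.193.2; the ASA cannot split them by hostname.
static (inside,outside) tcp interface 80 172.17.193.2 80 netmask 255.255.255.255

! 10.1.1.2 is a spare address from the ISP block; it is NOT configured on the
! interface, the static translation alone makes the ASA answer for it.
! One-to-one static NAT, all ports, to the second web server.
static (inside,outside) 10.1.1.2 172.17.193.3 netmask 255.255.255.255

! Inbound ACL. Pre-8.3 ACLs match the MAPPED (public) addresses, so only
! TCP/80 to the two published addresses is allowed in; the one-to-one static
! for 10.1.1.2 exposes nothing else because the ACL stops it.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.2 eq 80
access-group OUTSIDE_IN in interface outside

! ===== ASA 8.3 and later (object NAT), same two mappings =====
object network WEB1_HTTP
 host 172.17.193.2
 nat (inside,outside) static interface service tcp 80 80
object network WEB2_SERVER
 host 172.17.193.3
 nat (inside,outside) static 10.1.1.2

! 8.3+ inbound ACLs match the REAL (inside) addresses, not the public ones.
access-list OUTSIDE_IN extended permit tcp any host 172.17.193.2 eq 80
access-list OUTSIDE_IN extended permit tcp any host 172.17.193.3 eq 80
access-group OUTSIDE_IN in interface outside

! ===== Check (either version): trace a simulated inbound HTTP connection =====
! 203.0.113.5 is a constructed client address. The output should show the
! NAT phase translating 10.1.1.2:80 to 172.17.193.3:80 and the final result ALLOW.
! packet-tracer input outside tcp 203.0.113.5 40000 10.1.1.2 80
! packet-tracer input outside tcp 203.0.113.5 40001 10.1.1.1 80
```

Run the two packet-tracer lines from enable mode after applying the configuration; a DROP in the ACCESS-LIST phase means the ACL references the wrong address family for the release (public addresses before 8.3, inside addresses from 8.3 on). If www.webserver1.com and www.webserver2.com really must go to different inside hosts, either give each its own public address as above or point 10.1.1.1:80 at a single reverse proxy that dispatches on the Host header.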
