06-23-2008 10:21 AM - edited 02-21-2020 02:53 AM
Our ISP gave us a range of real internet IP addresses (10.1.1.1 to 10.1.1.15 for example).
We have domain names registered to some of the ip addresses (ie www.webserver1.com -> 10.1.1.1, www.webserver2.com -> 10.1.1.2, etc).
My outside interface on the asa 5510 is already assigned 10.1.1.1. How do I assign .2 to it?
ip address 10.1.1.2 255.255.255.0 secondary doesn't seem to work for asa.
06-23-2008 10:46 AM
If I understand correctly you have some servers that you are presenting with public IP addresses to the Internet? If these servers have private addresses then you don't need to assign the additional addresses to the outside interface. An example:
web server = 192.168.5.2
Public IP address used for web server 10.1.1.2
Your web server is on a dmz on the ASA and the dmz interface is called DMZ.
static (DMZ,outside) 10.1.1.2 192.168.5.2 netmask 255.255.255.255
The above statement tells the ASA that any traffic received on the outside interface for 10.1.1.2 should be changed to 192.168.5.2 and sent out the inside interface.
Hope this makes sense and answers your question.
Jon
06-23-2008 11:09 AM
Actually this is the scenario:
We have an ISA 2004 FW right now that have multiple internet ip addresses bound to the outside NIC. ie, 10.1.1.1, 10.1.1.2, 10.1.1.3, etc.
We want to eventually replace the ISA 2004 with the ASA 5510. So what I want to do is, in addition to the existing 10.1.1.1, I want to bind .2, .3, etc. to the same outside interface.
Our domain names point to diff internet ip addresses.
ie, www.webserver1.com points to .1
www.webserver2.com points to .3
and so on...
06-23-2008 07:49 PM
I think you only need to make static NAT as mentioned above.
You don't need to give a secondary IP to the ASA.
Just give your web server1 a private address such as (20.1.1.1) and your public address 10.1.1.1,
webserver2 10.1.1.2 (20.1.1.2), and they are in your inside.
static (inside,outside) tcp 10.1.1.1 http 20.1.1.1 http netmask 255.255.255.255
This is static PAT because server1 has the same IP address as the firewall outside interface.
Secondly, and also for all other config (will be identical):
static (inside,outside) 10.1.1.2 20.1.1.2 netmask 255.255.255.255
And don't forget to permit the inbound connections destined to your webservers (10.1.1.1, 10.1.1.2, .. public IPs).
rate if helpful,
thank you and let me know
06-25-2008 07:34 AM
I guess I should be much clearer and specify.
As an example similar to our scenario, currently we have these dns names registered:
www.webserver1.com -=> 10.1.1.1
www.webserver2.com -=> 10.1.1.1
www.webserver3.com -=> 10.1.1.2
www.webserver4.com -=> 10.1.1.3
On our ISA, 10.1.1.1, 10.1.1.2, and 10.1.1.3 are bound to the outside NIC. The internal NIC has 172.17.193.1.
Our webservers are 172.17.193.2 and 172.17.193.3.
On our ISA, we have the following rules:
Any request for the dns name www.webserver1.com, redirect to 172.17.193.2.
Any request for the dns name www.webserver2.com, redirect to 172.17.193.2.
Any request for the dns name www.webserver3.com, redirect to 172.17.193.3.
Any request for the dns name www.webserver4.com, redirect to 172.17.193.3.
Are the above possible to be duplicated on the ASA 5510?
06-25-2008 02:07 PM
We have a similar setup with our 5510 and it is easily done. You don't actually bind the address to the outside interface. You simply create your static nat from the outside (web address) to the inside (server address) or vice versa and create the acl specifying the type of traffic (http/https) allowed to hit your webservers.
06-26-2008 06:10 AM
Registered: www.webserver1.com -=> 10.1.1.1
Registered: www.webserver2.com -=> 10.1.1.1
Any request for the dns name www.webserver1.com, redirect to 172.17.193.2.
Any request for the dns name www.webserver2.com, redirect to 172.17.193.3.
You mean do the below???
Static (inside,outside) tcp 10.1.1.1 80 172.17.193.2 80 netmask 255.255.255.255
Static (inside,outside) tcp 10.1.1.1 80 172.17.193.3 80 netmask 255.255.255.255
I don't see how the ASA would be able to distinguish what goes where if it's based on the IP address of 10.1.1.1. The only way the proper redirection will work is if the ASA looks at the domain name request...??? But I can't seem to find the option to use a DNS name instead of an IP address??
06-26-2008 06:23 AM
Try this and let me know.
Let's say your DNS server is on the inside network with IP 172.17.193.10 and your domain name is servers.local.
Do the following commands:
dns domain-lookup inside
dns name-server 172.17.193.10
(optional)
domain-name servers.local
And keep your NAT config, and don't forget to make the proper ACLs on your outside interface and maybe inside too (such as port 53 for DNS, www...).
The following info is from Cisco Press:
If you are running ASA 7.2(1) or later, the firewall can
use DNS to resolve the IP address in a URL.
Make sure you use the following commands to configure DNS resolution on a specific
firewall interface, the firewall's default domain name, and one or more DNS addresses:
Firewall(config)# dns domain-lookup if_name
Firewall(config)# dns server-group name
Firewall(config-dns-server-group)# domain-name name
Firewall(config-dns-server-group)# name-server ip_addr [ip_addr2] [...] [ip_addr6]
Firewall(config-dns-server-group)# retries number
Firewall(config-dns-server-group)# timeout seconds
Firewall(config-dns-server-group)# exit
Good luck.
Rate if helpful.
06-26-2008 08:14 AM
Yes, support.edm you are right, I don't think it would be able to distinguish where to send traffic with both domain names pointing to the same IP and different back end servers. I was confused by the different IP's in your posts.
You can try marwanshawi's suggestions but I am not familiar with that.
We have always broken our websites out to different public IP's using the static statements and the proper ACL. It makes for a simpler config if you have the address space.
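The pattern the replies describe (static NAT per public address plus an inbound ACL, with no secondary address on the outside interface), written out for the webserver1/2/3 mapping from the 06-25-2008 post, as an added example that is not part of the original thread. It uses the pre-8.3 static/access-list syntax the posters are using; the interface name Ethernet0/0, the ACL name outside_in and the decision to permit only TCP/80 are assumptions, and the 255.255.255.0 mask is the one from the first post.

```cisco
! Only 10.1.1.1 is configured on the outside interface. 10.1.1.2 is never added
! as a secondary address: the static below makes the ASA proxy-ARP for it and
! translate it. (Interface name and mask are assumptions for this example.)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0

! www.webserver1.com and www.webserver2.com both resolve to 10.1.1.1, the
! interface address itself, so only a port-level translation (static PAT) is
! possible: TCP/80 arriving at 10.1.1.1 is sent to 172.17.193.2. Both names land
! on that one server; the ASA translates on address and port, not on the HTTP
! Host header, so it cannot split the two names between different servers.
static (inside,outside) tcp 10.1.1.1 www 172.17.193.2 www netmask 255.255.255.255

! www.webserver3.com resolves to the spare public address 10.1.1.2, so a plain
! one-to-one static maps it to 172.17.193.3.
static (inside,outside) 10.1.1.2 172.17.193.3 netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3 ACLs reference the mapped
! (public) address, not the real one. Only HTTP is permitted; everything else
! falls to the implicit deny at the end of the list.
access-list outside_in extended permit tcp any host 10.1.1.1 eq www
access-list outside_in extended permit tcp any host 10.1.1.2 eq www
access-group outside_in in interface outside
```

Each additional public address follows the 10.1.1.2 line: one static and one ACL entry per address, which is why the last reply notes that the config stays simple as long as the address space is there. Keeping the ACL to the ports the web servers actually serve is what limits exposure of the real hosts behind the translations.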