Multiple public IP Addresses on ASA 5505?

Unanswered Question
Sep 9th, 2011


Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2). If so, how?

Thanks in advance for your help with my request.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
varrao Fri, 09/09/2011 - 13:55

Hi Douglas,

i am not really sure about your question, are you talking about assigning multiple ip's to the outside interface of the ASA, if that is the case, then on the ASA interface you can assign only one public ip, not multiple.



Douglas Sensenig Sun, 09/11/2011 - 17:17

Hi Varun,

Yes, that is what I am talking about. I want to use my Cisco ASA to put a several servers behind the firewall in a DMZ. The outside interface of my Cisco ASA is a public IP address and I want to put several servers which have have public IP addresses in the DMZ behind out firewall. Is this possible?


cmadiam82 Sun, 09/11/2011 - 18:37

Hi Douglas,

What I know is you cannot assign multiple ip addresses on your asa outside interface or even on you inside and dmz interfaces unless you will be using VLAN but this will result on different network.

If you want to put or publish your server, first you must do is check if your ISP give you a block of IP Add (/28 /29) and you can use this IP Add to map to your dmz servers. Actually, you can use a single ip add to map it to your dmz servers using port mapping.



varrao Sun, 09/11/2011 - 21:01

Hi Doug,

Yes, if you want to publish several servers behind the firewall, then it is very much possible to nat them on the ASA, lets say you have a block of public ip's from the ISP, then:

static (dmz,outside)

static (dmz,outside)

static (dmz,outside)

static (dmz,outside)

This is how you do it.

Let me know if you have anymore confusion.



Douglas Sensenig Mon, 09/12/2011 - 03:22

Good Morning,

Then they would lose their public IP Addresses would they not? If one wanted to keep their public IP addresses in the DMZ is that possible? Is this a limitation of the 5505? And yes the veil of ignorance is slowly being removed and the confusion is subsiding.

Years ago, when using a Netscreen 204, I believe we were able to have 64 IP addresses bound to the outside interface. Then again, maybe it was a routing issue where the ISP's router routing table pointed all of our IP Address to the outside interface of our firewall.

My company is using a 6509 which sits between the ISP's routers and the rest of our networks. Does that matter or change anything?

All the best!


varrao Mon, 09/12/2011 - 03:39

Ohhhhhh....I guess I get it, correct me if I am wrong, you want to directly assign public ip on the dmz servers itself, rather than natting the public ip to the private ip on the server, well yes, it is very much possible, but there are two conditions:

1. The public ip range for the dmz server should be totally different subnet than the one that is used for the outside interface.

2. The ISP should route the second subnet of public ip's as well to be routed to your firewall.

So if you're outside interface IP is

dmz sgould be a different public ip range

This is because you can not assign to public ip's of same range on the two interfaces on ASA.

and then lets say you assign a static ip on a server in dmz as

so the config on firewall woudl be

static (dmz,outside)

and it woudl definitely work for you.

Hope this helps



Douglas Sensenig Sat, 09/17/2011 - 03:00


Thank you for taking you time to answer my questions. I ended up natting a public IP address.


varrao Sat, 09/17/2011 - 03:03

Hey thanks for getting back to me....glad to you overcame the issue


FlorianCokl Sun, 06/23/2013 - 05:34

Hello Douglas,

you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.

The rest is icing on a cake, and you achive this with the help of NAT.

Lets say you're provided a network with a mask of, then nets, or subnets, jump on the number 8.

  • 1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
  • 2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
  • 3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 adresses
  • and so forth

Lets take the 3rd example here, and configure the outside interface with a mask of and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.

  • If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create a object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
  • If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create a object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).

That all works through 1 cable, 1 interface assigned with the right MASK

Hope that clears the skys?

Pls, rate right answers!

Douglas Sensenig Tue, 06/25/2013 - 14:52

I appreciated you taking the time to answer my question.



Login or Register to take actions

This Discussion

Posted September 9, 2011 at 1:11 PM
Replies:10 Overall Rating:5
Views:23401 Votes:0

Related Content


Discussions Leaderboard

Rank Username Points
Jouni Forss
Julio Carvajal
Jon Marshall
Marvin Rhoads
Marius Gunnerud
Rank Username Points
Jon Marshall
Marius Gunnerud
Andre Neethling
Karsten Iwen
Jouni Forss