varrao Fri, 09/09/2011 - 13:55

Hi Douglas,

i am not really sure about your question, are you talking about assigning multiple ip's to the outside interface of the ASA, if that is the case, then on the ASA interface you can assign only one public ip, not multiple.



Douglas Sensenig Sun, 09/11/2011 - 17:17

Hi Varun,

Yes, that is what I am talking about. I want to use my Cisco ASA to put a several servers behind the firewall in a DMZ. The outside interface of my Cisco ASA is a public IP address and I want to put several servers which have have public IP addresses in the DMZ behind out firewall. Is this possible?


cmadiam82 Sun, 09/11/2011 - 18:37

Hi Douglas,

What I know is you cannot assign multiple ip addresses on your asa outside interface or even on you inside and dmz interfaces unless you will be using VLAN but this will result on different network.

If you want to put or publish your server, first you must do is check if your ISP give you a block of IP Add (/28 /29) and you can use this IP Add to map to your dmz servers. Actually, you can use a single ip add to map it to your dmz servers using port mapping.



gfortune007 Fri, 10/09/2015 - 11:13


i want to configure two server on Asa 5505 with a different IP public.

i got a range of IP address, and i configure the two server. i'm using the asdm launcher.

exp:  to ip public  to ip public


want to make the NAT


who can help me,


FlorianCokl Wed, 10/14/2015 - 06:59


I would recommend the following:

  • create objects for servers and public WAN-addresses at Configuration->Firewall->Objects->NetworkObjects/Group
  • then utilize the Public Servers menu from ASDM at Configuration->Firewall->PublicServers
  • Do you need further assistance -> email me


Please, rate helpful answers

jcruznycl8381 Fri, 02/05/2016 - 07:06

Group we are looking to do something similar.  We currently have a /29 on the public interface.  ISP gave us another /28 which we would like to use.  The issue we are having is the current IP's 207.10.X.X are mapped to the Outside interface.  We would like to use the same interface for the new block in addition.  We have created a NetObj 40.131.X.X which we will use for NAT to internal server.  How do we get the traffic from the web to hit NAT?

Regards and thanks for any direction.

varrao Sun, 09/11/2011 - 21:01

Hi Doug,

Yes, if you want to publish several servers behind the firewall, then it is very much possible to nat them on the ASA, lets say you have a block of public ip's from the ISP, then:

static (dmz,outside)

static (dmz,outside)

static (dmz,outside)

static (dmz,outside)

This is how you do it.

Let me know if you have anymore confusion.



Douglas Sensenig Mon, 09/12/2011 - 03:22

Good Morning,

Then they would lose their public IP Addresses would they not? If one wanted to keep their public IP addresses in the DMZ is that possible? Is this a limitation of the 5505? And yes the veil of ignorance is slowly being removed and the confusion is subsiding.

Years ago, when using a Netscreen 204, I believe we were able to have 64 IP addresses bound to the outside interface. Then again, maybe it was a routing issue where the ISP's router routing table pointed all of our IP Address to the outside interface of our firewall.

My company is using a 6509 which sits between the ISP's routers and the rest of our networks. Does that matter or change anything?

All the best!


varrao Mon, 09/12/2011 - 03:39

Ohhhhhh....I guess I get it, correct me if I am wrong, you want to directly assign public ip on the dmz servers itself, rather than natting the public ip to the private ip on the server, well yes, it is very much possible, but there are two conditions:

1. The public ip range for the dmz server should be totally different subnet than the one that is used for the outside interface.

2. The ISP should route the second subnet of public ip's as well to be routed to your firewall.

So if you're outside interface IP is

dmz sgould be a different public ip range

This is because you can not assign to public ip's of same range on the two interfaces on ASA.

and then lets say you assign a static ip on a server in dmz as

so the config on firewall woudl be

static (dmz,outside)

and it woudl definitely work for you.

Hope this helps



Douglas Sensenig Sat, 09/17/2011 - 03:00


Thank you for taking you time to answer my questions. I ended up natting a public IP address.


varrao Sat, 09/17/2011 - 03:03

Hey thanks for getting back to me....glad to you overcame the issue


Rafael Hengky Tue, 01/05/2016 - 19:26

Hi Varun,

Hope this post could reach you since this thread is 4 years old. So I have 2 public IP segments from my ISP. And I have used all IPs from the first segment and want to utilize the second one. How can I achieved this since ASA can't assign 2 IPs on same interface (outside)?  I have tried adding NAT rules using the second IP segment but it doesn't work (my DMZ servers can't be reached from outside).

Please help me out on this.



FlorianCokl Sun, 06/23/2013 - 05:34

Hello Douglas,

you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.

The rest is icing on a cake, and you achive this with the help of NAT.

Lets say you're provided a network with a mask of, then nets, or subnets, jump on the number 8.

  • 1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
  • 2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
  • 3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 adresses
  • and so forth

Lets take the 3rd example here, and configure the outside interface with a mask of and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.

  • If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create a object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
  • If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create a object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).

That all works through 1 cable, 1 interface assigned with the right MASK

Hope that clears the skys?

Pls, rate right answers!

FlorianCokl Wed, 10/14/2015 - 07:01

Hi Douglas,

do you still need help with ASA, NAT, ACL, reachability from outside?



This Discussion

Related Content