Adding another Public IP to ASA5505

jaykelly1
Level 1

Hello Guys,

It's been a while since I played around with a Cisco CLI and I can't remember the proper syntax to add another public IP to my Cisco ASA5505. I was given a block of public IPs, 108.32.83.96 - 102. I'm using .97 for the outside interface and would like to use .98 for a web server behind the firewall.


So I've been trying the following, but it has not worked:


1) created Network Object "WebServer"
2) Added Host 192.168.1.9
3) Added Nat (inside,Outside) static 108.32.83.98 service tcp 80 80
4) access-list OutsideWebServer permit tcp any host 192.168.1.9 eq www
5) access-group OutsideWebserver in interface outside


The above only works when I change the address 108.32.83.98 to "interface", which then uses the outside interface address. Any help will be appreciated.


Thanks

Jay



johnlloyd_13
Level 9

Hi Jay,

Could you try:

object network WebServer
host 192.168.1.9
object network WebServer-Public
host 108.32.83.98
nat (inside,Outside) static WebServer service tcp 80 80

Sent from Cisco Technical Support iPhone App

Ok, check the ARP table on the ASA to confirm that nobody is using that address and check the interface netmask on the outside to confirm that the ASA will ARP for that address.

show run interface would be great.

Value our effort and rate the assistance!

jaykelly1
Level 1

I've tried the above suggestion; however, still no luck. Below is my running config. Please take a look and let me know if I missed something.

ciscoasa# sh ru
: Saved
:
ASA Version 8.4(4)1
!
hostname ciscoasa
domain-name CommandServer.local
enable password xdmK2yQnEOr75wr1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.83.32.97 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 69.94.156.1
 name-server 69.94.157.1
 domain-name CommandServer.local
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object service TheDude
 service tcp source eq 8080 destination eq 8080
object service Spotify
 service tcp source eq 4070 destination eq 4070
 description Musci Serivce
object service Http
 service tcp source eq www destination eq www
object service Https
 service tcp source eq https destination eq https
object network WebServer
 host 192.168.1.9
object network WebServer-Public
 host 108.83.32.98
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_ssl standard permit 192.168.1.0 255.255.255.0
access-list WebServer extended permit tcp any host 192.168.1.9 eq www
pager lines 24
logging enable
logging asdm informational
logging from-address jay.kelly@8wire.net
logging recipient-address jay.kelly@8wire.net level alerts
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool SSL_Pool2 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any-01
 nat (guest,outside) dynamic interface
object network WebServer-Public
 nat (inside,outside) static WebServer service tcp www www
access-group WebServer in interface outside
route outside 0.0.0.0 0.0.0.0 108.83.32.102 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
snmp-server host inside 192.168.1.102 community *****
snmp-server location Closet
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 69.94.156.1 69.94.157.1
dhcpd auto_config outside
!
dhcpd address 192.168.1.31-192.168.1.99 inside
dhcpd dns 192.168.1.100 4.2.2.2 interface inside
dhcpd domain CommandServer.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.10-192.168.10.60 guest
dhcpd dns 4.2.2.2 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 50.22.155.163 source outside prefer
tftp-server inside 192.168.1.102 Cisco
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 vpn-tunnel-protocol ssl-client
group-policy SSL_NEWGRP internal
group-policy SSL_NEWGRP attributes
 wins-server none
 dns-server value 69.94.156.1 69.94.157.1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_ssl
 default-domain value CommandServer.local
username ******* password GL/xoXmNE9qoDE4g encrypted privilege 0
username ******* attributes
 vpn-group-policy SSL_NEWGRP
username ****** password JG.e5Lb3X211dItD encrypted privilege 15
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSL_Pool2
 default-group-policy SSL_Policy
tunnel-group SSL_OUTSIDE type remote-access
tunnel-group SSL_OUTSIDE general-attributes
 address-pool SSL_Pool2
 default-group-policy SSL_NEWGRP
tunnel-group SSL_OUTSIDE webvpn-attributes
 group-alias VPNUSERS enable
 group-url https://108.83.32.97/VPNUSERS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous prompt 2
call-home
 contact-email-addr
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:f7ae056e448504665a843604cf30e538
: end

Hello Jay,

This configuration works when you use the IP address on the outside interface because, as soon as you do that, the ASA will generate a gratuitous ARP message that will update the ARP table of the other devices.

My recommendation would be the following:

object network WebServer
 host 192.168.1.9
object network WebServer-Public
 host 108.32.83.98
object service HTTP
 service tcp source eq 80
exit
nat (inside,outside) 1 source static WebServer WebServer-Public service HTTP HTTP

Afterwards, try to connect; if it does not work, then I would assume there is a problem with the L2 network cache of the device upstream.

I would go to the modem or whatever device and clear the ARP table or write a static ARP entry for the IP address of 108.32.83.98 pointing to the ASA outside intf MAC address.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This is the configuration that you have:

object network WebServer
 host 192.168.1.9
object network WebServer-Public
 host 108.32.83.98
object network WebServer-Public
 nat (inside,outside) static WebServer service tcp www www

Your NAT is incorrect:

object network WebServer
 nat (inside,outside) static WebServer-Public service tcp www www

That is the correct configuration.

Value our effort and rate the assistance!
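An added check, not part of this thread, that automates the two things the replies above tell Jay to verify: the nat line must hang off the real (inside) object, and the mapped address must fall inside the outside interface subnet so the ASA proxy-ARPs for it. The interface addresses are taken from Jay's show run; the two object-NAT fragments are constructed, one mirroring the broken config and one the accepted fix.

```python
import ipaddress
import re
# Interface addressing taken from Jay's show run (inside Vlan1, outside Vlan2).
IFACES = {"inside": ipaddress.ip_interface("192.168.1.1/255.255.255.0"),
          "outside": ipaddress.ip_interface("108.83.32.97/255.255.255.248")}
# Constructed sample mirroring the thread: nat attached to the mapped (public) object.
BROKEN_CFG = """\
object network WebServer
 host 192.168.1.9
object network WebServer-Public
 host 108.83.32.98
 nat (inside,outside) static WebServer service tcp www www
"""
# The accepted fix: nat under the real object, referencing the mapped object by name.
FIXED_CFG = """\
object network WebServer
 host 192.168.1.9
 nat (inside,outside) static WebServer-Public service tcp www www
object network WebServer-Public
 host 108.83.32.98
"""
def parse_objects(cfg):
    """Map object name -> {host, nat} from the object network blocks of a show run."""
    objects, cur = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if not line.startswith(" "):                       # top-level command
            is_obj = line.startswith("object network ")
            cur = objects.setdefault(w[2], {"host": None, "nat": None}) if is_obj else None
        elif cur is not None and w and w[0] == "host":
            cur["host"] = ipaddress.ip_address(w[1])
        elif cur is not None and w and w[0] == "nat":      # only static object NAT is parsed
            m = re.match(r"nat \((\w+),(\w+)\) static (\S+)", line.strip())
            if m:
                cur["nat"] = m.groups()                    # (real_if, mapped_if, mapped object)
    return objects
def lint_object_nat(cfg, ifaces=IFACES):
    """Flag static object NAT whose real/mapped host is on the wrong side (assumes directly connected hosts)."""
    findings, objects = [], parse_objects(cfg)
    for name, obj in objects.items():
        if obj["nat"] is None:
            continue
        real_if, mapped_if, mapped_name = obj["nat"]
        if obj["host"] is not None and obj["host"] not in ifaces[real_if].network:
            findings.append(f"{name}: nat must sit under the real object, but {obj['host']} is not on {real_if}")
        mapped = objects.get(mapped_name, {}).get("host")
        if mapped is not None and mapped not in ifaces[mapped_if].network:
            findings.append(f"{mapped_name}: {mapped} is outside {ifaces[mapped_if].network}; the ASA will not proxy-ARP for it")
    return findings
```

Hosts reached through a routed subnet behind an interface would need the routing table rather than the connected-subnet test used here.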

That was it, it's working great now.

Thanks for your help!

Jay

Glad to hear that we were able to make it happen,

Please now mark the question as answered

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC