ASA 5515-X multiple external IPs on one outside interface....

I have a /29 network provided by my ISP and I also have an internal /24 network. Outbound internet works OK. I would like to be able to receive inbound traffic (HTTPS) on X.X.X.211 on my main Outside interface (which has an IP address of X.X.X.210). I'm looking for secondary-IP-type functionality. I understand the ASA is not a router, but certainly there must be a way to allow for inbound traffic on more than one external IP without having to use multiple 'outside' interfaces.

external network: X.X.X.208 /29
internal network: 192.168.2.0 /24
ISP endpoint: X.X.X.209
my ASA endpoint: X.X.X.210
inbound https: X.X.X.211 (not working)

: Saved
:
ASA Version 9.1(1)
!
hostname SSIASA1
domain-name X
enable password 8b/6zhsslX6MGlCt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.2.200 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address X.X.X.210 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.2.2
 name-server 192.168.2.52
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TMG
 host 192.168.2.1
object network Public_IP_1
 host X.X.X.211
 description Cogent IP Block
object network Public_IP_2
 host X.X.X.212
 description Cogent IP Block
object network Public_IP_3
 host X.X.X.213
 description Cogent IP Block
object network Public_IP_4
 host X.X.X.214
 description Cogent IP Block
object network Internal_Network
 subnet 192.168.2.0 255.255.255.0
object network SRVNJ04
 host 192.168.2.4
object network WSNJ22
 host 192.168.2.98
object network SSINGINX1
 host 192.168.2.7
 description NGINX1
object network Cogent_Outside
 host X.X.X.209
 description Cogent outside interface
object network Cogent_Inside
 host X.X.X.210
object service https
 service tcp source eq https destination eq https
 description https
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object source-quench
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object udp destination eq tftp
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
 network-object X.X.X.208 255.255.255.248
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_4
 service-object ip
 service-object udp
 service-object tcp
 service-object tcp destination eq www
access-list Inside_access_in remark allow specific traffic to Inside network
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Inside_access_in remark allow ICMP to Inside network
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Inside_access_in remark allow TFTP to SRVNJ04 (for CISCO ASA config backups) from Internal
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Internal_Network object SRVNJ04
access-list Inside_access_in remark allow https traffic to NGINX from inside/outside
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SSINGINX1 eq https
access-list Outside_access_in remark allow specific traffic from Cogent to Outside network
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Cogent_Outside X.X.X.208 255.255.255.248
access-list Outside_access_in remark allow specific traffic from Inside to Outside
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 192.168.2.0 255.255.255.0 X.X.X.208 255.255.255.248
access-list Outside_access_in remark allow ICMP from inside to external IPs
access-list Outside_access_in extended permit icmp 192.168.2.0 255.255.255.0 X.X.X.208 255.255.255.248 object-group DM_INLINE_ICMP_2
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit any Inside
icmp deny any echo-reply Outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any Public_IP_2 description internet access
nat (Outside,Inside) source static any interface destination static Public_IP_1 SSINGINX1 service https https net-to-net description https inbound
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.10.0 255.255.255.0 management
http 192.168.2.98 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.2.98 255.255.255.255 Inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username X password 9tQ.Tz4SMB4I.AdH encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp error
 class class-default
  set connection decrement-ttl
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7908a72c2aa2c00f0fb4686913351dca
: end

1 REPLY

Hi,

All the other IP addresses from the public subnet will be handled through NAT and Proxy ARP so that the ISP GW can forward traffic towards your firewall.

Your current NAT configuration for the internal server is incorrect. Also, it doesn't need to be Static PAT (Port Forward): as you have free public IP addresses, you could configure Static NAT.

object network SERVER
host
nat (Inside,Outside) static

access-list Outside_access_in extended permit tcp any object SERVER eq https

The above, filled with the correct IP addresses, should make it work for you.

I would also change the Dynamic PAT configuration you have, since it's at very high priority. This might naturally cause a small outage on the outbound connections as you change the NAT.

nat (Inside,Outside) after-auto source dynamic any Public_IP_2
no nat (Inside,Outside) source dynamic any Public_IP_2 description internet access

You could also remove the current NAT configuration for the server, since it won't work.

no nat (Outside,Inside) source static any interface destination static Public_IP_1 SSINGINX1 service https https net-to-net description https inbound

Hope this helps

- Jouni

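A small checker for the two NAT problems the reply points out, added here as an example and not part of the original thread or any Cisco tool. It parses `nat` lines, assigns each to the ASA NAT section it lands in (Section 1 manual NAT, Section 2 object NAT, Section 3 `after-auto` manual NAT) and flags the shapes the reply calls out. The corrected excerpt is constructed to follow the reply's template; 203.0.113.211 stands in for the poster's X.X.X.211 and the object name SERVER is the reply's placeholder.

```python
import re

# Constructed excerpt: the two NAT lines from the poster's running config.
ORIGINAL_NAT = """
nat (Inside,Outside) source dynamic any Public_IP_2 description internet access
nat (Outside,Inside) source static any interface destination static Public_IP_1 SSINGINX1 service https https net-to-net description https inbound
"""

# Constructed excerpt in the reply's recommended shape (values assumed, see lead-in).
CORRECTED_NAT = """
object network SERVER
 host 192.168.2.7
 nat (Inside,Outside) static 203.0.113.211
nat (Inside,Outside) after-auto source dynamic any Public_IP_2
"""

NAT_RE = re.compile(r"^\s*nat \((?P<src>[^,]+),(?P<dst>[^)]+)\)\s+(?P<rest>.*)$")


def parse_nat(config):
    """Return one dict per nat line: interface pair, NAT section (1/2/3) and tokens."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        if tokens[0] == "after-auto":
            section, tokens = 3, tokens[1:]   # manual NAT evaluated after object NAT
        elif tokens[0] == "source":
            section = 1                       # manual (twice) NAT, evaluated first
        else:
            section = 2                       # object (auto) NAT under "object network"
        rules.append({"src": m.group("src"), "dst": m.group("dst"),
                      "section": section, "tokens": tokens})
    return rules


def lint_nat(config):
    """Flag the two shapes the reply identifies as wrong in the poster's config."""
    findings = []
    for r in parse_nat(config):
        t = r["tokens"]
        # A Section 1 dynamic rule for "any" is matched before every object NAT rule,
        # so a server published with object NAT would still be PATed on its own outbound.
        if r["section"] == 1 and t[:3] == ["source", "dynamic", "any"]:
            findings.append("Section 1 dynamic PAT for 'any': move it to after-auto")
        # Inbound twice-NAT rewriting every outside source to the Inside interface IP
        # is not a server publish; the reply's fix is a static object NAT on the server.
        if (r["src"], r["dst"]) == ("Outside", "Inside") and t[:4] == ["source", "static", "any", "interface"]:
            findings.append("(Outside,Inside) 'source static any interface': replace with object NAT static")
    return findings
```

Run `lint_nat` over the saved config text to get the findings; it returns an empty list for the corrected excerpt.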