2482 Views, 5 Helpful, 10 Replies

ASA 8.4 - How to setup additional Public IP's on outside interface?

david
Level 1

Hi All, I'm having some trouble getting my additional IP addresses working on my ASA 5510. I have a /29 allocation, and outbound access and inbound access to my internal www server are working fine through the default outside interface. However, I now need to set up a second IP address that maps internally to a different web server. When I set up a new network object with automatic NAT translation to the new IP address, it does not work. If I set up the same scenario using the outside interface, it works fine. Am I missing a step? What is the proper way to set up additional IP addresses on my ASA v8.4? Thanks!


10 Replies

rizwanr74
Level 7

Hi David,

Have you tried as shown below?

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.3
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.4

thanks

Hi rizwanr, my commands look a bit different. Maybe because I'm using ASDM? Anyway, after poking around some more, I have some additional findings. I have a public /29 (x.x.x.249 through .254). The default gateway is .254. I've set up my outside interface as .249, which works fine both for outbound surfing and inbound web server access. However, when I try to use .250 or .251, I cannot access the same internal web server, but if I use .252 or .253, it works!?!? Really strange why 2 of my 6 addresses will not work for static NAT. Here are the relevant commands in my config:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.249 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address x.x.1.5 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address x.x.96.5 255.255.255.0
 management-only
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network webserver1
 host x.x.1.212

access-list outside_access_in extended permit tcp any object webserver1 eq www
access-group outside_access_in in interface outside

object network obj_any
 nat (inside,outside) dynamic interface
object network webserver1
 nat (any,any) static x.x.x.250 service tcp www www

It could possibly be a routing issue with your ISP.

You can test this to see whether your ISP routes traffic to your circuit in question.

You can get a SOHO DSL router, assign it either of the IPs .250 or .251 with gateway .254, and try web browsing to see whether your ISP routes traffic to your circuit.

thanks

If you've been making changes to your NAT configuration you might also add the step of "clear xlate" in between to make sure you don't have any stale translation table entries.

Another possibility is a stale ARP cache on your ISP's upstream device. You'd have to get them to clear their ARP cache or ping the new address to straighten that out.

rizwanr, I was thinking the same thing on my way home Friday. This morning I applied each external IP to my laptop while connected to the ISP modem and I was able to ping and tracert successfully to 4.2.2.2 with all IPs, so all appears well with the IP range.

Marvin, great thought, and considering my PIX background, I should have remembered that one. However, it didn't buy me anything and a sh xlate shows the correct translation. It's really strange because only 2 of the 6 IPs are affected by this issue. I even tried allowing tcp-any as opposed to only www, but that didn't help either. I guess I can factory default the ASA and start over to see what happens....

Still no luck. I've tried everything, including resetting to factory default.

On a side note, this 5510 is brand new, so I tried to open a TAC case but was told that it is not covered. I thought that Cisco ASAs came with one year of support?

It is quite odd since you have verified the usability of the two problem addresses. You've only given us part of your configuration file - TAC would normally suspect something else in the config using those addresses.

Personally I would not use:

object network webserver1
 nat (any,any) static x.x.x.250 service tcp www www

But rather would specify the interfaces, e.g. nat (outside, inside)

Re TAC cases on devices without a support contract - last I checked most Cisco devices come with 90 day product warranty - covering hardware failures or software defects. Configuration issues, no matter how vexing, are not covered.
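As an added example (not from this thread, and not Cisco's code), here is a small Python audit that applies the points raised above to an ASA 8.4 object NAT configuration: it works out which addresses of the outside /29 are actually free for static NAT (everything except the interface's own address and the ISP gateway) and flags static rules that use nat (any,any) instead of naming the interfaces, map an address outside the outside subnet, or collide with the interface, gateway, network or broadcast address. The config is a constructed sample modelled on David's posted snippet, with the redacted x.x.x octets replaced by the documentation range 203.0.113.0/29; the gateway value and the extra webserver2/webserver3 objects are assumptions added to exercise the checks.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted in this thread. The redacted
# x.x.x public octets are replaced with the documentation range 203.0.113.0/29;
# webserver2 and webserver3 are assumed here to exercise the other checks.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.249 255.255.255.248
!
interface Ethernet0/3
 nameif inside
 ip address 192.168.1.5 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network webserver1
 host 192.168.1.212
 nat (any,any) static 203.0.113.250 service tcp www www
object network webserver2
 host 192.168.1.213
 nat (inside,outside) static 203.0.113.254 service tcp www www
object network webserver3
 host 192.168.1.214
 nat (inside,outside) static 198.51.100.7 service tcp www www
"""

# Assumed ISP gateway, .254 as in the thread.
DEFAULT_GATEWAY = ipaddress.ip_address("203.0.113.254")

IFACE_RE = re.compile(r"^interface \S+")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s*host (\S+)")
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) (static|dynamic) (\S+)")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        if IFACE_RE.match(line):
            nameif = None
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := IPADDR_RE.match(line)) and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_object_nats(config):
    """Collect object NAT rules. An object may be defined in one 'object network'
    stanza and NATed in a second one, as ASA 8.4 running-configs show it."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = objects.setdefault(m.group(1), {"name": m.group(1), "real": None, "nat": None})
        elif current is None:
            continue
        elif m := HOST_RE.match(line):
            current["real"] = m.group(1)
        elif m := NAT_RE.match(line):
            src, dst, mode, mapped = m.groups()
            current["nat"] = {"src": src, "dst": dst, "mode": mode, "mapped": mapped}
        elif line and not line.startswith(" "):
            current = None  # a top-level command ends the object stanza
    return [o for o in objects.values() if o["nat"]]


def usable_mapped_addresses(config, gateway, outside="outside"):
    """Public addresses free for static NAT: the outside subnet's hosts minus
    the interface's own address and the ISP gateway."""
    out_if = parse_interfaces(config)[outside]
    return [a for a in out_if.network.hosts() if a not in (out_if.ip, gateway)]


def audit_static_nats(config, gateway, outside="outside"):
    """Return (object, problem) pairs for static object NAT rules."""
    out_if = parse_interfaces(config)[outside]
    net = out_if.network
    findings = []
    for obj in parse_object_nats(config):
        nat, name = obj["nat"], obj["name"]
        if nat["mode"] != "static":
            continue
        if "any" in (nat["src"], nat["dst"]):
            findings.append((name, "nat (any,any): name the real and mapped interfaces, e.g. nat (inside,outside)"))
        if nat["mapped"] == "interface":
            continue  # shares the interface address; nothing to range-check
        mapped = ipaddress.ip_address(nat["mapped"])
        if mapped not in net:
            findings.append((name, f"mapped {mapped} is outside {net}; the ISP will not route it to this circuit"))
        elif mapped == out_if.ip:
            findings.append((name, f"mapped {mapped} is the outside interface address; use 'static interface'"))
        elif mapped == gateway:
            findings.append((name, f"mapped {mapped} collides with the default gateway"))
        elif mapped in (net.network_address, net.broadcast_address):
            findings.append((name, f"mapped {mapped} is the network or broadcast address"))
    return findings


if __name__ == "__main__":
    print("usable:", [str(a) for a in usable_mapped_addresses(SAMPLE_CONFIG, DEFAULT_GATEWAY)])
    for name, problem in audit_static_nats(SAMPLE_CONFIG, DEFAULT_GATEWAY):
        print(f"{name}: {problem}")
```

Feed it the text of show running-config. For the .250 rule as David posted it, the only finding is the nat (any,any) style point, which agrees with the thread's eventual conclusion that the configuration itself was valid; the value of the audit is in catching the more common mistakes (an address from the wrong block, or one that doubles as the gateway) before time is spent on captures.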

Wanted to let you guys know that this mysteriously started working.

I was able to open a TAC case since we're a large Cisco reseller, and we spent over an hour doing captures, etc. to no avail. To prove the IPs were OK and routable, I put the test web server directly on the Internet at the .250 address and it worked fine. When I put the web server back behind the ASA, I was then able to use all external IPs successfully. The only other thing I did during this process was reboot the cable modem, but I'm 99% sure I tried that before with no luck. Anyway, it's been a good learning experience for v8.4 and all appears well now. Thanks so much for the assistance!

Hi David,

Thank you very much for sharing your experience with all.

I was wondering, then what was the source of the issue?

thanks

rizwanr, unfortunately this may be one of those issues for which we will not be able to determine a root cause. Cisco TAC confirmed that my config was correct, but he could not figure out why traffic did not appear to arrive or pass to the troubled IP addresses. He also thought it may be a problem with the cable circuit, although Comcast said everything was fine on their end and a Windows box had no trouble using and routing those same IPs. My best guess is that the cable modem reboot cleared the issue, but it doesn't explain why I could successfully route to/from the .250 and .251 addresses using a Windows box, but not with the ASA. This issue mysteriously disappeared today as I prepared for another round of troubleshooting with TAC.
