Cisco Support Community
New Member

ASA: How to connect server with an external IP address already assigned?

Any ideas how this can be done on an ASA? There was a SonicWall in place but it just died and we do not have a replacement besides this ASA. The 24.172.x.132 is a spam filter and I can't change the IP address. It needs to be able to access one server in the LAN.

[Attached image: Capture.PNG]

8 REPLIES

Hello Jason,

You could configure port forwarding for both the DMZ server and the Inside server.

What traffic do you need to route to the DMZ server?

What traffic do you need to route to the Inside server?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Note: Both 24.172.X.X addresses are on the same subnet.

I need both servers to send mail traffic back and forth.

Hello Jason,

They are on different subnets, but they get NATed to the same IP address, right? Because inside is 10.x.x.x.x and dmz is x.x.x.x

The configuration would be:

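! Port-forward: public port 2525 -> inside mail server port 25
static (inside,outside) tcp 24.172.x.x 2525 10.10.x.58 25
! Port-forward: public port 25 -> DMZ server (real port 25 added; the syntax requires it)
static (dmz,outside) tcp 24.172.x.x 25 x.x.x.x.x 25
! ACL name must match the access-group line below (no space in "outside_in")
access-list outside_in permit tcp any host 24.172.x.x eq 25
access-list outside_in permit tcp any host 24.172.x.x eq 2525
access-group outside_in in interface outside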

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Both 24.x.x.x addresses are on the same subnet. They are public IP addresses.

I have outside, inside, and dmz nameifs.

I only have an IP address assigned to the outside and inside interfaces.

Hello Jason,

I know both 24.xx.xx.xx are on the same subnet. The ASA has got to have a different IP address configured on each interface (it will separate the broadcast domain) unless you have an ASA 5505, which I think is the one you have.

OK, so if you want to accomplish this task, this is what you need to do:

To allow just inbound traffic to the servers:

- Provide a different private IP address to each server locally

- Create a port-forwarding rule for each server (NAT the local private IP address to the 24.x.x.x on the outside)

- Allow inbound access to the public IP address/port of those servers on the outside.

To allow bi-directional traffic:

- Do a static one-to-one (private IP address of the server / public)

- Allow inbound access to the public IP address.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Thanks for your help but I'm having a hard time following what you are trying to say. The IP scheme can not change and I know how to NAT private IP space for a DMZ.

I think the solution would be to put a switch connected to the modem and then connect the ASA and spam server to the switch.

Hi Jason,

Based on your diagram -

Internet is your 'Outside' interface for the ASA (IP- 24.172.x.x)

DMZ will be another interface and the IP for the interface will be something like 10.x.x.x, and all the hosts/servers on the DMZ will have IP 10.x.x.x.x with the ASA DMZ interface as gateway. In general, the servers in the DMZ will be advertised to the Internet with your public IP (24.172.x.x) using 'Static NAT' statements.

Inside is your Users segment / LAN.

So now the question is: what is the physical address assigned to the SPAM filter server? If it is 24.172.x.x, then you need to modify the diagram, as it is on the 'outside' interface of the ASA.

That being said, Julio already provided you with a solution. If you still have issues, please post the correct topology.

hth

MS

New Member

Correct solution:

Add a switch after the internet modem and connect the ASA and the spam filter to the switch. Then add an ACL to allow the spam filter's IP address to come to the inside network.
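
The ACL step of the solution above, written out as an added example (not configuration posted by anyone in this thread). It keeps the pre-8.3 static syntax used earlier in the thread and assumes 10.10.x.58 is the inside mail server, mail is relayed on TCP 25, and the ASA's own outside address serves as the mapped address. The over-broad rule is left commented out for contrast.

```cisco
! Added example. Addresses keep the thread's masked form (x = elided octet).
!   24.172.x.132 = spam filter on the public subnet (from the question)
!   10.10.x.58   = inside mail server (assumed from the earlier reply)
!
! Publish only SMTP on the ASA's outside address (assumption: no spare
! public IP is dedicated to the mail server).
static (inside,outside) tcp interface smtp 10.10.x.58 smtp netmask 255.255.255.255
!
! Too broad: any Internet host could deliver straight to the inside server,
! bypassing the spam filter.
! access-list outside_in extended permit tcp any interface outside eq smtp
!
! Least privilege: only the spam filter may open SMTP to the inside server.
access-list outside_in extended permit tcp host 24.172.x.132 interface outside eq smtp
!
! Explicit final deny with logging, so attempts to reach the server from
! any other source show up in syslog. Keep this as the last line of the ACL.
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Checks after applying:
!   show access-list outside_in   (the permit line's hitcnt should increase
!                                  when the filter delivers mail)
!   show xlate                    (the port translation for 10.10.x.58
!                                  should be listed)
```

With the spam filter and the ASA outside interface on the same switch, the filter reaches the ASA directly at layer 2, so the source address the ACL matches is the filter's own 24.172.x.132.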
