Can anyone shed some light on a problem I'm having? We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services, but I cannot think how I can do this/configure this.
LAN > ASA5505 > VDSL Modem > ISP
The range they have given us is:
Number of IP addresses: 8
IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
Subnet mask: 255.255.255.248
Subnet in slash notation: XX.XX.XXX.40 /29
Network address: XX.XX.XXX.40
I have set up XX.XX.XXX.46 on the outside interface, and hosts inside can access the net and NAT from the internet to internal devices all works.
We have a VDSL modem connected to the outside interface, and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing, and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback.
Since you have the public subnet pointed to your ASA outside interface IP from your ISP, you do not need to worry about anything. You can use the other IP addresses for your NAT/PAT. For testing you can remove the NAT statement as interface to a different IP in that stack,
say nat (inside,outside) dynamic <x.x.x.41>
It will work. In case you want to use the spare IP addresses for servers inside the network, you need to do the static NAT for those servers with that IP range, and allow the required traffic to the server on the outside interface ACL.
In a scenario like yours, it's very likely that the provider has routed the extra network to your PPPoE-assigned address. With that you need three config elements (I assume you are running an actual ASA v8.4 or newer):
NAT statements for your servers
ACL statement on the outside ACL to allow the communication
The version is Cisco Adaptive Security Appliance Software Version 9.2(2)4.
Debugging ICMP, I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
The NAT rules I have are:
nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for LAN access to the internet
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
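The NAT and ACL elements named in the replies above, plus a capture that shows whether traffic for a spare address reaches the firewall at all, as an added example that is not from any poster in this thread. The interface names come from the thread; the object name SRV-WEB, the ACL name OUTSIDE_IN, the capture name CAP_SPARE and every address (203.0.113.45 standing in for xx.xx.xx.45, 192.168.200.10 for the internal server, 198.51.100.10 for an internet client) are constructed placeholders.

```cisco
! Added example: names and addresses are constructed placeholders.
! Object NAT: internal server port 80 published as 203.0.113.45:65100
object network SRV-WEB
 host 192.168.200.10
 nat (Vlan200_Int,Outside_Dirty_Int) static 203.0.113.45 service tcp www 65100
!
! From 8.3 onward the interface ACL is evaluated against the real
! (post-un-NAT) address and port, so permit the server object on www,
! not the public address on 65100. Keep the source as narrow as the
! service allows; "any" is used here only because the service is public.
access-list OUTSIDE_IN extended permit tcp any object SRV-WEB eq www
access-group OUTSIDE_IN in interface Outside_Dirty_Int
!
! Does the ISP deliver packets for the spare address to this firewall?
! An empty capture while an outside client connects points upstream
! (routing of the /29), not at the NAT or ACL configuration.
capture CAP_SPARE interface Outside_Dirty_Int match tcp any host 203.0.113.45 eq 65100
show capture CAP_SPARE
no capture CAP_SPARE
!
! Local policy check: simulates a packet through NAT and ACL on the ASA
! itself, independent of whether the ISP routes the address.
packet-tracer input Outside_Dirty_Int tcp 198.51.100.10 40000 203.0.113.45 65100
!
! Translate and ACL hit counters stay at zero if no traffic arrives.
show nat detail
show access-list OUTSIDE_IN
```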