Configure second public ip to interface - ASA 5505

Kenzie6964
Level 1

Is it possible to configure a secondary public IP address on our Cisco ASA 5505? We have 6 available IPs from our ISP, and currently only one is in use, which holds our VDI sessions.

We then require an additional public IP address going into the same network (so ideally on the same interface) that will be for an Exchange server...

One thing that I also need... is that 443 will need to be routed depending on the public IP that it comes in on (currently 443 is already in use on the live public IP).

I have read conflicting reports as to whether this is possible or not, which is why I am asking on here. I believe I would configure a secondary IP on the external interface and then use NAT to map the public IP to the Exchange server.



6 Replies

Jouni Forss
VIP Alumni

Hi,

You can't configure a "secondary" IP address on the ASA interface like you are able to with Cisco routers.

HOWEVER, this doesn't stop you from using the IP addresses from the current external interface's connected network as NAT IP addresses. So the interface will hold a single IP address only, and the rest of them are used only in NAT configurations.

Are you saying that you need Static NAT for some internal IP address only?

I am not sure what you mean with:

"One thing that i also need... is 443 will need to be routed depending on the public Ip that it comes in on (currently 443 is already in use for the public IP live)"

It seems to hint at something other than Static NAT.

- Jouni

Kenzie6964
Level 1

Thanks for the reply,
When you say use Static NAT... could you clarify what you mean exactly? So, for example, we have IP addresses:

123.123.123.34 outside interface using ports 80,8080,443,3389

123.123.123.35 to be exchange server needs to use ports 80,443,25,3389

So is it possible to map ports depending on the public IPs that connections come in on? As 80 is needed by both IPs.


Jouni Forss
VIP Alumni

Hi,

I imagine that your ISP has provided you with a public subnet of /29, since you mention you have 6 IPs at your disposal.

Now let's look at the 2 common NAT types used to allow access to your internal host.

Static NAT

Static NAT essentially binds a single public IP address to a single local IP address. This would mean that every TCP/UDP port would be forwarded to the local host when a user connects to the public IP address. Naturally the interface ACL would be used to control what ports are allowed. So if you can spare the public IP addresses then you would configure Static NAT and allow what ports you need.

Static PAT

Static PAT essentially binds a single public port of a public IP address to a single local port of a single local IP address. This is typically used when the user has only a single public IP address at his/her disposal and needs to host services on multiple internal servers.

In your case since you have free public IP addresses the clearest and easiest solution would be to configure Static NAT and use the interface ACL to allow the ports you need on each server.

And to one of your questions,

You would only have problems if you were trying to use a single public IP address for different internal servers and forward the same public port to them. For example, your mentioned port TCP/80 couldn't be used twice with a single public IP address.

Though since you were suggesting that you would use a completely different public IP address for the other server, this means there would be absolutely no problems. You would be using the same ports on both IPs, but the key thing is that the NAT IP address is different, so there is no problem.

Hope this clarifies things, and hope I understood your question correctly.

- Jouni

Kenzie6964
Level 1

That's great Jouni, it's what I thought, but I couldn't fill in the blanks as to what exactly was needed.
I'll look into configuring this today :-)

So just to confirm, I don't need to assign the outside interface the secondary IP, as the subnet would expect this? (And the ASAs aren't capable of this.)


Jouni Forss
VIP Alumni

Hi,

Yes, the interface only has the single public IP address configured. The rest of the public IP addresses are only present in the NAT configuration, that is if you have even configured any NAT using them.

Actually, to be more specific, you could configure a NAT IP address from a totally different public subnet on your ASA and it would work (provided the ISP has provided you with that extra subnet).

This situation comes up when an ISP has allocated the user multiple public subnets. In those cases they will either configure all the public subnets on their gateway router's interface, OR alternatively they will configure one of the subnets between their gateway interface and your ASA (just like now) and then just route the additional public subnets towards your current "outside" interface IP address.

Let us know how it goes.

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more, though, if there is still a problem after configuring the NAT.

- Jouni
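As an added worked example (not from the original thread or any of its posters), here is what the Static NAT versus Static PAT split from the accepted answer, the interface ACL, and Jouni's last point about a NAT IP from a second routed subnet look like in ASA 8.3+ object NAT syntax. The public addresses 123.123.123.34/.35 and the /29 are the ones the thread uses; the internal hosts 10.10.10.10 (VDI) and 10.10.10.20 (Exchange), the interface and object names, the management address 203.0.113.10 and the second subnet 198.51.100.0/29 are assumptions made for the example.

```cisco
! ASSUMED outside interface: exactly one address, as the thread says.
! 123.123.123.35 is deliberately NOT configured here; it lives only in NAT.
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.34 255.255.255.248

! --- Existing VDI host, reached on the interface IP: Static PAT ---
! One public port on 123.123.123.34 maps to one port on the ASSUMED host
! 10.10.10.10. A single public IP cannot map TCP/443 to two hosts, which is
! why the Exchange server needs its own public address below.
object network obj-vdi-https
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 443 443
object network obj-vdi-http
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 80 80
object network obj-vdi-8080
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 8080 8080
object network obj-vdi-rdp
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389

! --- Exchange on a spare public IP: Static NAT (one-to-one) ---
! Every port on 123.123.123.35 maps to the ASSUMED host 10.10.10.20. The ASA
! answers ARP for .35 on the outside segment because .35 is in the connected
! /29 and appears as a mapped address, so no secondary interface IP is needed.
object network obj-exchange
 host 10.10.10.20
 nat (inside,outside) static 123.123.123.35

! --- Interface ACL decides what is actually reachable ---
! With 8.3+ the inbound ACL matches the REAL (internal) address, so reference
! the object or internal host, not the public IP. Only the ports the thread
! lists are opened; RDP is restricted to an ASSUMED management address
! rather than "any", since exposing 3389 to the Internet is a common mistake.
access-list outside_in extended permit tcp any object obj-exchange eq smtp
access-list outside_in extended permit tcp any object obj-exchange eq www
access-list outside_in extended permit tcp any object obj-exchange eq https
access-list outside_in extended permit tcp host 203.0.113.10 object obj-exchange eq 3389
access-list outside_in extended permit tcp any host 10.10.10.10 eq www
access-list outside_in extended permit tcp any host 10.10.10.10 eq 8080
access-list outside_in extended permit tcp any host 10.10.10.10 eq https
access-list outside_in extended permit tcp host 203.0.113.10 host 10.10.10.10 eq 3389
access-group outside_in in interface outside

! --- Variant for a NAT IP from a second subnet (Jouni's last point) ---
! If the ISP routes an ASSUMED extra 198.51.100.0/29 to 123.123.123.34, the
! Exchange mapping uses an address from it instead of .35. Replace the
! obj-exchange NAT line above with this one; the ASA only has to own the
! address in NAT, not on any interface, and the ACL is unchanged because
! it already matches on the real address.
! object network obj-exchange
!  nat (inside,outside) static 198.51.100.2

! --- Checks to run on the box after applying (exec, not config, lines) ---
! show nat detail
! packet-tracer input outside tcp 203.0.113.10 40000 123.123.123.35 443
! packet-tracer input outside tcp 203.0.113.10 40000 123.123.123.34 443
```

The two `packet-tracer` runs are the direct answer to the "443 depending on which public IP it came in on" question: the first should show the UN-NAT phase translating .35 to 10.10.10.20 and the second .34 to 10.10.10.10, each followed by an ACCESS-LIST phase that allows the flow. On ASA 8.2 and earlier the same design is written with `static (inside,outside) 123.123.123.35 10.10.10.20 netmask 255.255.255.255` and the interface ACL references the mapped (public) address instead of the real one.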

Kenzie6964
Level 1

Thanks very much
