Multiple IP addresses on one ASA 5510 interface?

dathom1093
Level 1

I'm replacing a Symantec (software) firewall with an ASA5510. One of the features of the Symantec is that it allows a single external interface to act as multiple IP addresses, and each of the "virtual" IP addresses to be redirected to different internal hosts.

The multiple external IP addresses are mapped to different (publicly accessible) DNS hostnames, such as "ftp.mydomain.com" and "www.mydomain.com", so it's important that we maintain the ability to support multiple IP addresses on our external interface.

How can I do this with the 5510 ?


5 Replies

vitripat
Level 7

This is possible on ASA.

Let's take an example. Assume you have addresses from 1.1.1.10-1.1.1.14 and you have 3 internal servers with IPs ranging from 2.2.2.10-2.2.2.12.

You want to have 1.1.1.14 as the IP address of the ASA outside interface and you want to direct traffic to 1.1.1.10-1.1.1.12 to the internal servers. Here's the configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.14 255.255.255.0

static (inside,outside) 1.1.1.10 2.2.2.10
static (inside,outside) 1.1.1.11 2.2.2.11
static (inside,outside) 1.1.1.12 2.2.2.12

Thus we used the ip address command in interface configuration mode to give an IP address to the Ethernet0 interface of the ASA, and static commands to divert traffic from the rest of the public IP addresses to the internal servers.

Hope this helps.

Regards,

Vibhor.

Yes, that should work!

One more complication, however: how can I constrain a given tuple (such as 2.2.2.10 to 1.1.1.10) to only pass a particular protocol (eg, http)?

BTW: if it's not obvious, I'm a newbie... I just unpacked the 5510 and am trying to determine if I can make it do what we need. The Command Line interface is a bit overwhelming, but ASDM doesn't look like it supports much except basic configuration...

Well, I figured out how to pass a specific protocol, but now I'm stuck on a new problem...

Using the ASDM 5.0 NAT page, I define a static translation rule for outside address x, port 25 to be translated to inside address y, port 25.

Then I assume I need to define a "permit" rule, so I go to Security Policy Access Rules and permit outside host x to inside destination host y, specifying tcp/smtp for both.

But when I try to add the access rule, it says that "No NAT rule is configured for host y on the Inside interface from Outside interface". If I then click OK it configures a new static NAT of Inside Y to Outside Y (yes, the same address!) which makes absolutely no sense.

When you "define a static translation rule for outside address x, port 25 to be translated to inside address y, port 25.", x and y both designate the same host:

- x is the outside address of the host

- y is the inside address of the host

So in your access-list, you don't have to add a rule between x and y (since both designate the same host...) but you have to add a rule between outside hosts and the host x:

If we continue with the same example, it would be something like this:

interface Ethernet0/0
 nameif INT_OUTSIDE
 security-level 0
 ip address 1.1.1.14 255.255.255.0

! port redirection: only TCP/25 of 1.1.1.10 is translated to 2.2.2.10
static (INT_INSIDE,INT_OUTSIDE) tcp 1.1.1.10 25 2.2.2.10 25 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.11 2.2.2.11 netmask 255.255.255.255
static (INT_INSIDE,INT_OUTSIDE) 1.1.1.12 2.2.2.12 netmask 255.255.255.255

! the ACL on the outside interface references the mapped (outside) address
access-list INT_OUTSIDE_access_in extended permit tcp any host 1.1.1.10 eq 25
access-group INT_OUTSIDE_access_in in interface INT_OUTSIDE

With this example, every host on the Outside can access your SMTP server which has:

- one outside address: 1.1.1.10

- one inside address: 2.2.2.10

Hope it helps
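One way to generate and cross-check the configuration both replies describe, as an added Python example that is not part of the thread and not a Cisco tool. It emits ASA 7.x static and access-list lines for the thread's own example addresses (1.1.1.x outside, 2.2.2.x inside; the interface and ACL names are assumed) and then checks an inbound outside ACL against the statics for the two mistakes discussed above: referencing the inside (real) address instead of the mapped address, and putting a port match on protocol ip. It also reports when an ACL line permits more than a port-redirect static actually exposes.

```python
"""Generate and sanity-check ASA 7.x static NAT plus an outside-interface ACL.

Added example; not from the thread or from Cisco. The addresses are the
thread's example values, and the interface/ACL names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    """One static translation: mapped (outside) address <-> real (inside) address."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None   # "tcp" or "udp" when only one port is exposed
    port: Optional[int] = None

    def to_cli(self) -> str:
        """ASA 7.x 'static' syntax; port redirection puts the protocol keyword first."""
        ifcs = f"({self.real_ifc},{self.mapped_ifc})"
        if self.proto:
            return (f"static {ifcs} {self.proto} {self.mapped_ip} {self.port} "
                    f"{self.real_ip} {self.port} netmask 255.255.255.255")
        return f"static {ifcs} {self.mapped_ip} {self.real_ip} netmask 255.255.255.255"


def outside_acl(name: str, statics: List[StaticNat]) -> List[str]:
    """Inbound ACL for the outside interface: permit only what each static exposes,
    always addressed to the mapped IP, the address valid on the outside network."""
    lines = []
    for s in statics:
        if s.proto:
            lines.append(f"access-list {name} extended permit {s.proto} any host {s.mapped_ip} eq {s.port}")
        else:
            lines.append(f"access-list {name} extended permit ip any host {s.mapped_ip}")
    return lines


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 2


def check_acl(outside_net: str, statics: List[StaticNat], acl_lines: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the ACL matches the statics."""
    net = ipaddress.ip_network(outside_net)
    by_mapped = {s.mapped_ip: s for s in statics}
    by_real = {s.real_ip: s for s in statics}
    problems = []
    for s in statics:
        if ipaddress.ip_address(s.mapped_ip) not in net:
            problems.append(f"mapped {s.mapped_ip} is not on outside network {outside_net}")
    for line in acl_lines:
        tok = line.split()
        # access-list NAME extended permit PROTO SRC [eq P] DST [eq P]
        proto = tok[4]
        _, i = _addr(tok, 5)
        if i < len(tok) and tok[i] == "eq":
            i += 2                                  # skip a source-port match
        dst, i = _addr(tok, i)
        dport = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
        if dport is not None and proto == "ip":
            problems.append(f"'{line}': 'eq' needs tcp or udp, not ip")
        if dst in by_real:
            problems.append(f"'{line}': {dst} is the inside address; use mapped {by_real[dst].mapped_ip}")
            continue
        s = by_mapped.get(dst)
        if s is None:
            if dst != "any":
                problems.append(f"'{line}': no static exposes {dst}")
            continue
        if s.proto and (proto != s.proto or dport != str(s.port)):
            problems.append(f"'{line}': static exposes only {s.proto}/{s.port}")
    return problems


def thread_example() -> Tuple[List[StaticNat], List[str]]:
    """The thread's scenario: SMTP-only on 1.1.1.10, full statics for .11 and .12."""
    statics = [
        StaticNat("inside", "outside", "1.1.1.10", "2.2.2.10", "tcp", 25),
        StaticNat("inside", "outside", "1.1.1.11", "2.2.2.11"),
        StaticNat("inside", "outside", "1.1.1.12", "2.2.2.12"),
    ]
    return statics, outside_acl("outside_access_in", statics)


if __name__ == "__main__":
    statics, acl = thread_example()
    for s in statics:
        print(s.to_cli())
    for line in acl:
        print(line)
    print("problems:", check_acl("1.1.1.0/24", statics, acl))
    # The asker's first attempt named the inside host as the ACL destination:
    wrong = ["access-list outside_access_in extended permit tcp host 1.1.1.10 host 2.2.2.10 eq 25"]
    print("problems:", check_acl("1.1.1.0/24", statics, wrong))
```

Running the script prints the three statics, the matching ACL, an empty problem list, and then one problem for the ACL line that names 2.2.2.10 as destination on the outside interface. The port-redirect static deliberately exposes only TCP/25 of 1.1.1.10; the checker treats an ACL permitting anything wider for that address as a problem, which is the least-privilege reading of the accepted answer.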

Thank you!

I read Chapters 13-15 of the 7.0(4) Command Line Config Guide last night (more than once), and it slowly sunk in where I had gone wrong. In particular, the statement on p. 13-3 that says "you need to use addresses [in an access list] that are valid on the network connected to the interface."

And your example confirms my (new) understanding.

Thanks again,

DT
