New Member

Multiple public IP addresses

ASA newb here.  This question has been asked before but the configurations seem to be different so they don't really answer my question.  I think mine is pretty simple but I can't find a clear "this is what you do" answer.  I've been reading the Cisco docs trying to figure it out but they have so many different scenarios and examples that it's a little overwhelming.  Plus none of them seem to match mine 100%.

ASA 8.4

I have 6 public IP addresses and want to use 2 of them.  I have two servers running an application that needs port 1234 accessible externally for updates.  Can't change port numbers and obviously can't route 1234 two different places.

Say my range is 4.4.4.4 to 4.4.4.10.  I want to use 4.4.4.4 and 4.4.4.5.  My network currently looks like so:

4.4.4.4 <--> ASA <--> 192.168.0.0/24

I want:

4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24

Any ideas?

13 REPLIES

Multiple public IP addresses

Steve,

What are you trying to do by having two IP addresses on the outside interface?  Is this just for the servers?  Depending on what you are trying to do, there are a couple of ways to do this.

Please give a little more information and we will be more helpful.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Multiple public IP addresses

Just for the two servers.  I have two servers with the same software running on port 1234.  They both need to be accessible externally.

Multiple public IP addresses

Steve,

You can do this with a static NAT for your two servers on that specific port.  It would look kind of like this:

static (inside,outside) tcp 4.4.4.4 1234 192.168.X.X 1234 netmask 255.255.255.255

static (inside,outside) tcp 4.4.4.5 1234 192.168.X.X 1234 netmask 255.255.255.255

Or if you want to set them up to use the outside interface only on that port you can do that too.

static (inside,outside) tcp interface 1234 192.168.X.X 1234 netmask 255.255.255.255

Thanks,

Kimberly

New Member

Multiple public IP addresses

He is running 8.4, so the nat is different.

Create an object for each server inside IP and outside IP, then create the NAT statement to tie them together, then create the outside ACL to allow that port access from any source. The destination will be the REAL IP of the server, not the public IP.

object network server1
 host 192.168.1.4
object network server2
 host 192.168.1.5
object network server1-outside
 host 4.4.4.5
object network server2-outside
 host 4.4.4.6
object network server1
 nat (inside,outside) static server1-outside
object network server2
 nat (inside,outside) static server2-outside

Multiple public IP addresses

I am sorry, I totally missed the fact that he is running 8.4.  You are so right on the money and this is also why he is getting the errors when adding the older style static NAT.

Thanks and good catch.

Kimberly

New Member

Multiple public IP addresses

If I go the object route as tahequivoice suggested I get:

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

New Member

Multiple public IP addresses

I get an error: invalid input detected, and the marker is pointing at netmask.

New Member

Multiple public IP addresses

Use the ASDM, it is SO much easier for a NOOB when it comes to 8.3/8.4. In the ASDM under Firewall, the right-hand window lists the objects. Create the object there as I described, then when all are done, click on the inside server, expand NAT, choose static, and select the outside one you want to use. Click Advanced, then select the interfaces, and click OKAY.

Apply and you should be all set. Don't forget the ACL and use the REAL IP.

New Member

Multiple public IP addresses

BTW NooB not meant to offend, EVERY one who goes from 8.2 to 8.3 is a NooB.

New Member

Multiple public IP addresses

none taken.

Let me make sure I've got this right.  I'll describe what I see in ASDM.

Line 1:  Source Intf - inside, Dest Intf - outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Original--, Service --Original--

Line 2:  Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source --Original--(S), Destination - server2, Service --Original--

I'm not entering your server1 info because I already have that setup and working.

ACL:  Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit

Server2 = 192.168.1.5

Server2-Outside = 4.4.4.6 (my other external address)

New Member

Multiple public IP addresses

It sounds right.   Do a grab from the CLI and then I can tell if it is correct.

New Member

Multiple public IP addresses

object network server2

host 192.168.1.5

object network server2-outside

host 4.4.4.6

nat (inside,backup) static interface service tcp 1234 1234

object network server2

nat (inside,outside) static server2-outside service tcp 1234 1234

New Member

Multiple public IP addresses

I can confirm that this works.  Thanks a bunch.
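
The two pitfalls raised in the thread (an outside ACL that must name the real server IP on 8.3+, and the "empty object" NAT error), as an added example that is not any poster's configuration: a small Python check run over a constructed ASA config built from the thread's example addresses. The ACL name `outside_in`, the function names, and the reading of the error as a NAT that references an object with no `host` line are assumptions; only `any` and `host` address specs are parsed.

```python
# Constructed sample: ASA 8.3+ config built from the thread's example addresses.
# The ACL name "outside_in" is an assumption; the thread never shows its ACL.
SAMPLE = """\
object network server1
 host 192.168.1.4
object network server2
 host 192.168.1.5
object network server1-outside
 host 4.4.4.5
object network server2-outside
 host 4.4.4.6
object network server1
 nat (inside,outside) static server1-outside service tcp 1234 1234
object network server2
 nat (inside,outside) static server2-outside service tcp 1234 1234
access-list outside_in extended permit tcp any host 192.168.1.4 eq 1234
access-list outside_in extended permit tcp any host 192.168.1.5 eq 1234
access-group outside_in in interface outside
"""

def _addr(tok):
    """Consume one ACL address spec; return (host IP or None, remaining tokens)."""
    if not tok or tok[0] == "any":
        return None, tok[1:]
    return (tok[1] if tok[0] == "host" else None), tok[2:]

def audit(config):
    """Flag NATs that use an empty object and ACL permits aimed at a mapped IP."""
    hosts, nats, dests, current = {}, {}, [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():  # a top-level command opens or closes an object block
            current = w[2] if w[:2] == ["object", "network"] else None
        if current and w[0] == "host" and len(w) > 1:
            hosts[current] = w[1]
        elif current and w[0] == "nat" and len(w) > 3 and w[2] == "static" and w[3] != "interface":
            nats[current] = w[3]  # real object -> mapped object
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            dst = _addr(_addr(w[5:])[1])[0]  # skip the source spec, read the destination
            if dst:
                dests.append((w[1], dst))
    findings = [("empty-object", n) for pair in nats.items() for n in pair if not hosts.get(n)]
    mapped = {hosts[m]: hosts[r] for r, m in nats.items() if hosts.get(m) and hosts.get(r)}
    findings += [("acl-uses-mapped-ip", f"{acl}: {ip} -> use {mapped[ip]}")
                 for acl, ip in dests if ip in mapped]
    return findings
```

`audit(SAMPLE)` returns an empty list; changing an ACL destination to a public address, or deleting a `host` line from an object used in a NAT, produces a finding.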
