Cisco Support Community
New Member

Multiple Public IPs to Multiple Inside IPs.

Hello,

I have a situation where I am replacing a SonicWall FW with an ASA 5510. I have several public IPs assigned to several systems in the DMZ.

For example, the outside interface address is 66.100.0.2

I have OWA (443) on 66.100.0.3 > 10.10.20.3

Sharepoint (443) on 66.100.0.4 > 10.10.20.4

Company WebSite (80) 66.100.0.5 > 10.10.20.5

Public IPs are just examples.

Not sure how the SonicWall did it, but we are able to get to all our resources as described above.

Is it possible for the ASA to handle this?

2 ACCEPTED SOLUTIONS

Cisco Employee

Re: Multiple Public IPs to Multiple Inside IPs.

Static NAT:

static (DMZ,outside) 66.100.0.3 10.10.20.3

static (DMZ,outside) 66.100.0.4 10.10.20.4

static (DMZ,outside) 66.100.0.5 10.10.20.5

or

Static PAT:

static (DMZ,outside) tcp 66.100.0.3 443 10.10.20.3 443 netmask 255.255.255.255

static (DMZ,outside) tcp 66.100.0.4 443 10.10.20.4 443 netmask 255.255.255.255

static (DMZ,outside) tcp 66.100.0.5 80 10.10.20.5 80 netmask 255.255.255.255

You also have to permit tcp 443 and tcp 80 to these public IP addresses from any source on the internet in the ACL applied to the outside interface.

example:

access-list outside-acl permit tcp any host 66.100.0.3 eq 443

access-list outside-acl permit tcp any host 66.100.0.4 eq 443

access-list outside-acl permit tcp any host 66.100.0.5 eq 80

access-group outside-acl in interface outside
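As an added example (not part of this thread, and not Cisco's code), the script below builds the static NAT / static PAT lines and the matching outside ACL from the mapping table in the accepted solution, and sanity-checks the table first: every public address must be a usable host in the block the ISP routes to you (the point raised later in the thread about the /29), a one-to-one static cannot use the outside interface address (static PAT can, via the 'interface' keyword), and no public address or tcp/port pair may be mapped twice. It also emits the 8.3+ object-NAT equivalent, which goes beyond the thread: the interface names, ACL name and addresses come from the accepted solution, while the 66.100.0.0/29 ISP block, the object names and the 8.3+ output are assumptions made here.

```python
"""ASA 'multiple public IPs to multiple DMZ hosts': build and sanity-check the
static NAT / static PAT and outside-ACL lines.

Added example, not from the thread. Addresses, interface names and ACL name
come from the accepted solution; the /29 ISP block, the object names and the
8.3+ output are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass

ISP_BLOCK = ipaddress.ip_network("66.100.0.0/29")  # assumed ISP assignment
OUTSIDE_IP = ipaddress.ip_address("66.100.0.2")    # ASA outside address (thread)
REAL_IFC, MAPPED_IFC, ACL = "DMZ", "outside", "outside-acl"
HOST_MASK = "netmask 255.255.255.255"


@dataclass(frozen=True)
class Mapping:
    name: str        # object name for 8.3+ output (assumed)
    public_ip: str   # mapped address on the outside
    real_ip: str     # DMZ host
    port: int        # TCP port exposed; static PAT forwards only this port


# Constructed from the thread's example mappings.
MAPPINGS = [
    Mapping("owa", "66.100.0.3", "10.10.20.3", 443),
    Mapping("sharepoint", "66.100.0.4", "10.10.20.4", 443),
    Mapping("website", "66.100.0.5", "10.10.20.5", 80),
]


def validate(mappings, one_to_one, isp_block=ISP_BLOCK, outside_ip=OUTSIDE_IP):
    """Return the list of problems (empty when the table is consistent).

    The ISP routes the whole block to the ASA, but network and broadcast are
    not usable; a one-to-one static cannot use the outside interface address;
    a public address (one-to-one) or public address + tcp/port (PAT) may be
    used only once.
    """
    problems, seen = [], {}
    usable = set(isp_block.hosts())
    for m in mappings:
        pub = ipaddress.ip_address(m.public_ip)
        if pub not in usable:
            problems.append(f"{m.name}: {pub} is not a usable host in {isp_block}")
        if one_to_one and pub == outside_ip:
            problems.append(f"{m.name}: {pub} is the outside interface address; use static PAT instead")
        key = (m.public_ip,) if one_to_one else (m.public_ip, m.port)
        if key in seen:
            dup = m.public_ip if one_to_one else f"{m.public_ip} tcp/{m.port}"
            problems.append(f"{m.name}: {dup} already used by {seen[key]}")
        seen[key] = m.name
    return problems


def _mapped(m):
    # Static PAT on the outside interface address uses the 'interface' keyword.
    return "interface" if ipaddress.ip_address(m.public_ip) == OUTSIDE_IP else m.public_ip


def pre83_config(mappings, one_to_one):
    """Pre-8.3 syntax (as in the thread): 'static' lines plus an ACL on the
    outside interface that permits the mapped (public) addresses."""
    lines = []
    for m in mappings:
        if one_to_one:
            lines.append(f"static ({REAL_IFC},{MAPPED_IFC}) {m.public_ip} {m.real_ip} {HOST_MASK}")
        else:
            lines.append(f"static ({REAL_IFC},{MAPPED_IFC}) tcp {_mapped(m)} {m.port} {m.real_ip} {m.port} {HOST_MASK}")
    for m in mappings:
        lines.append(f"access-list {ACL} extended permit tcp any host {m.public_ip} eq {m.port}")
    lines.append(f"access-group {ACL} in interface {MAPPED_IFC}")
    return lines


def post83_config(mappings, one_to_one):
    """8.3+ object NAT (goes beyond the thread). From 8.3 the interface ACL is
    checked after NAT untranslation, so it must permit the real DMZ addresses,
    not the public ones; this is the usual upgrade surprise."""
    lines = []
    for m in mappings:
        lines += [f"object network {m.name}", f" host {m.real_ip}"]
        if one_to_one:
            lines.append(f" nat ({REAL_IFC},{MAPPED_IFC}) static {m.public_ip}")
        else:
            lines.append(f" nat ({REAL_IFC},{MAPPED_IFC}) static {_mapped(m)} service tcp {m.port} {m.port}")
    for m in mappings:
        lines.append(f"access-list {ACL} extended permit tcp any host {m.real_ip} eq {m.port}")
    lines.append(f"access-group {ACL} in interface {MAPPED_IFC}")
    return lines


if __name__ == "__main__":
    for one_to_one in (True, False):
        mode = "one-to-one static NAT" if one_to_one else "static PAT"
        print(f"! {mode}, problems: {validate(MAPPINGS, one_to_one)}")
        print("\n".join(pre83_config(MAPPINGS, one_to_one)))
        print("!\n! 8.3+ equivalent")
        print("\n".join(post83_config(MAPPINGS, one_to_one)))
```

Run it as-is to print both the pre-8.3 and the 8.3+ forms for the thread's three hosts. Static PAT is the tighter choice when each server exposes a single port, since a one-to-one static translates every port and leaves the ACL as the only thing standing between the internet and anything else listening on the DMZ host.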

Cisco Employee

Re: Multiple Public IPs to Multiple Inside IPs.

John,

Your ISP provided you the public addresses. It is their responsibility to bring the traffic destined to the ASA's outside address as well as other addresses that we added in the static commands to the outside interface of the ASA. Once the traffic arrives on the ASA the ASA will take care of sending the traffic to the appropriate servers on the DMZ.

Piece of cake!!

5 REPLIES
New Member

Re: Multiple Public IPs to Multiple Inside IPs.

Hi, that is possible on the ASA.

New Member

Re: Multiple Public IPs to Multiple Inside IPs.

Wow, is it really that easy? How does the traffic even know to get to the ASA from these other public IPs if the outside interface of the ASA is a different public IP?

Outside is 66.10.0.2

So if I'm a user somewhere and I make a request to 66.10.0.5, how does it know to go to 66.10.0.2 to get there?

Thanks for the help!

New Member

Re: Multiple Public IPs to Multiple Inside IPs.

It's all in the IP block you got from your ISP. E.g. say they give you the block 66.39.100.0/29; then you have 6 usable public IPs, 66.39.100.1 - 66.39.100.6, in theory. So all internet traffic destined to any of those 6 IPs will be routed to your location, i.e. https://mail.company.com could resolve to 66.39.100.1, http://www.company.com could be 66.39.100.2, and 66.39.100.3 could be the outside IP of your ASA, etc. This could also be set up slightly differently, but I'm sure you get the point.

The ACL actually opens the port for traffic to enter the ASA from the outside interface, as the ASA doesn't allow traffic from a lower-security interface (outside) to reach a higher-security interface (DMZ, inside, etc.) by default.

NAT/PAT statements on the ASA are always confusing to me :) they always seem to be in the wrong order. In simple terms, static NAT translates the real address (10.10.10.2) to a mapped address that is routable, e.g. 66.39.100.2. PAT is slightly different...

These will help you understand static NAT/PAT and ACLs...

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Donavan
