Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Static Nat & 8 public ip's on PPPoE


my ISP has given me a block of 8 static ip's. I am using an ASA 5505 to connect to the ISP.

However this is over PPPoE and as I understand, I can only use 1 ip for the outside interface with PPPoE.

I have managed to use the other ip's with static natting to translate a public ip to a private ip and it's working well.

Can I translate one of the the public ip's to the same public ip rather than to a private ip?

eg If I have a web server, rather that nat the public ip on the ASA to the web server private ip, just give the server the public ip and the ASA will translate to that?




Cisco Employee

Hi Louis,One question to

Hi Louis,

One question to clear my doubts: When you check the IP address assigned to the PPPoE connection on the ASA, is it one of the 8 static IPs assigned by your ISP, or is it a different IP address? I suppose you have your PPPoE connection configured with ip address negotiated instead of a static address.

If it is a different IP address then what your ISP does is assign your ASA an address and route the entire /29 subnet over that assigned address. That would mean that your ASA does not need to do any NATting whatsoever - it can have one of its other interfaces configured with the appropriate /29 subnet and simply act as a router between the public static /29 subnet and the ISP with its outside interface being the PPPoE interface with just some irrelevant IP address assigned by the ISP automatically.

Best regards,

New Member

Hi,I have set the router ip


I have set the ASA ip statically. When I do this on the ASA, it does not give me the chance to put a /29 in as even though I can enter it, it will revert the PPPoE to a /32 which is by design.

Now, when I've used pfSense, Sophos etc in the past, you simply add ip aliases to the interface and then go from there but  I understyand in the Cisco world, things don't quite work this way.

I'm just wondering how to get the ip's into the ASA as they are rather than natting them to a private ip.

Cisco Employee

Louis,You are talking about a


You are talking about a router and about an ASA. I am confused - do you have both a router and an ASA on your premises connected together? I believe that a diagram of your network would be helpful.

Regarding the /32 netmask on the PPPoE interface, that is understandable as the connection is point to point by design. However, I am specifically asking if the ASA supports the ip address negotiated command instead of configuring its PPPoE interface with a static address. The point is to have ISP assign your ASA an address automatically via IPCP, and route the static range via this assigned address.

Best regards,

New Member

Hi,I've now assigned it via


I've now assigned it via negotiated which basically comes back as what I'd set statically.

I agree the ISP must route the block of IP's via this as static nat is working.

What I have is a Sophos UTM which does an exellent job of mail filtering so I'm trying to find how I would fit that into the network without double natting ie give the external interface one of the public ip's  even though it's sitting behind the front facing ASA.

So behind the ASA is an exchange server which should go to the Sophos UTM and then to the ASA.

Hi, /32 is being set for the



/32 is being set for the PPPoE is a design and why you want to have a public ip to public ip NAT..... eventhough it is been showing as /32 but your isp would have routed the whole /29 towards your ASA which you have procured... but if you want to use a direct public ip, then you have create a seperate zone on cisco asa, which should have a public ip configured to it and you have to exempt that from NAT to disable NATing for that public ip.... but that is not the best model.....




CreatePlease to create content