Advise needed on ASA5520 config.

ianpdavis
Level 1

I am currently in the process of migrating my old IP440 based Checkpoint firewalls to ASA5520s and have come across a major headache.

I have a number of websites which reside on 2 DMZ webservers. Currently the webservers and each website have an address from the private DMZ subnet. The websites, however, also have an address from my public address pool so that they can be accessed by IP from outside and also for SSL. This is achieved on the Checkpoint by binding the legal IP address to the outside interface and using NAT to the DMZ.

I am struggling to see a way to implement this on the ASA. There doesn't appear to be a way to have multiple addresses on the outside interface and I can't see any way around it.

Have any of you come across similar configurations where websites reside on a private-range DMZ but are accessed from outside by a unique legal IP?

2 Replies

bbacola
Level 1

The IP address doesn't have to reside on the physical outside interface in order for you to NAT the address. You simply create a "static" for each one of your webservers. For example, if your DMZ private address is 192.168.10.10 and your public address is x.x.x.x, your config would be:

static (dmz,outside) x.x.x.x 192.168.10.10 netmask 255.255.255.255

You would then use an access list to open the necessary ports to the x.x.x.x address.

Also, make sure proxy-arp is enabled on your outside interface.
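The reply's three pieces (static, access-list, proxy-arp) put together as an added illustration, not taken from the thread: two DMZ web servers published on unique public addresses using the same pre-8.3 "static" syntax the reply uses. The public addresses 203.0.113.10/.11, the second server 192.168.10.11 and the ACL name outside_in are assumed placeholders.

```cisco
! Constructed example (not the poster's config). 192.168.10.10 is the server
! from the reply; 192.168.10.11, 203.0.113.x and "outside_in" are assumed.
!
! One static per server: public -> private, /32 so only that host is mapped.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255
!
! Inbound ACL on the outside interface. Pre-8.3 ACLs match the public
! (translated) address, as the reply says. Only the web ports are opened;
! the implicit deny at the end of the list blocks everything else.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_in extended permit tcp any host 203.0.113.11 eq https
access-group outside_in in interface outside
!
! Proxy ARP is on by default on the ASA. It is off only if
! "sysopt noproxyarp outside" is present, in which case the upstream router
! never learns a MAC for 203.0.113.10/.11 and the statics silently fail.
! This line re-enables it (a no-op if it was never disabled):
no sysopt noproxyarp outside
!
! Verification from enable mode:
!   show xlate                   - lists the two static translations
!   show running-config sysopt   - confirms no "noproxyarp outside" line
```

Because the public addresses are never configured on the interface, the upstream router only reaches them through the ASA's proxy-ARP replies, which is why the last check matters.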