Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Advise needed on ASA5520 config.

I am currently in the process of migrating my old IP440 based Checkpoint firewalls to ASA5520s and have come across a major headache.

I have a number of websites which reside on 2 DMZ webservers. Currently the webservers and each website have an address from the private DMZ subnet. The websites, however, also have an address from my public address pool so that they can be accessed by IP from outside and also for SSL. This is achieved on the Checkpoint by binding the legal IP address to the outside interface and using NAT to the DMZ.

I an struggling to see a way to implement this on the ASA. There doesn't appear to be a way to have multiple addresses on the outside interface and I can't see anyway around it.

Have any of you come across similar configurations where websites reside on a private-range DMZ but are accessed from outside by a unique legal IP?

Community Member

Re: Advise needed on ASA5520 config.

The ip address doesn't have to reside on the physical outside interface in order for you to NAT the address. You simply create a "static" for each one of your webservers. For example your dmz private address is and your public is x.x.x.x your config would be.

static (dmz,outside) x.x.x.x netmask

You would then use an access list to open the necessary ports to the x.x.x.x address.

Community Member

Re: Advise needed on ASA5520 config.

Also, make sure proxy-arp is enabled on your outside-interface

CreatePlease to create content