Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5515-X multiple external IP but 1 gateway

Hello All,

I have a ASA 5515-X which is currently connected to a cable modem via  Gi0/0. Gi0/0 is configured as DHCP to receive a dynamic IP from the ISP. It is currently working and users within the LAN are able to get out on the internet.

I requested a block of IP addresses the  from the ISP and was given 5  class A IP addresses that can be used to now connect externally on the internet. My reason for the requesting the block of IP addresses is due to the fact that users and vendors are asking for remote access i.e.: VPN client and Site-Site VPN

ASA 5515-X has 6 Gigabit Ethernet interface

Interface Gi0/0 will now be configured with one of the given class A IP address. 23.38.X.3/29

I have one vendor who has requested access to the network who has 2 NICs. The vendor requires one NIC connected to (only) the VLAN of interest and the second NIC needs to used one of the external  class A IP address. 23.38.X.4/29.

My questions for the community are : What are the steps or best practice involved in allowing the the vendor's appliance access or reachability through the ASA 5515-X firewall to vendor IP 23.38.X.4/29?

ACL and network objects etc. CLI examples is fine for me.

IP address 23.38.X.3 will be the the  ASA 5515-X firewall gateway on Gi0/0  to the internet >>> LAN Port of ISP Router EMG2926-Q10A>>>ISP WAN Port>>>Cable Modem>>RG6 cable.

Gi0/1 currently has an IP address of 173.28.X.1 >>> to Core VLAN with an IP address 173.28.X.2

Gi0/2-Gi0/5 are not currently in use for anything i.e.: no DMZ

Your assistance on this is all appreciated. 


Tags (edit): asa_multiple_external_ip_but_1_gateway

New Member

hello csco10015518,

hello csco10015518,

i think your problem solve using NAT , use default-getaway your firewall int g0/1 for internal user and default-route is your external interface (g0/0) .

New Member

Create a DMZ network using

Create a DMZ network using one of the other interfaces - G0/2 for example - and configure it for some private IP network like

Then add the external NIC of the vendor appliance to that network, e.g.

Then configure NAT to translate one of your public IPs to that DMZ address, <--> 23.38.x.4/29.


CreatePlease to create content