
ISA550 secondary WAN IP address

I have a broadband connection for which my ISP is providing 5 static IP addresses, and I wish to assign one of those addresses to the ISA550 itself.

The primary connection is established via a PPPoE connection and a dynamic IP address is assigned to the WAN interface. I need to assign a secondary address to the WAN interface from my static pool so that I have a static address to establish VPN tunnels.

On a Cisco router/Juniper firewall I can assign one of those addresses as a secondary address; however, I'm not seeing a way to do this on the ISA550. Is it possible?

9 REPLIES

ISA550 secondary WAN IP address

There is no way to set a secondary IP on a WAN interface in the ISA500. However, one thing you could try, if your ISP's device has multiple interfaces, is to set up the ISA for Dual WAN, connect the second WAN port to the ISP device and assign one of the static IPs to the WAN2 interface. Not sure if it will work, but worth a try.

As well, have you tried not using PPPoE and just using static IPs to see if it works with your ISP? I have to admit that I haven't come across this kind of dynamic IP assigned via PPPoE with statics on the backend. It's kind of a weird way of doing it with a lot of unnecessary overhead on their part, not to mention a waste of IP space.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


ISA550 secondary WAN IP address

Thanks Shawn, unfortunately the VDSL modem they supply only has a single Ethernet connection so cannot try the dual WAN suggestion. Not sure why they have it architected in this way but I guess they must have their reasons - this is BT, so not some tiny ISP.

BT give the option to have a single static IP or a block of 5. I may have to just use the single IP option and use port forwarding for inbound services into the DMZ as luckily I don't have anything clashing for this particular requirement. For more advanced projects I guess I'll have to look elsewhere for a UTM.

Re: ISA550 secondary WAN IP address

Another potentially dumb thought. ;-)
I wonder if you could put a switch between the ISA and ISP device and still leverage PPPoE on WAN1 and Static on WAN2 to make it work. Might be worth a try.

Shawn Eftink
CCNA/CCDA

ISA550 secondary WAN IP address

Perhaps the modem can do the PPPoE login and you have the 5 addresses between the modem and the ISA?

If not, then you only have a NAT pool for addresses, or you create a new zone (not DMZ) with these public addresses, since they will be routed via your PPPoE address.

Michael


Re: ISA550 secondary WAN IP address

Michael,
That is a good thought on trying to do PPPoE via the ISP modem. I had also thought about suggesting he put those 5 IPs on a DMZ, but his need for the ISA to be a VPN peer requires a static address on one of the WAN interfaces.

Shawn Eftink
CCNA/CCDA

ISA550 secondary WAN IP address

Yep, 5 addresses means it's a /28 net. So the modem should be the gateway, network- and broadcast address reserved. I think best practice is to let the modem do the login and give it the first address on the LAN side.

Michael


ISA550 secondary WAN IP address

I think what you want is a Static NAT rule, which is supported on this device.

Configuring Static NAT Rules

Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both to and from the host (if a firewall rule allows it). With dynamic PAT, on the other hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation is not supported.

Up to 64 static NAT rules can be configured on the security appliance. You must create firewall rules to allow access so that the static NAT rules can function properly.

Hope this helps,

dlm...

http://www.cisco.com/en/US/partner/docs/security/small_business_security/isa500/administration/guide/ISA500_firewall.html#wp1249135


ISA550 secondary WAN IP address

or to add a second via IP alias

Configuring IP Alias for Advanced NAT rules

A single WAN port can be accessible through multiple IP addresses by adding an IP alias to the port. When you configure an advanced NAT rule, the security appliance will automatically create an IP alias in the following cases:

Use Case: The inbound interface (From) is set to a WAN port but the original destination IP address (Original Destination Address) is different from the public IP address of the selected WAN port.

For example, you host an HTTP server (192.168.75.20) on your LAN. Your ISP has provided a static IP address (1.1.1.3) that you want to expose to the public as your HTTP server address. You want to allow Internet users to access the internal HTTP server by using the specified public IP address.
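The difference between static NAT on an IP alias and dynamic PAT described in the two posts above, as an added example that is not part of the original posts and is not Cisco's implementation: a toy translation table in Python. 1.1.1.3 and 192.168.75.20 are the addresses from the quoted guide; the `Gateway` class, the WAN address 198.51.100.7, the client 192.168.75.50 and the port numbers are constructed for illustration.

```python
from dataclasses import dataclass, field

WAN_IP = "198.51.100.7"  # constructed: dynamic address on the PPPoE WAN port

@dataclass
class Gateway:  # hypothetical model, not the ISA500's implementation
    wan_ip: str
    static_nat: dict = field(default_factory=dict)  # public (alias) IP -> private IP
    allow_in: set = field(default_factory=set)      # firewall: (private IP, port)
    pat: dict = field(default_factory=dict)         # (WAN IP, port) -> (private IP, port)
    next_port: int = 40000

    def outbound(self, src_ip, src_port):
        """Address and port the Internet sees for a new outbound flow."""
        for public, private in self.static_nat.items():
            if private == src_ip:
                return (public, src_port)           # fixed mapping, same every time
        self.next_port += 1                         # dynamic PAT: new port per flow
        self.pat[(self.wan_ip, self.next_port)] = (src_ip, src_port)
        return (self.wan_ip, self.next_port)

    def inbound(self, dst_ip, dst_port):
        """Internal destination for an inbound packet, or None if dropped."""
        private = self.static_nat.get(dst_ip)
        if private is not None:
            # Static NAT translates, but a firewall rule must still permit it.
            ok = (private, dst_port) in self.allow_in
            return (private, dst_port) if ok else None
        # PAT: only replies to flows that an inside host already opened match.
        return self.pat.get((dst_ip, dst_port))

def demo():
    gw = Gateway(WAN_IP)
    gw.static_nat["1.1.1.3"] = "192.168.75.20"      # alias IP -> HTTP server
    r = {"no_rule": gw.inbound("1.1.1.3", 80)}      # NAT rule alone is not enough
    gw.allow_in.add(("192.168.75.20", 80))
    r["with_rule"] = gw.inbound("1.1.1.3", 80)
    r["other_port"] = gw.inbound("1.1.1.3", 22)     # not allowed by the firewall
    r["server_out"] = gw.outbound("192.168.75.20", 51000)
    first = gw.outbound("192.168.75.50", 51000)     # constructed LAN client
    second = gw.outbound("192.168.75.50", 51000)
    r["pat_ports"] = (first[1], second[1])
    r["pat_unsolicited"] = gw.inbound(WAN_IP, 80)   # no state, so dropped
    r["pat_reply"] = gw.inbound(*first)
    return r

if __name__ == "__main__":
    print(demo())
```

The `other_port` case shows why the inbound firewall rule should name only the service being published: the static mapping itself makes every port on the internal host addressable from the alias IP.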


ISA550 secondary WAN IP address

The IP Alias / Static NAT should work for my internal clients but it doesn't unfortunately solve the VPN issue where the ISA only seems to allow VPN termination on the WAN interface - which doesn't have a static address.

This is easy to solve on an IOS device - create a loopback for the /28 network I have statically assigned, use one to one static NAT for any internal hosts, and terminate the VPN on the loopback interface.

I've been searching around to see how others have solved this issue with other devices. It appears some Linksys routers allow you to configure the WAN interface as PPPoE and automatically receive the correct default gateway, but you can override the IP address with a self-configured one, which apparently works; however, the ISA doesn't allow you to do this either.
