Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
0
Helpful
2
Replies

How to configure ASA5512X DMZ with a Public IP address?

kkwaskcisco
Level 1
Level 1

‎08-10-2014 02:43 PM - edited ‎03-04-2019 11:31 PM

Hi;

I hav a ASA5512X firewall with 6 interface, interface 0 has been assigned to a WAN connectivity with ADSL, in which my ISP gave me two static IPs (not a block range of IP), my ISP mapped the Mac address of an interface to a ip address, this is what they called "Dynamice-Static" which is likely you research a mac address of an device on DHCP server, then it always giving you the same ip address.

Here is the scenario, in order to have the 2nd static IP, I need to give them the mac address of another interface on ASA5512x.  I am thinking to give them the interface mac address of interface #3,  however; the public ip address assigned to interface 0 is a WAN and the public ip address assigned to interface 3 will be on the same subnet from ISP, in this scenario, any problem and limitation, also; can I create a nat to translate the public ip on DMZ to one of the host in inside LAN?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎08-11-2014 12:11 PM

I am probably not understanding some parts of your explanation and so my suggestion might be on track or it might not be. The idea of the ISP providing two addresses within the same subnet, and wanting to reserve the addresses based on MAC address would make some sense if you had two devices connected via switch to the ISP. I can not understand how it would work to try to have both addresses on the same device. I do not know of a way to assign an IP address to the WAN interface of the ASA and to assign an IP of the same subnet to some other interface of the ASA.

 

I could understand using the second address as an address to NAT with on the ASA. But I am not sure if that is what you have in mind.

 

HTH

 

Rick

HTH

Rick
0 Helpful

enelson11
Level 1
Level 1

‎08-11-2014 01:09 PM

What are you trying to do? What is the purpose of the second public ip? You can use that guy for any number of things. One to one NAT for one thing or another is most common [mail server, web server, RDP terminal, ect]. All of those would go over the same interface to get out to the internet.

 

Dynamic-Static is PAT. One IP address, multiple clients using different ports. Simliar to NAT, but different in how the translation is handled.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939

 

SOOOO To answer what you are asking, just give them the MAC of the Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card