Cisco Firewall :: ASA 5510 - How To Assign Multiple Public IP Addresses
Dec 2, 2010
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
View 15 Replies
ADVERTISEMENT
Oct 13, 2011
How do i tell my firewall to start listen also on another outside ipadress assigned by my ISP? I have it used on other firewall right now. So my steps would be shutting down ip address assignment off old firewall interface. Assign that ip address to ASA5510 outside interface and configure NAT.
View 13 Replies
View Related
Sep 8, 2011
Is it possible to two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2).
View 9 Replies
View Related
Nov 2, 2011
I just thought if it's possible to make sure that only approved IP addresses for each of divisions of a company can be used.How can I assign for a port one/more public addresses and be sure that only this port is using it/them. Thing is I have only one 24 bit public Network ID provided to me by ISP. One IP address of the range is used for ISP's gateway. So I have 253 addresses to be distributed among divisions. However to avoid IP address conflicts I have to be sure that only dedicated for a division IP address/es is/are used by the division.
Router is 2821.
Switch is 2950.
View 11 Replies
View Related
Nov 20, 2011
I have a peculiar situation where I need to assign a public ip to a computer without going through firewall (for testing purpose).
I have the leased line going through a 3750 switch to the ASA 5510(15.240.1.2/30) belonging to vlan 999. ASA has default route going to 15.240.1.1/30(ISP).
I have different public ip range for LAN and WAN My WAN ip is 15.240.1.0/30, LAN ip range is 15.240.2.24/27 nated by ASA..
I want to connect the PC to the switch port belonging vlan 999 and ip address of 15.240.2.26/27.
If yes, what will be the gateway for the computer?
View 3 Replies
View Related
Nov 23, 2011
I would like to configure an 877w I just bought. It's connecting to a UK ADSL2+ link.I'm a penetration tester and I want to put the Cisco router in front of my existing firewall which has an IPS on it, so that it doesn't get in the way of port scans and vulnerability scans. My ISP has issued me with 14 usable addresses a/240 subnet and basically I want to be able to use the route with just the public IP addresses. I have configured Cisco routers before, but never with this type of configuration. It's always been single public IP address NAT'd through to one or two internal LAN's.
It will be nice if I could assign the wireless and fast ethernet ports to the same VLAN using the public addresses. I don't want to use DHCP I'm quite happy statically assigning IP addresses to the computers wireless and LAN interfaces. I am reasonably certain this is possible because not sure how to do it and a little busy at the moment carrying out penetration tests.
View 7 Replies
View Related
Feb 20, 2012
Is it possible to have multiple public IP addresses that are from different subnets going through one router? I have been told that this is not possible with most routers and that I would have to spend a lot of money on a router to be able to do it. I am still not totally clear on what defines a subnet even after reading up on them. What I am trying to achieve:
-My office has 10 computers.
-All would be connected to one router.
-My internet service provider has provided me with 10 public IP addresses, that are all very varied (which I asked for)
View 3 Replies
View Related
Mar 11, 2013
If there are any small business routers that offer one-to-one NAT? I have several public IP addresses assigned to me by CenturyLink. I have two servers that provide email and web hosting for two different domains. I want to put the client machines on one VLAN (VLAN Z) and assign it a public IP address (to keep server traffic separate). I want to put each server on its own VLAN (VLANs X & Y) and assign each server its own public IP address. I need the router to be able to provide a firewall and port forwarding for each VLAN. I also need to be able to route traffic between VLANs so the clients on VLAN Z can access their email and the websites on VLANs X and Y. I also need to be able to route DNS traffic between VLANs so each server can provide name resolution for their respective domains.
So, is this possible with a small business router or do I need to look at something different? I'm fairly certain this configuration is not possible with my current Cisco RVS4000. What it boils down to is I need a router that is capable of having multiple public IP addresses on the same interface and to forward those public addresses to private VLAN subnets. This would be one-to-one NAT if I understand it correctly..
View 5 Replies
View Related
Aug 22, 2012
The client has a Cisco RVS4000. There are 3 Internet devices need to be accessed from the outside and will use one public IP for one device. I don't see any options to setup on Cisco RVS4000 to do 3 NATs. If Cisco RVS4000 doesn't work in this situation, which router will do?
View 1 Replies
View Related
Aug 3, 2011
I have a customer that has an RSV4000 Router. The customer has also purchased a block of 5 usable public IP addresses. I need to be able to assign these public IP addresses to printers either by configuring a static IP on each printer directly or thru IP mapping or some other method. Does the RSV4000 support using multiple public IP addresses and if so what configuration is needed in the router for the printers to be seen by the outside world.
View 2 Replies
View Related
Aug 9, 2011
I have a Netgear ProSafe VPN Firewall FVX538. But I also have 10 Public IP Addresses that I will like to setup for three web services. So how do I set this up. With multiple routers. Or can my Netgear FVX538 take multiple Public IP Addresses to the same ports. If not how can setup multiple routers. one being the main one.
View 1 Replies
View Related
May 6, 2011
I have a PIX 515E that I want to use to as a border between my internet connection and my Cisco AIR1131AG. I have configured the PIX to have the outside interface as a dhcp client which gets its dynamic IP address from the cable modem. the AP is connected to the E1 inside interface. Now I could see the E1 interface from the arp table from the AP but I cannot ping it. From the firewall I don't see the ARP table from the firewall. and i cannot ping the AP. what is wrong with the configuration? side note, i am able to connect to the AIR1131AG from my laptop I was not able to retrieve an IP address.
FW1 - CONFIGURATION
interface Ethernet0 description uplink towards the techsavvy modem speed 100 nameif outside security-level 0 ip address dhcp setroute !interface Ethernet1 description >>> WIFI LAN ACCESS <<< nameif inside security-level 100 ip address 10.0.0.1 255.255.255.0
[Code].....
View 3 Replies
View Related
Sep 9, 2012
I would like to create two site-to-site VPNs, one for data and one for VoIP, between the same sites. One end is an ASA 5510 and the other is a third party firewall. Is this possible if I use different sets of IP addresses for each tunnel?
View 3 Replies
View Related
Feb 29, 2012
I just bought an SA520 to replace my existing FW.
The thing is that I have private IP adresses on my LAN, and I have been issued a public IP network for my DMZ by my ISP.
Meaning I want to NAT my LAN but not my DMZ, but I can't seem to find a way in the 520 to do that. I can only find the oprion to turn off NAT all together.
View 1 Replies
View Related
Apr 21, 2013
I am trying to figure out how this works. I have an ISP device that connects to my 1841. ISP and fa0/0 hold the /30 WAN addresses. Fa0/1 hold one of the public IPs, lets say 1.1.1.1/29. Then the outside interface of the ASA holds 1.1.1.2/29. Now I have two routes in the 1841, one for default route going back to the ISP device, and a route for the 1.1.1.0/29 network going to the ASA.Now I have 4 more publics I can use 1.1.1.3 - 6. I do not want to assign these IPs to the servers, but yet just NAT them. I know this is possible, but cant figureI took an internal host and did a one to one static NAT from private to public. Packet tracer says my NAT rules are ok. Allowed all IP traffic for testing and still can't ping the server.
View 3 Replies
View Related
Apr 28, 2013
I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.I did Static NAT 198.24.210.226 to 192.168.1.20 and 198.24.210.227 to 192.168.1.91.When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router? How can we route all of our public IP's to the outside interface(198.24.210.226)?
interface GigabitEthernet0/1nameif insideip address 192.168.1.1 255.255.255.0security-level 100no shutdown
interface GigabitEthernet0/0nameif outsideip address 198.24.210.226
[Code].....
View 9 Replies
View Related
Mar 9, 2013
I have three public IP:s from /24 network like 83.x.x.10, 83.x.x.25 and 83.x.x.41 all using netmask 255.255.255.0.
I'm using 83.x.x.10 on ASA outside interface and trying to do static nat for inside servers with those other IP:s, but not yet solved it.
Using Cisco ASA 5505 software v9.02
Config:
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
object network w2008
host 192.168.1.10
[code]....
This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...
It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.
View 4 Replies
View Related
Oct 16, 2012
I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (201.148.156.193/28), one IP valid (201.148.156.194) have the Global NAT (all users LAN) and server FTP, but i need that IP 201.148.156.195 is used for VCSe, and the IP 201.148.156.196 is used for other server FTP.
View 5 Replies
View Related
Sep 10, 2011
Attached is my updated ASA 5505 (8.4[2]) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound. No DNS, nothing.
The laptop is windows, the other two are servers with two NICs. The interface cards are Intel Pro/1000s. I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).
View 19 Replies
View Related
Apr 30, 2013
I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
Object NAT is configured as follows:
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Onj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
View 5 Replies
View Related
Oct 6, 2011
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
View 3 Replies
View Related
Jun 21, 2012
ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 168.87.3.4.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.
View 1 Replies
View Related
Jun 22, 2011
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
View 7 Replies
View Related
Jul 28, 2011
I have a request to establish a site to site VPN with a customer. While collecting the information I give them our local network subnet which is a private subnet (192.168.5.0). They asked me if I could give them a public address instead. They can not work with the 192.168.5 subnet. Is this possible?
My side of the VPN is an ASA 5505 running 8.2(2). The other side i believe is a Checkpoint.
View 5 Replies
View Related
Jul 12, 2011
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?
View 9 Replies
View Related
Mar 16, 2011
we have hosted voip and would like have our internet as back for their router. We gave them public static ip so they can configure that in their router. How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.
View 4 Replies
View Related
Jul 22, 2012
I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have 192.168.101.0/27 private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.
View 9 Replies
View Related
Aug 31, 2011
i just got an extra public subnet from our ISP (co hosting center) But I can't figure out how to use them on my ASA.
New:
IP-adresses: 87.1.1.194 - 87.1.1.254
Default gateway: 87.1.1.193
Subnetmask: 255.255.255.192
Old:
IP-adresses: 200.1.1.34 - 200.1.1.46
Default gateway: 200.1.1.33
Subnetmask: 255.255.255.240
Config:
route wan 0.0.0.0 0.0.0.0 200.1.1.33 1
And statics like:
static (interface,wan) tcp 200.1.1.37 3389 192.168.3.100 3389 netmask 255.255.255.255
View 22 Replies
View Related
Sep 5, 2012
We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.
View 7 Replies
View Related
Mar 3, 2013
I have DMZ n/w 192.166.0.0/24 on which i have nated on public ip
-private ip : 192.16.0.201 (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2
View 13 Replies
View Related
Oct 17, 2011
We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from 172.16.3.251 to 1.1.1.1 we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside
172.16.3.251 /37166 dst outside:1.1.1.1/23
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?
View 13 Replies
View Related
May 7, 2012
I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?
View 1 Replies
View Related
Dec 5, 2011
how do i assign IP addresses to 10 computers in a network?
View 3 Replies
View Related
