Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

i have an ASA 5520 8.4(1) setup as follows
      public wan
       ASA-- public dmz
      private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?

View 6 Replies


Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP: are two servers inside the network with the private IP's: for DB Server, and for Web Server.I did Static NAT to  and to I access DB Server( it's working OK but when I access Web Server( there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(

interface GigabitEthernet0/1nameif insideip address 100no shutdown
interface GigabitEthernet0/0nameif outsideip address


View 9 Replies View Related

Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (, one IP valid ( have the Global NAT (all users LAN) and server FTP, but i need that IP is used for VCSe, and the IP is used for other server FTP.

View 5 Replies View Related

Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How to setup this Nat on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to Nat two dmz mail servers to one public mx record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to Nat two private IP’s to one public.

View 1 Replies View Related

Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IP's that NAT to many servers etc and we use it for our Corp VPN.  We are changing ISPs soon and we will be getting a new block of public IPs   where do I even start to plan the migration and how?  Can I overlap somehow and do a slow migration or must I do it in one big swoop?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's. The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data UN-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

View 1 Replies View Related

Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network -
Remote Network -
Remote Peer -
.ASA Version 8.2(5)
hostname ciscoasa


View 4 Replies View Related

Cisco VPN :: ASA 5520 SSL Using Different IP Than Public

Nov 6, 2012

I am trying to configure a SSL VPN on a Cisco ASA5520. Unfortunately the port 443 of the OUTSIDE interface of ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me to use the public IP of the ASA as Cisco VPN ip address for the webpage. I don't either want to use a different port so to keep life easy for the users.I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface.

View 7 Replies View Related

Cisco VPN :: 5520 - Use Public IP As Local Encryption Network

Mar 5, 2012

We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA.  We have multiple VPNs on this firewall. 
The issue with the latest one is they require a Public IP as the Local Encryption Network.  I've seen this question a couple times while searching but never really a definitive answer.
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient?  Or would this not work at all?
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66.  Would using X1.X1.X1.64/28 as the local encryption network make the connection?  Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would work over command line).
Edit:  Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool.  And make that our Local Encrypted Network?  I think this might be it, but could it cause IP overlapping?  Our webserver is part of this and I'm worried about causing connection issues.

View 8 Replies View Related

Cisco Firewall :: 80 / 443 - How To NAT Public Address To DMZ

May 13, 2011

1. how do I nat a public address to a dmz address.

2. how do I open port 80/443 in the public to this address?

View 1 Replies View Related

Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP:
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services:
-One server houses drac management (port 445):
-One server is the IP phone server using a range of ports:
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]

View 11 Replies View Related

Cisco Firewall :: Setup 2nd Public IP In ASA 5510?

Mar 16, 2011

we have hosted voip and would like have our internet as back for their router.  We gave them public static ip so they can configure that in their router.  How can i configure the ip address in our firewall let say on asa5510 ethernet port 3 so if their router T1 goes out then our internet will work as backup.

View 4 Replies View Related

Cisco Firewall :: Map Public IP To Private In DMZ In ASA 5510?

Jul 22, 2012

I am now using ASA 5510 as a firewall device.I have configured 3 interfaces ethernet 0/0,ethernet 0/1,ethernet 0/2 as Wan interface, DMZ interface and Internal Lan interface. Internet is working fine from LAN as well as DMZ.The WAN interface use the Public Point 2 point IP(/30) Provided by the ISP and  another pool of Public Ip is also provided by the ISP (/28). Now I want to Map the /28 IP to some servers in DMZ . DMZ servers currently have private IP . Now the problem is how to Map the Public IP to those Private IP in DMZ servers.

View 9 Replies View Related

Cisco Firewall :: Two Public IP Blocks On ASA 5505?

Jan 16, 2013

We have 2 IP blocks from my ISP.  We have been using just one a /30 block with one IP address used on the outside interface of the device.  The new block is a /29 range and I would need to use just two of those IP addresses.  Here is the situation I am facing.A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA.  Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)?  I know that it might require an upgrade to the Security Plus.

View 7 Replies View Related

Cisco Firewall :: Add Public IP / 29 With Port 51241 In ASA?

Oct 7, 2012

I am having normal network need to add public ip / 29 with port 51241 in ASA firewall

View 8 Replies View Related

Cisco Firewall :: ASA 5505 Grabbing More Public IPs From ISP

May 2, 2013

The client I am doing work for as ASA 5505 at a remote location that is using Cox Communications for the ISP.  The ISP assigned 5 static IP addresses, but we only need 1 for this location.  However, that is the minimum you get no matter what.  The issue is that the subnet mask is a /25 and what they are telling me is that the ASA is grabbing all the IP addresses in that range.  They asked if there is anyway to keep the ASA from grabbing those IP addresses.  Now, I have never run into this issue before with a provider.  The gateway is in the /25 subnet, so going to a /30 isn't an option.

View 5 Replies View Related

Cisco Firewall :: ASA 5510 Two Public IP Subnets?

Aug 31, 2011

i just got an extra public subnet from our ISP (co hosting center) But I can't figure out how to use them on my ASA.

IP-adresses: -
Default gateway:

IP-adresses: -
Default gateway:

route wan 1
And statics like:

static (interface,wan) tcp 3389 3389 netmask

View 22 Replies View Related

Cisco Firewall :: ASA 8.4 NAT Static And Dynamic With Same Public IP

Nov 8, 2011

in ASA 8.4, I need to use to static nat an internal IP with a public IP and use the same public IP to dynamic nat another internal IP:
-nat (inside,outside) source static IP1_PRIVATE IP_PUBLIC
-nat (inside,outside) source dynamic IP2_PRIVATE IP_PUBLIC
All outgoing connection from IP1_PRIVATE and IP2_PRIVATE should be natted to IP_PUBLIC and all incoming connection to IP_PUBLIC should be forwarded to IP1_PRIVATE: is it correct ?

View 3 Replies View Related

Cisco Firewall :: 5510 NAT Public Ip To Private

Sep 5, 2012

We have the setup as shown above, our requirement is to access mail server via ports smtp and pop3.But as the mailserver is hosted at internet users at site were not able to aceess. we need to nat a intranet ip with mail server ip and mail server ip back to intranet ip and provide the access.We use ASA 5510 firewall.

View 7 Replies View Related

Cisco Firewall :: No Traffic To Public Servers PIX 515

Jun 8, 2011

Upgrading from a PIX 515 ,V6.2, I can get internet traffic out through the ASA , but no traffic in to the servers. The NATS are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 netwrok to a publilc address. No changes have taken place on the routers. [code]

View 3 Replies View Related

Cisco Firewall :: ASA5520 And Public IP Zone

Apr 5, 2011

I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
My question is this:
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.

View 3 Replies View Related

Cisco Firewall :: ASA5505 Multiple Public IP NAT

Mar 9, 2013

I have three public IP:s from /24 network like 83.x.x.10, 83.x.x.25 and 83.x.x.41 all using netmask

I'm using 83.x.x.10 on ASA outside interface and trying to do static nat for inside servers with those other IP:s, but not yet solved it.
Using Cisco ASA 5505 software v9.02
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
object network w2008


This works other networks that are like whole network with /29 mask and have router in front of ASA using bridge. But in my case i just have DSL modem bridged in front of ASA. This static nat works like should if i use like Zywall USG series fw and this same configuration works in my customers, but they have those scenarios i said having mask /29 and router in front...
It seems that the problem is in ASA, like i won't show those public IP:s to public router from my operator. Because if i roll those other public IP:s on my ASA:s outside interface: i will use 83.x.x.25 and 83.x.x.41 on outside interface and after that put back my original 83.x.x.10 then my static nat is working just fine, atleast few hours, but not in next morning because ISP router flushes ARP cache.

View 4 Replies View Related

Cisco Firewall :: ASA5515 V8.6(1)2 NAT Dmz Public Server?

May 15, 2013

Could I get a validation that this config is correct in that it allows inbound access to the web server and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for DMZ WebServer, but I found the object NAT parts did not work with my 8.6 IOS so I modified them as shown in my config.Example from 115904 doc.

object network WebServerPublic
object network WebServerPrivate
nat(dmz,outside) static WebServerPublic service tcp www www ---> this does not code
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to web server.And I cannot browse in from the outside to it either.I do see the MAC for in the ASA's arp cache for the dmz interface.The web server is on a VMware ESX environment and I'm not sure it is set up correctly.

ASA Version 8.6(1)2
hostname A5515
interface GigabitEthernet0/0


View 4 Replies View Related

Cisco Firewall :: Any ASA 8.4(3) And VPN Client For Public Internet VPN

Apr 1, 2012

Any ASA 8.4(3) and VPN Client for Public Internet VPN Configuration Example? I followed this discussion, I can connect to vpn but failed to access internet and local network device?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Need To Allow Public IP (OWA) Access To DMZ

Mar 3, 2013

I have DMZ n/w on which i have nated on public ip
-private ip : (OWA)
-public ip : 61.x.x.x.
when i try to access owa(public ip ) from dmz it is not allowing , From what rules i need to set to get work ASA 5510 8.2

View 13 Replies View Related

Cisco Firewall :: ASA 5510 - NAT With 2 ISPs / 2 Different Public IP?

Oct 17, 2011

We have an issue with some NAT on an ASA 5510. Here is a simplified drawing of the ASA setup:So the issue is when we try to send traffic from to we got this message in the log:
Oct 18 2011 12:32:12: %ASA-3-305006: portmap translation creation failed for udp src inside /37166 dst outside:
It looks like there is an issue with NAT but maybe is cause of the DUAL ISP setup as packets are routed through the outside interface and not IPtelefoni_outisde?

View 13 Replies View Related

Cisco Firewall :: Pix 535 / Traverse From Inside To Outside Public IP

May 18, 2011

I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface.  For example:
Host, translated to PAT pool
Server, translated to
Inside-out access-list permits ip any any
Outside-in access-list permits tcp any eq 80
From my inside host, I can get go  I can get out to the internet.  External hosts can successfully get to (address scheme is theoretical).  I can do everything except for connect to (the translated public IP address) from my inside host address.  I did not setup this firewall originally, but I can't see a blatant command that makes this not work.  I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy. I'm running a Pix 535 /w 8.0.4.  The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts.  I have a friend running the same software set and his works as expected without these static (inside, inside) NATs. 

View 2 Replies View Related

Cisco Firewall :: ASA 5505 - Multiple Public IP

Sep 10, 2011

Attached is my updated ASA 5505 (8.4[2]) config. With this config, basically the "laptop" group works fine, but the leo and orion groups don't ever receive packets inbound.  No DNS, nothing.
The laptop is windows, the other two are servers with two NICs.  The interface cards are Intel Pro/1000s.   I've been through everything including Vlan protocol conflicts and actually enabled the servers for 802.1(Q).

View 19 Replies View Related

Cisco Firewall :: Public IP Addresses On DMZ (SA520)

Feb 29, 2012

I just bought an SA520 to replace my existing FW.
The thing is that I have private IP adresses on my LAN, and I have been issued a public IP network for my DMZ by my ISP.
Meaning I want to NAT my LAN but not my DMZ, but I can't seem to find a way in the 520 to do that. I can only find the oprion to turn off NAT all together.

View 1 Replies View Related

Cisco Firewall :: ASA Version 9.1 / Nat Two Public IPs To Same Internal IP?

May 1, 2013

I have a requirement to nat two public ip addresses to same interanl ip address.  Is this possible on ASA version 9.1?

View 3 Replies View Related

Cisco Firewall :: Public IP In DMZ On ASA 5510 Bridging?

May 7, 2012

I have a new 5510 which I have upgraded to 8.4(3). I have a /29 subnet from the telco on my outside interface. I have 6 subinterfaces on a dot1Q trunk on my inside interface. The customer requirement is to have two servers in a DMZ which have public IP's from the /29 subnet. The customer will not give the servers a new IP address so we are stuck with the two public IPs in the DMZ. I thought I would need a bridge group and bridge the outside, two DMZ interfaces but I read that bridging requires the firewall to be in transparent mode and then it won't support VPNs - this is not an option as I need to terminate VPNs on the box too.
how can I accommodate the two servers in the DMZ with public IPs whilst the ASA is in routed mode ?

View 1 Replies View Related

Copyrights 2005-15, All rights reserved