Cisco Firewall :: ASA 5520 - Second IP Range On Public Interface For NATing

Jul 9, 2012

I have a Cisco ASA 5520 (Ver 8.2(4)) with all four interfaces in use (Public, Private, DMZ, Local offices) and an IPS module, so there are no spare interfaces. I have used all of Public IP's on the current interface for various services (these need one to one mapping, so I can't port map mainly due to SSL certificate issues) and I need to add another Public IP range. The secondary option on ASA interfaces does not exist as on routers/switches and I need to use an additional non contiguous IP address range for additional services advertised on the Public interface that are NAT'd to be servers in my DMZ.
I have seen an example of adding a static arp on the Private interface to allow a secondary gateway to be used for outbound traffic, but I need to allow 14 new IP addresses to be NAT'd from the Public to DMZ and possibly also for outbound NAT'ing (from either Private or DMZ to the Public). I have a L2 switch between the ISP router and the firewall, so using VLAN's is not an option unless the ISP can be persuaded (highly unlikey) to add the seondary IP's as a sub interface with tagging. Anyway if this was actioned then we would have a massive outage on our current IP range during the transistion.

View 3 Replies


Cisco Firewall :: ASA 5520 / 8.6 Allow Publishing To Only One Range Of Public IP

Apr 19, 2013

Any confirmation that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?
We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.
With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to. Also tried the 9.0 version with the same result.

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Routing / NATing From Internal Network To Outside Interface IP

Jun 3, 2012

I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing

View 1 Replies View Related

Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

i have an ASA 5520 8.4(1) setup as follows
      public wan
       ASA-- public dmz
      private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?

View 6 Replies View Related

Cisco Wireless :: ASA 5510 NATing 2 Internal IPs To 1 Public IP

Apr 27, 2013

I have a doubt on how do nat 2 internal ip addresses to 1 public ip for FTP uses.
As I know Cisco ASA cannot use to nat 2 internal ips to 1 public ip as the ASA cannot read the host header. It there anyway to control it by using acl or network object group?
My current configuration for nat 1 internal ip to 1 public ip:
static (firewall-dmz,firewall-outside) tcp 210.19.xx.xx 21 21 netmask  dns

View 1 Replies View Related

Cisco Firewall :: Multiple Public IPs On ASA 5520?

Apr 28, 2013

I have ASA 5520 with Ver 8.2.Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP: are two servers inside the network with the private IP's: for DB Server, and for Web Server.I did Static NAT to  and to I access DB Server( it's working OK but when I access Web Server( there is no response at all.I checked the inside traffic, it even did not get into the firewall.Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(

interface GigabitEthernet0/1nameif insideip address 100no shutdown
interface GigabitEthernet0/0nameif outsideip address


View 9 Replies View Related

Cisco Firewall :: ASA 5520 / Outside With Multiple IP Public?

Oct 16, 2012

I have ASA 5520 with Version 8.2(5), the ISP give me a block of IP pubic (, one IP valid ( have the Global NAT (all users LAN) and server FTP, but i need that IP is used for VCSe, and the IP is used for other server FTP.

View 5 Replies View Related

Cisco Firewall :: 5520 - Two Private To One Public Email NAT Going

Nov 8, 2011

How to setup this Nat on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to Nat two dmz mail servers to one public mx record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to Nat two private IP’s to one public.

View 1 Replies View Related

Cisco Firewall :: Changing ISP / Updating The Public IPs On ASA 5520

Jun 11, 2013

We have 2 x ASA 5520s in active/standby and we have a block of 30 public IP's that NAT to many servers etc and we use it for our Corp VPN.  We are changing ISPs soon and we will be getting a new block of public IPs   where do I even start to plan the migration and how?  Can I overlap somehow and do a slow migration or must I do it in one big swoop?

View 1 Replies View Related

Cisco Firewall :: 5520 Non-natted IP Range

Nov 8, 2011

I am having to NAT an IP range on our ASA 5520 as a remote VPN has the same IP range.  The NAT is done, but for the source access list on our ASA do I need to use our natted IP range or the non-natted IP range?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Host 300+ Secure Websites Using Couple Of Public IPs

Jun 22, 2011

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's. The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data UN-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

View 1 Replies View Related

Cisco Firewall :: 5520 - Multiple Global IP Address Range On ASA Outside I/f

Mar 17, 2011

Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?

View 2 Replies View Related

Cisco Firewall :: 5510 - ASA 8.4 - How To Setup Additional Public IP's On Outside Interface

May 10, 2012

getting my additional IP addresses working on my ASA 5510.  I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface.   However, I now need to setup a second IP address that maps internally to a different web server.  When I setup a new network object with automatic NAT translation to the new IP address, it does not work.  If I setup the same scenario using the outside interface, it works fine.  What is the proper way to setup additional IP address on my ASA v8.4? 

View 10 Replies View Related

Cisco Firewall :: ASA5510 - Change Public IP Address On Outside Interface?

Mar 10, 2011

we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.

From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Additional Public IPs Added To Outside Interface

Jul 31, 2012

I have run out of public facing IP addresses and I need more. Assuming I have been issued and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the range.

i.e.existing config
route (upstream ISP)
Interface outside ip address
 NAT to

or, assume my ISP will deliver to my outside interface ( and if my NAT is in place it will get delivered to inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?

i.e = to
Outside interface =

Can I use and NAT it to an internal server?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Create Network Object For Range Of Hosts?

Oct 25, 2011

I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.

View 1 Replies View Related

Cisco Firewall :: ASA5525-X / Accessing IPs Of Public Servers From Inside Interface?

Oct 30, 2012

Got an ASA5525-X with 8.6 release. We have an inside interface ( and a DMZ interface ( On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip ( I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.

View 7 Replies View Related

Cisco Firewall :: Disable Admin / ASDM Access Only On Public Interface Of 5510

Oct 12, 2011

how to totaly disable Admin/ASDM access on our public interface of our 5510.  I don't want to change IPSec or SSL access to the outside interface.  Just totaly disable access to Admin/ASDM from the outside without halting all other access.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 3845 - Open Port Range On Secondary IPs On Router Interface

Feb 12, 2013

I have 4 public IPs on Router 3845 interface FastEthernet 0/0/1. IP as below. secondary secondary secondary
I wan to allow ports 80 to 90 on for my webserver (

View 5 Replies View Related

Cisco Firewall :: Add Second IP To Outside Interface Of ASA 5520?

Nov 15, 2011

We have a block of addresses assigned to us by our ISP.  We need to assign one of these addresses to a vendor we use for traffic to one of their internal devices.  Lets say the address we gave them out of that block of addresses is
How do I add that address to the outside interface so that when traffic s sent to it that the traffic actually gets to the ASA as right now when we send traffic to that address it doean't make it to the ASA.

View 1 Replies View Related

Cisco Firewall :: 5520 - Cannot Ping Through Outside Interface

Feb 3, 2013

I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96


View 4 Replies View Related

Cisco Firewall :: ASA 5520 Interface Overrun?

Feb 23, 2011

Recently our network experience a Internal DoS attack. One internal server ( the network/security team doesnt have any access to the adninistration of these server) starts to send a lot of DNS bogus request to some DNS servers on the Internet. With sh conn detail we saw the IP of these server and blocked it with an ACL in the Internal ASA 5520 interface. After that, the server team disconnect the server, and made their job cleaning these infected device.  Everything goes normal again....
 Today, the same server starts again with the same problem. But a lot  worst thant the first time. The ASA starts to drops packets in the internal interface, the overruns was increasing dramatically ( like 10000 per second), the asp-drop table shows the same amount of traffic than interface overruns in the ACL-Drop line , and the CNT blocks for  16xxx with sh blocks was in zero. The sh acess-list INSIDE shows near 9 million hints in the line that deny the DNS request from the server to the Internet. Again, we disconnect the server and the problem was solved by the server team.
 It seems that our ASA cant handle in their internal interface the amount of traffic that these server send outbound. IS there anyway to raise the blocks in the firewall?  What is the best way to deny the servers connections ( ACL, or MPF or threat detection maybe), and avoid the ASA interface overruns even when the server sends these large amount of request.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - SNMP Outside Interface

Mar 16, 2013

i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 / Same Security Level Interface ACL?

Nov 10, 2011

On a Cisco ASA 5520.  I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface"  I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.  
interface GigabitEthernet0/3.175
 vlan 175    
 nameif Test175
 security-level 30
 ip address


View 13 Replies View Related

Cisco Firewall :: Move ASA 5520 Fail Over Interface

Jun 21, 2011

I am currently using g0/3 for failover between my two ASA5520's.  I would like to move that to the management interface to free up g0/3 for a second DMZ segment.  are there any implications to doing this live other than i would only have a single ASA during the move?

View 1 Replies View Related

Cisco Firewall :: 5520 - Configuring ASA Management On Sub-interface

Jul 27, 2010

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
I need to use 4 interfaces four data traffic
1- Inside
2- Outside
3- dmz-1
4- dmz-2
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
1- I used the management0/0 for The stateful failover.
2- I used gig 0 for outside
3- I used gig 1 for inside
4- I used gig 2 for dmz-1
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only

View 6 Replies View Related

Cisco Firewall ::5520 - NAT SIP Registration From Outside To Inside Interface On ASA?

Mar 7, 2012

I'm trying to NAT SIP registration from OUTSIDE interface to Inside interface on ASA

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Check Which IPs Hitting On Particular Interface

Sep 23, 2012

I have a cisco asa 5520 and suddendley in my Network Monitor tool,(using SNMP)  asa's DMZ interface traffic is showing arround 90000 Kbit/s .
i want to check which traffic is flowing throgh this interface.(Ip address details)
Note : There is no impact on asa CPU usage.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 8.4 Failover Interface Testing?

Jan 3, 2012

From ASA 5520 we tested the interface failover it not working even the interface are getting monitor . 
primary is active.
Manually we shut the outside interface of the primary device configuration is getting reflecting in secondary as outside interface shut. Interface failover not happen.
ii All the interface are getting monitor when we gave command sh failover. even though when we shut outside interface failove not happening.
how to do the interface failover in ASA 8.4 version.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Flags SYN ACK On Interface Dmz1

Jul 12, 2012

I know this issue probably has been beat to death, but I have yet to find the answer to my situation. We recently upgraded from a PIX515e to ASA5520. Shortly after the install I noticed a problem with the servers on our DMZ. This problem was NOT present with our old 515e. The problem is that there seems to be a communication problem between servers on the DMZ, specifically when I try to open the web server homepage from my mail server, I get time-outs. When I ping between the two in either direction, I get time-outs. This might seem trivial, but I have other data servers on the DMZ that need to communicate between themselves.

When we question the tech that performed the install, his answer was that there might be a problem with the switch the servers are connected to, or the servers might have a virus. He stated the process of ping should never involve the DMZ interface. And yes, our DMZ interface IP is the gateway for the servers. Now, if the DMZ (ASA) should never come into play with a ping, why when I turned on logging did I receive the error below? It sounds to me that the ping is going through the interface. Here are a few of the errors on the DMZ with the specific server IPs.
july 13 2012 12:50:04 106014 Deny inbound icmp src dmz1 dst dmz1 type 8, code 0
The ping problem was only used as an example the demonstrate that there is a comm problem on the DMZ. ASA is running in router mode.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Static Route To Inside Interface

Mar 29, 2011

I have inherited an ASA 5520.  In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP.  I am trying to understand the purpose of this route or why a route would be setup this way.

Example Static Route:
Inside 10.xx.31.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)

View 2 Replies View Related

Cisco Firewall :: Edge Router Connection For Outside Interface Of ASA 5520

May 1, 2013

We have ASA 5520 firewall.For broadband Internet access, we have T1 Router(edge router provided by ISP) which provides public IP's / 29. We have usable public IP's - with default gateway We assigned to the outside interface.
If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses reach the outside interface without using other device like another router or switches?I just assume that only packets with destination address interface ip) can reach the outside interface from the edge router.Is it wrong assumption?  If it is correct, then is there any way to route all packets with destination address to the outside interface?

View 3 Replies View Related

Copyrights 2005-15, All rights reserved