james1052

Bind IP aliases to ASA 5510 WAN interface

Jul 11th, 2012
From http://tinyurl.com/cqt7fx8

( http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26166375.html )


Question
Cisco ASA 5510 - multiple IPs on outside interface
Asked by: francoisxi

Hi folks,

Currently have a single static on an ASA 5510, but am upgrading to a block of 5. How does one go about assigning a range of said static IPs to the firewall? Is it as simple as replacing the single with the range on the outside interface in the configuration? Just want to make sure before I do anything.

Thanks in advance

Francis


by: rharland2009, posted on 2010-05-06 at 12:26:23, ID: 32656577

You don't have to assign all five addresses to the interface. Those other addresses are for you to use for public-to-private mappings, DMZ boxes, or other devices you want on the public side of your ASA.

by: mushkov, posted on 2010-05-06 at 12:33:05, ID: 32656618

rharland is correct. You can use the other static addresses to NAT to various hosts in your network by issuing the following command:

static (<inside interface name>,<outside interface name>) <public IP address> <private IP address> netmask 255.255.255.255

So if you had a public IP of 99.99.99.99 and a private IP of a host of 10.10.10.10, and your interface names are OUTSIDE and INSIDE, you would issue:

static (INSIDE,OUTSIDE) 99.99.99.99 10.10.10.10 netmask 255.255.255.255

Note that this would only affect incoming requests to 99.99.99.99. Outgoing NAT would depend on your global statement.

For more information see: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

by: 172pilotSteve, posted on 2010-05-07 at 05:38:48, ID: 32661439

In my experience, just specifying the NAT commands won't work on the ASA.

For me, before it would work, I had to add static ARP entries for the other outside IPs, so that it would know to respond:

arp outside IP2 001b.d594.f622 alias
arp outside IP3 001b.d594.f622 alias
arp outside IP4 001b.d594.f622 alias
arp outside IP5 001b.d594.f622 alias


All using the same MAC as the physical outside port, as determined by "show interface outside" as follows:

StevesASA# sh int outside
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001b.d594.f622, MTU 1500

Good luck!

-Steve

by: 172pilotSteve, posted on 2010-05-07 at 05:40:23, ID: 32661460

By the way - IP2 through IP5 are just names in my config, and could just as easily have been the actual IP addresses, but I did this:

name xxx.xxx.162.73 IP1 description External addr 1
name xxx.xxx.162.74 IP2
name xxx.xxx.162.75 IP3
name xxx.xxx.162.76 IP4
name xxx.xxx.162.77 IP5

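Added example, not part of the thread: a small Python check that ties mushkov's "static" entries to Steve's "arp ... alias" entries. It parses a constructed pre-8.3 ASA config fragment ("name" aliases, "static" NAT lines, "arp outside ... alias" lines) together with constructed "show interface outside" output, resolves names to addresses the way Steve's config does, and reports any public address that has a static but no ARP alias, or whose alias carries a MAC other than the outside interface's own. The interface name "outside", the addresses and the interface MAC from the thread are assumptions for the sample.

```python
import re

# Constructed sample config in the style of the thread: "name" aliases,
# pre-8.3 "static" NAT entries and "arp ... alias" entries (one deliberately
# carries the wrong MAC, and 203.0.113.76 has no alias at all).
SAMPLE_CONFIG = """\
name 203.0.113.73 IP1 description External addr 1
name 203.0.113.74 IP2
name 203.0.113.75 IP3
static (INSIDE,OUTSIDE) IP2 10.10.10.10 netmask 255.255.255.255
static (INSIDE,OUTSIDE) IP3 10.10.10.11 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 203.0.113.76 10.10.10.12 netmask 255.255.255.255
arp outside IP2 001b.d594.f622 alias
arp outside IP3 0000.0000.0001 alias
"""
# Constructed "show interface outside" output (MAC as quoted in the thread).
SAMPLE_SHOW_INT = """\
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001b.d594.f622, MTU 1500
"""
MAC_RE = re.compile(r"MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def interface_mac(show_int):
    """Pull the interface MAC out of 'show interface <name>' output."""
    m = MAC_RE.search(show_int)
    return m.group(1).lower() if m else None

def audit(config, show_int, outside="outside"):
    """Findings: statics lacking an ARP alias, or an alias whose MAC differs."""
    names, statics, arps = {}, [], {}
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "name":            # name <ip> <alias> ...
            names[p[2]] = p[1]
        elif len(p) >= 4 and p[0] == "static":        # static (in,out) <pub> <priv> ...
            statics.append((p[2], p[3]))
        elif len(p) >= 5 and p[0] == "arp" and p[1] == outside and p[4] == "alias":
            arps[p[2]] = p[3].lower()                 # arp outside <ip> <mac> alias
    resolve = lambda tok: names.get(tok, tok)         # alias -> IP, else as written
    alias_macs = {resolve(ip): mac for ip, mac in arps.items()}
    own_mac = interface_mac(show_int)
    findings = []
    for pub, _priv in statics:
        pub_ip = resolve(pub)
        if pub_ip not in alias_macs:
            findings.append(f"missing-arp-alias {pub_ip}")
        elif alias_macs[pub_ip] != own_mac:
            findings.append(f"mac-mismatch {pub_ip} {alias_macs[pub_ip]}")
    return findings
```

Run audit(SAMPLE_CONFIG, SAMPLE_SHOW_INT) to list the two problems planted in the sample; on a real box, feed it the output of "show running-config" and "show interface outside" instead.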
by: francoisxi, posted on 2010-05-08 at 11:42:53, ID: 32669816

Added the static NAT route as defined, and then was able to assign firewall access rules and everything works!