Firewall – Cisco ASA Multiple Public IP

cisco, firewall, networking

I have a Cisco ASA5510, and articles related to ASA and multiple public IPs say this can't be done. My question is how to best solve a scenario like this:

I have 3 zones, Outside, Inside and DMZ

  • Outside is Internet
  • Inside is Client machines
  • DMZ is a zone for servers related to external and internal services.

My scenario is a bit more complex, but to keep things simple this will do:

I want to place an Exchange server and a web server (externally reachable in the DMZ zone)

The webserver uses both TCP80/443, the Exchange server uses 443

So to the problem:
With the ASA only having one public IP, how would you make a DNAT to port 443 on both the internal hosts behind 1 public IP? Usually, when I do this kind of scenario with Linux boxes I use alias interfaces like eth0:0, eth0:1 and set 1 public IP on each.

To me this must be a pretty common scenario; any ideas on how to solve it with ASA?

/KGDI

Best Answer

First of all, if you truly only have one single public IP, this isn't going to work: you can't port forward the same port to two internal hosts.

If though you have a range of IPs, perhaps your ISP has given you a small /29 subnet, then you are in luck. If they are routing a /29 to your ASA then obviously as usual, you can only configure one IP on the outside interface but if it is receiving traffic for those additional IPs it can work with them.

(The below is an example from an ASA that gets assigned an IP over PPPoE and the ISP routes a /29 to that interface, but if for example your uplink is an Ethernet segment, ASAs can use proxy ARP).

As you haven't given the version of ASA OS you are running I can't be more specific, so here is an example I have used, which is on 8.2. This is allowing RDP (port 3389) on a second public IP in the same subnet routed to the ASA, to a second internal host (I have included the default NAT rules etc. so you can see the bigger picture).

! Assume we get assigned the public IP 1.2.3.4, and also in this subnet
! routed to the ASA is 1.2.3.5
! RDP to 1.2.3.5 goes to 2nd internal host 192.168.0.20.
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PNDSL
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
! Pre-8.3 ACLs match the translated (public) address, hence "host 1.2.3.5"
access-list inside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list rdp_inbound extended permit tcp any interface outside eq 3389
access-list rdp_inbound_54 extended permit tcp any host 1.2.3.5 eq 3389 log
!
! Outbound PAT for inside hosts behind the interface IP (nat id 1);
! nat id 0 exempts traffic matching inside_nat0_outbound from NAT
global (outside) 1 interface
global (outside) 2 1.2.3.5
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! One-to-one static NAT: everything addressed to 1.2.3.5 maps to 192.168.0.20;
! the ASA proxy-ARPs for 1.2.3.5 on the outside segment
static (inside,outside) 1.2.3.5 192.168.0.20 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group rdp_inbound_54 in interface outside
access-group outside_access_out out interface outside

I hope this is the correct config for you, been focusing on 8.4 as the changes they have introduced are too much for my simple brain and pre-8.4 stuff is falling out of my nose!
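As an added example (not from the original answer), here is the asker's actual scenario, a web server on tcp/80 and tcp/443 plus an Exchange server on tcp/443 in the DMZ, with the web server behind the ASA's own outside address and Exchange behind a second public IP. The addresses are assumed: outside interface 1.2.3.4, second public IP 1.2.3.5 (either routed to the ASA or in the outside subnet, where the ASA proxy-ARPs for it), DMZ interface named "dmz", web server 192.168.0.10, Exchange 192.168.0.20. The first half is pre-8.3 syntax matching the answer above; the second half is the equivalent object NAT syntax for 8.3 and later, where NAT moves onto network objects and interface ACLs reference the real (private) address instead of the translated one. Port-level statics are used rather than one-to-one, so only the listed ports are ever exposed, and the inbound ACL permits only those ports rather than "ip any any".

```cisco
! ---------- ASA 8.2 and earlier ----------
! Web server: forward 80 and 443 on the interface's own public IP (1.2.3.4)
static (dmz,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 443 192.168.0.10 443 netmask 255.255.255.255
! Exchange: forward only 443 on the second public IP (1.2.3.5)
static (dmz,outside) tcp 1.2.3.5 443 192.168.0.20 443 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the translated (public) address
access-list outside_access_in extended permit tcp any interface outside eq 80
access-list outside_access_in extended permit tcp any interface outside eq 443
access-list outside_access_in extended permit tcp any host 1.2.3.5 eq 443
access-group outside_access_in in interface outside

! ---------- ASA 8.3 and later (object NAT) ----------
! Each network object carries at most one nat statement, so one object per forward
object network web_srv
 host 192.168.0.10
object network exch_srv
 host 192.168.0.20
object network web_srv_80
 host 192.168.0.10
 nat (dmz,outside) static interface service tcp 80 80
object network web_srv_443
 host 192.168.0.10
 nat (dmz,outside) static interface service tcp 443 443
object network exch_srv_443
 host 192.168.0.20
 nat (dmz,outside) static 1.2.3.5 service tcp 443 443
!
! Post-8.3 ACLs match the real (private) address
access-list outside_access_in extended permit tcp any object web_srv eq 80
access-list outside_access_in extended permit tcp any object web_srv eq 443
access-list outside_access_in extended permit tcp any object exch_srv eq 443
access-group outside_access_in in interface outside
```

After applying either variant, "show xlate" should list the static translations for both hosts, and "packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.5 443" (source address constructed) walks the NAT and ACL phases so you can confirm the Exchange host is reached on 443 and nothing else on 1.2.3.5 is permitted.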