
Need multiple non-subnetted IPs on ASA external interface 2


swarner1

Technical User
Apr 11, 2009
6
US
Pardon the newbie question. I have an ASA 5505 and an ISP that has given me 5 sequential IP addresses. These aren't an entire subnet, just 5 sequential addresses in a larger subnet that I share with other subscribers. I know how to configure a single IP address on the external interface, and also how to configure an entire subnetted range, but cannot figure out how to just configure what amounts to a subset of a subnet. I've asked local folks who are Cisco semi-literate and get answers ranging from "it should be possible but I don't know how" to "the ISP would first have to....(various answers)". Would someone knowledgeable please let me know if this is possible and, if so, how to do this?
 
Have you tried supernetting the network? Making a large range smaller.


[americanflag] Go Army!
Tek-TIP Member 19,650
 
Thanks. No I haven't. I'll play with the math and see if I can get something that might fool the ASA. I suspect not but it's worth trying.
 
5 IP addresses will fall into a /29 or /28, but you should be configuring the interface for the mask that the ISP gave you. Not sure what you're really trying to accomplish.
I would think that if I got 5 IPs from my ISP, I would just configure 1 IP connecting to the ISP and use the other 4 for servers in my DMZ as a static NAT or PAT translation.
 
Thank you for your response.

They gave me a /24 mask. I tried a /28 but that didn't work.

I'm trying to have 5 externally-facing IP addresses that will permit me to use each one independent of the other -- for example, if I want to have RDP access to multiple systems.

Not sure I understand how the last part you are suggesting would work. It sounds like you are suggesting I put the remaining 4 on a DMZ VLAN, and that "somehow" this can be configured so that they are reachable from the external interface?
 
I think you are having difficulties understanding how the ASA works. You merely assign one of your public ip addresses to the ISP facing interface and then merely configure statics to map ip addresses as needed.
 
You are suggesting to use VLSM, but the easier thing is to just use the host mask of 255.255.255.255
The only way to accomplish what you want in one range is if you had 6 addresses, and all within the same /29 boundary. For example...

Let's say the ISP gives you 10.10.10.9 through 10.10.10.13, with a /24 mask. You would be able to do this

ip add 10.10.10.9 255.255.255.248
ip add 10.10.10.10 255.255.255.248
through 10.10.10.13, and all five would be in the same subnet, and therefore NOT independent of each other (just separate from the rest of the 10.10.10.0/24 range). Is this what you want?

I would also do what jeter would do---have one on the outside interface, and the other four in the DMZ. I like to NAT, so I would just ask for one address from the ISP and NAT (PAT, actually) everything. I have 6 IP addresses with my T1 at work, but I only use two, one for the L3/T1 switch and one for the router, and everything is NATted (two FTP servers using different ports, and only two users, but a /24 range)...

/etc/vfstab/Burt
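The subnet arithmetic behind Burt's /29 example, as an added illustration that is not part of the thread: given the addresses the ISP handed out, find the smallest CIDR block that contains all of them, report the mask you would have to put on the outside interface, flag any address that would land on the block's network or broadcast address (and so could not be used as a host), and list the spare usable addresses in that block. The address lists below are constructed for the example; the 10.10.10.9 to 10.10.10.13 case reproduces the post above, and the second case shows why a block that starts on a /29 boundary loses one address. The block only uses the Python standard library.

```python
import ipaddress


def smallest_common_block(addresses):
    """Return the smallest IPv4 network that contains every address given."""
    hosts = [ipaddress.IPv4Address(a) for a in addresses]
    first = hosts[0]
    # Widen the prefix one bit at a time until the block covers every address.
    for prefixlen in range(32, -1, -1):
        candidate = ipaddress.IPv4Network(f"{first}/{prefixlen}", strict=False)
        if all(h in candidate for h in hosts):
            return candidate
    raise ValueError("no common block found")  # unreachable for valid IPv4


def unusable_addresses(addresses, block):
    """Addresses that fall on the network or broadcast address of `block`."""
    if block.prefixlen >= 31:          # /31 and /32 have no reserved addresses
        return []
    reserved = {block.network_address, block.broadcast_address}
    return [a for a in addresses if ipaddress.IPv4Address(a) in reserved]


def analyse(addresses):
    """Summarise how a handful of ISP-assigned addresses fit into one subnet."""
    block = smallest_common_block(addresses)
    return {
        "block": str(block),                       # e.g. 10.10.10.8/29
        "mask": str(block.netmask),                # dotted mask for the interface
        "unusable": unusable_addresses(addresses, block),
        # Usable host addresses in the block that the ISP did not assign to you.
        "spare": [str(h) for h in block.hosts() if str(h) not in addresses],
    }


# Constructed sample inputs (not from the thread's real ISP assignment).
ISP_RANGE = [f"10.10.10.{n}" for n in range(9, 14)]    # .9 through .13
BOUNDARY_RANGE = [f"10.10.10.{n}" for n in range(8, 13)]  # .8 through .12

if __name__ == "__main__":
    for label, addrs in (("thread example", ISP_RANGE), ("boundary case", BOUNDARY_RANGE)):
        print(label, analyse(addrs))
```

For .9 through .13 the result is the block 10.10.10.8/29 with mask 255.255.255.248, no unusable addresses and one spare (.14), which is the sixth address Burt refers to. For .8 through .12 the same /29 comes out, but .8 is the network address and cannot be assigned to a host, so that allocation would need renumbering by the ISP. Either way the five addresses stay in one subnet; an ASA interface takes a single primary address, so the separation the original poster wants still comes from one outside address plus static translations, as the rest of the thread explains.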
 
In old Cisco money, on a router, ip secondary 10.10.10.2 255.255.255.255 would give a single physical interface multiple IP addresses. I can't remember off the top of my head if the 5505 supports this; I believe that the setup for the 5505 is by assigning VLAN ports to the physical interfaces and giving the VLANs the IPs you want, so you would need to place the IPs on your untrusted VLAN.
 
All,

Thank you for the recommendations. I will try these out over the next few days.

Yes, you are correct in that I am having difficulties understanding how some aspects of the ASA work. I'm a relative newbie to Cisco, and there are some points that are a bit obscure to me right now, and what little web documentation I found is too piece-meal to be of much use. If anyone can recommend something out there that paints the big picture and explains how the ASA works that would be great.

Thanks again.
 
I would suggest looking at the "Cisco Firewall Video Mentor" on the Safari Books Online website. You may need to sign up for a 10-day free trial, but it is worth the effort and is exactly what you need.

When you open up conduits to connect to devices from the outside, it is best practice to use a DMZ. This is a little more complex to manage but provides an extra layer of security.

but here is a basic example without a DMZ:

address assigned to you:
192.168.1.100/24 - used for ISP connection
192.168.1.101/24 - used for Terminal Server
192.168.1.102/24 - used for Web Server
192.168.1.103/24 - used for FTP Server
192.168.1.104/24

your inside lan is 10.0.0.0/8

your internal servers that will be accessed from outside:
10.0.0.101 - TS
10.0.0.102 - Web
10.0.0.103 - FTP

ASA config
----------
int vlan 100
nameif outside
security-level 0
ip address 192.168.1.100 255.255.255.0
no shut
!
int vlan 10
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
no shut
!
int e0/0
switchport access vlan 100
desc Internet
no shut
!
int e0/1
switchport access vlan 10
desc LAN
no shut
!
route outside 0 0 192.168.1.x (ISP GW)
!
nat-control
!
global (outside) 1 192.168.1.100
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) 192.168.1.101 10.0.0.101 netmask 255.255.255.255
static (inside,outside) 192.168.1.102 10.0.0.102 netmask 255.255.255.255
static (inside,outside) 192.168.1.103 10.0.0.103 netmask 255.255.255.255


 
forgot the acl

access-list acl_outside permit ip any host 192.168.1.101
access-list acl_outside permit ip any host 192.168.1.102
access-list acl_outside permit ip any host 192.168.1.103
!
access-group acl_outside in interface outside
 
one more thing.

I added an acl that opens everything to your inside servers, but it is best practice to just open the specific services you need.

for example, your web server acl would be:

access-list acl_outside permit tcp any host 192.168.1.102 eq www

instead of:

access-list acl_outside permit ip any host 192.168.1.102
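A small audit of the point made in the last two posts, added here as an example and not part of the thread: parse ASA access-list lines of the shape shown above, flag the `permit ip any host X` rules that open every protocol and port to a server, and show the tightened service-specific form. The ACL lines below are constructed from the entries in this thread; the parser handles only the `access-list NAME permit|deny PROTO SRC DST [eq PORT]` syntax seen here, not the full ASA grammar.

```python
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _take_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | NET MASK) and return its text."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl_line(line):
    """Return a dict describing one access-list entry, or None if it does not match."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _take_addr(tokens)
    if tokens[:1] == ["eq"]:          # optional source port: skip it
        tokens = tokens[2:]
    dst, tokens = _take_addr(tokens)
    port = tokens[1] if tokens[:1] == ["eq"] and len(tokens) >= 2 else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def broad_rules(lines):
    """Lines that permit from any source without restricting protocol and port."""
    findings = []
    for line in lines:
        rule = parse_acl_line(line)
        if rule is None or rule["action"] != "permit" or rule["src"] != "any":
            continue
        if rule["proto"] == "ip":
            findings.append((line.strip(), "permits every protocol and port"))
        elif rule["proto"] in ("tcp", "udp") and rule["port"] is None:
            findings.append((line.strip(), f"permits every {rule['proto']} port"))
    return findings


def tightened(line, proto, port):
    """Rewrite a broad entry so it permits only the named service."""
    rule = parse_acl_line(line)
    return (f"access-list {rule['name']} permit {proto} "
            f"{rule['src']} {rule['dst']} eq {port}")


# Constructed sample ACL, built from the entries posted in this thread.
SAMPLE_ACL = [
    "access-list acl_outside permit ip any host 192.168.1.101",
    "access-list acl_outside permit ip any host 192.168.1.102",
    "access-list acl_outside permit ip any host 192.168.1.103",
    "access-list acl_outside permit tcp any host 192.168.1.102 eq www",
    "access-list acl_outside deny ip any any",
]

if __name__ == "__main__":
    for line, reason in broad_rules(SAMPLE_ACL):
        print(f"{reason}: {line}")
    print("web server, tightened:", tightened(SAMPLE_ACL[1], "tcp", "www"))
```

Run against the sample, the three `permit ip any host` lines are reported and the `eq www` line passes, and `tightened` produces exactly the service-specific entry the post recommends for the web server. The same pattern applies to the terminal server and FTP server entries with their own protocols and ports.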
 