How do I set up multiple static IP addresses on a Cisco ASA 5505?
#1 (permalink)
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
Rep Power: 3
I've done a sh run below to show my current configuration. I am trying to forward a number of ports, including smtp. I am used to the PIX 506, so I tried to enter commands in with that background. I feel that I'm very close, but there's something somewhere catching me. What do I need to do to get smtp to forward?

```
asai(config)# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname XXXXX
domain-name XXXXXXXXXX
enable password XXXXXXXXXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.1.200 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XXXXXXXXXXXXXXXXX
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp X.X.1.200 smtp 10.1.1.200 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.76.1 1
timeout xlate 16:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXX
: end
asai(config)#
```
#2 (permalink)
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
Rep Power: 3
If you mean VPN connections directly to the ASA, this is not possible. You can only use the actual outside IP address for VPN clients.

Change the IP of the outside interface:

```
interface Vlan2
 ip address X.X.1.198 255.255.255.0
```

Else, the static that you have for smtp is all you need, along with the access-list.

> want all internal traffic to go out on X.X.1.199

Then you have to change your global:

```
no global (outside) 1 interface
global (outside) 1 X.X.1.199
nat (inside) 1 0 0 0
```

Note that now outbound email will also be using .199 which will not resolve to your mail server and some email will be rejected. Best to use a full 1-1 for email server. This is only possible because you changed the Outside IP above first.

```
! replace the interface-based smtp permit with permits to the mapped address
no access-list outside_access_in extended permit tcp any interface outside eq smtp
no access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host X.X.1.200 eq smtp
access-list outside_access_in extended permit tcp any host X.X.1.200 eq http
access-list outside_access_in extended permit tcp any host X.X.1.200 eq https
access-group outside_access_in in interface outside
! swap the smtp port redirect for a full 1-1 static
no static (inside,outside) tcp X.X.1.200 smtp 10.1.1.200 smtp netmask 255.255.255.255
clear xlate
static (inside,outside) X.X.1.200 10.1.1.200 netmask 255.255.255.255
```

Now all of your goals are met.
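Added example, not part of either post: a full 1-1 static translates every port of 10.1.1.200, so the outside ACL alone decides what is reachable, and this Python check lists what each static actually exposes. The names `exposure`, `interface_ip`, `ACE` and `SAMPLE` are hypothetical, the input is constructed from the thread's masked addresses, and ACL destinations are assumed to be written as `any`, `host <ip>` or `interface <name>`.

```python
import re

# Constructed input: the end state the answer above arrives at, using the page's masked addresses.
SAMPLE = """\
interface Vlan2
 nameif outside
 ip address X.X.1.198 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host X.X.1.200 eq smtp
access-list outside_access_in extended permit tcp any host X.X.1.200 eq http
access-list outside_access_in extended permit tcp any host X.X.1.200 eq https
static (inside,outside) X.X.1.200 10.1.1.200 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Only "permit <proto> any <dst> [eq <port>]" entries are modelled (an assumption of this sketch).
ACE = re.compile(r"access-list (\S+) extended permit (\S+) any "
                 r"(any|host \S+|interface \S+)(?: eq (\S+))?$")

def interface_ip(config, iface):
    """Address on the interface named iface, read from its indented sub-commands."""
    m = re.search(rf"^\s+nameif {iface}\n(?:[ \t]+.*\n)*?[ \t]+ip address (\S+)", config, re.M)
    return m.group(1) if m else None

def exposure(config, iface="outside"):
    """Map each static's public address to the (protocol, port) pairs the ACL on iface permits."""
    lines = [l.strip() for l in config.splitlines()]
    if_ip = interface_ip(config, iface)
    acl = next((l.split()[1] for l in lines
                if re.fullmatch(rf"access-group \S+ in interface {iface}", l)), None)
    aces = [m.groups()[1:] for l in lines if (m := ACE.match(l)) and m.group(1) == acl]
    report = {}
    for t in (l.split() for l in lines if l.startswith("static (")):
        if not t[1].endswith(f",{iface})"):
            continue
        pat = t[2] in ("tcp", "udp")              # port redirect; otherwise a full 1-1 static
        mapped = t[3] if pat else t[2]
        if mapped == "interface":
            mapped = if_ip
        dsts = {"any", f"host {mapped}"} | ({f"interface {iface}"} if mapped == if_ip else set())
        hits = [(proto, port or "any") for proto, dst, port in aces if dst in dsts]
        if pat:  # a port redirect only ever forwards its own protocol and port
            hits = sorted({(t[2], t[4]) for p, q in hits if p in (t[2], "ip") and q in (t[4], "any")})
        report.setdefault(mapped, []).extend(hits)
    return report
```

An `("ip", "any")` entry in the result for a 1-1 static means the whole internal host is reachable from outside, which is the case to look for after replacing a port redirect with a full static.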