(ASA 5510) How do I assign multiple public IP addresses to outside interface?

Hi,
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510, traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as on the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? Please bear in mind I'm doing the config via ASDM.
PS. Everything else seems to be OK, i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
Any help much appreciated as I really need to get this sorted by Sunday night!
Jan

ASA 5505 is slightly different to ASA 5510. ASA 5505 has switchports, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub-interfaces.
In regards to static NAT, which version of ASA are you running?
For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
For ASA version 8.3 and above:
object network obj-192.168.0.3
     host 192.168.0.3
     nat (inside,outside) static 123.123.123.125
Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
Hope that helps.
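
The ACL difference described in the reply above is easy to miss when a configuration is carried from 8.2 to 8.3 or later. The following is an added example, not part of the original reply: a small Python check that reads a configuration and flags inbound permit entries that name the wrong side of a static NAT for the given version. The sample configurations are constructed, and the ACL name outside_access_in is an assumption.

```python
import re

# Constructed sample configs; the ACL name outside_access_in is an assumption.
CONFIG_82 = """\
static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq smtp
access-group outside_access_in in interface outside
"""

# 8.3+ NAT syntax, but the ACL still names the mapped address as on 8.2.
CONFIG_83_OLD_ACL = """\
object network obj-192.168.0.3
 host 192.168.0.3
 nat (inside,outside) static 123.123.123.125
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq smtp
access-group outside_access_in in interface outside
"""

CONFIG_83_FIXED = CONFIG_83_OLD_ACL.replace(
    "any host 123.123.123.125", "any host 192.168.0.3")


def static_nat_pairs(config):
    """Return {mapped_ip: real_ip} from both static NAT syntaxes."""
    pairs = {}
    # 8.2 and earlier: static (real_if,mapped_if) MAPPED REAL netmask ...
    for mapped, real in re.findall(
            r"^static \(\S+,\S+\) (\S+) (\S+)", config, re.M):
        pairs[mapped] = real
    # 8.3 and above: object network X / host REAL / nat (...) static MAPPED
    for real, mapped in re.findall(
            r"^object network \S+\n\s+host (\S+)\n\s+nat \(\S+,\S+\) static (\S+)",
            config, re.M):
        pairs[mapped] = real
    return pairs


def audit_inbound_acl(config, version):
    """Flag permit entries whose destination is the wrong side of the NAT.

    version is a (major, minor) tuple. Only entries of the simple form
    'permit <proto> any host <ip>' are examined.
    """
    pairs = static_nat_pairs(config)
    by_real = {real: mapped for mapped, real in pairs.items()}
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) .*permit \S+ any host (\S+)", line)
        if not m:
            continue
        acl, dest = m.groups()
        if version >= (8, 3) and dest in pairs:
            findings.append(
                (acl, dest, "mapped IP in ACL; use real IP " + pairs[dest]))
        elif version < (8, 3) and dest in by_real:
            findings.append(
                (acl, dest, "real IP in ACL; use mapped IP " + by_real[dest]))
    return findings


if __name__ == "__main__":
    for name, cfg, ver in [("8.2", CONFIG_82, (8, 2)),
                           ("8.4 old ACL", CONFIG_83_OLD_ACL, (8, 4)),
                           ("8.4 fixed", CONFIG_83_FIXED, (8, 4))]:
        print(name, audit_inbound_acl(cfg, ver))
```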

Similar Messages

  • MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

    Hi All,
    We are configuring an ASA 5510 for remote VPN users using Any Connect.
    Our question is:
    We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
    Any suggestions on how to best achieve this requirement.
    Regards,

    What are the different groups used for? Are that different companies or just different departments of one company?
    There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
    One "typical" way to configure different VPN-settings for different users is the following:
    You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like ssl-client.
    For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers domain and so on.
    Your users get one of these group-policies assigned. That can be done with local authentication in the user-account, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.

  • How to assign multiple value in key of read table

    Hi gurus,
    I want read table xxxx with key field1 = ' xxx' or field1 = 'yyy'.
    how to assign multiple value as key for the same field while reading internal table.
    Regards
    sagar

    Hi ,
    You can loop the internal table like
    loop at <table xxxx> where field1 = ' xxx' or field1 = 'yyy'.
    or you can write two read statements to read the internal table in wrk area.
    read table <table xxxx> with key field1 = ' xxx'.
    if sy-subrc <> 0.
      read table <table xxxx> with key field1 = 'yyy'.
      if sy-subrc = 0.
      endif.
    else.
      " do your data processing.
    endif.
    Thanks.

  • How to assign multiple batch class to material in classification view

    Dear Gurus,
    How to assign multiple batch class to material in classification view.
    plz explain what are the procedure and what are the configuration required before assignment.
    Thanks
    Mani

    OK, Thanks for your reply.
    Regards
    Mani

  • How java support multiple inheritance by the use of interface.

    As per my understanding, Interface is just having the signatures of the methods not the implementation.
    So How java support multiple inheritance by the use of interface?
    Answer 1: We can instantiate an interface reference by its implementing class.
               interface inf...
               class aa implements inf..
               class bb implements inf....
               Now, inf i = new aa();
               inf i = new bb();
    Answer 2: We can extend as many interfaces as we want in a single interface.
               i.e. interface infFirst....
               interface infSecond....
               interface infThird....
               Now,
               interface ingMulti extends infFirst, infThird...
    By the above two answers it's not pretty clear as per the multiple inheritance in C or C++.
               i.e.
               class first{
               method abc();....}
               class second{
               method bbc()......}
               class multi::first::second{
               we can call to abc();.....as well as bbc();
    -Please give your important suggestion on the same. (Hope I explain it well.)
    -Jeff

    The keyword implement is used only for interfaces not
    for abstract class. If i am wrong correct me.
    I believe you're right, but I will double check.
    As for the multiple inheritance think about the following code:
    class Animal {
        //  Animal generic stuff in this class
    }
    interface Eat {
        //  Generic stuff that models eating behavior
    }
    interface Runs {
        //  generic methods that model running behavior
    }
    public class Horse extends Animal implements Eat, Runs {
        //  Stuff specific to a horse
    }
    The Animal class is generic but has stuff in it common to all animals.
    The Eat interface models behavior that is generic to eating, all living things have to eat something to survive. Herbivores are different from carnivores.
    The Runs interface models generic behavior to running, such as speed. A cheetah definitely runs faster than a human.
    This brings us to the Horse class. It extends the Animal class because it "is-a" animal, and it implements the eat and runs interface because they are behaviors a horse has.
    I hope that helps.
    Extending an abstract class is the same as extending a regular class with the exception you MUST override all abstract methods in the abstract class. That's not too difficult but I believe when designing classes, designing an abstract can be more difficult than modeling the base class, and generic behaviors in interfaces. JMO.
    JJ

  • How to route Multiple static IP addresses

    I have 5 static public IP addresses from Comcast Business. I need to host 3 low-volume web sites with distinct domain names which map to unique public IP addresses. I have all three web sites on one computer.
    Linksys has told me it can be done (but has NO useful support); and Comcast has told me it can be done. I've searched high & low on forums for a solution but can't find one.
    Equipment: 
       Linksys WRT300N router
       Webserver is Windows 2003 with 3 NIC cards
       Cable Modem is an SMC 8014
       Cable Provider: Comcast Business
    I already have the router set up for a Static IP and have entered my first public IP address, cable modem gateway and DNS servers. I have also port-forwarded port 80 to the web server.  One web site works fine.
    My question is: How can I route the other 4 ip addresses to the web server?
    TIA,
    bert

    If you already have set up the forwarding and it does not work for those other IP addresses, then it can't be done with your router. You'll need a router which supports one-to-one nat which allows you to map multiple public IP addresses to LAN IP addresses.

  • Multiple public IP addresses

    ASA newb here.  This question has been asked before but the configurations seem to be different so they don't really answer my question.  I think mine is pretty simple but I can't find a clear "this is what you do" answer.  I've been reading the Cisco docs trying to figure it out but they have so many different scenarios and examples that it's a little overwhelming.  Plus none of them seem to match mine 100%.
    ASA 8.4
    I have 6 public IP addresses and want to use 2 of them.  I have two servers running an application that needs port 1234 accessible externally for updates.   Can't change port numbers and obviously can't route 1234 two different places. 
    Say my range is 4.4.4.4 to 4.4.4.10.  I want to use 4.4.4.4 and 4.4.4.5.  My network currently looks like so:
    4.4.4.4 <--> ASA <--> 192.168.0.0/24
    I want:
    4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24
    Any ideas?

    none taken.
    Let me make sure i've got this right.  I'll describe what i see in ASDM.
    Line 1:  Source Intf - inside, Dest Intf - Outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Original--, Service --Original--
    Line 2:  Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source --Original--(S), Destination - server 2, Service --Original--
    I'm not entering your server1 info because I already have that setup and working.
    ACL:  Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit
    Server2 = 192.168.1.5
    Server2-Outside = 4.4.4.6 (my other external address)

  • Multiple public IP Addresses on ASA 5505?

    Hi
    Is it possible to have two or more public IP Addresses bound to a Cisco ASA 5505 running 8.4(2)? If so, how?
    Thanks in advance for your help with my request.
    d

    Hello Douglas,
    you don't need to assign multiple IP-addresses - the trick is the MASK besides that you tell ASA where to find the default gateway.
    The rest is icing on a cake, and you achieve this with the help of NAT.
    Let's say you're provided a network with a mask of 255.255.255.248, then nets, or subnets, jump on the number 8.
    1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
    2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
    3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 addresses
    and so forth
    Let's take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.
    If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create an object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
    If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create an object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
    That all works through 1 cable, 1 interface assigned with the right MASK
    Hope that clears the skies?
    Pls, rate right answers!
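
The subnet arithmetic in the reply above can be checked before any NAT rule is written. The following is an added example, not part of the original reply: it classifies each planned mapped address against the outside interface's subnet and lists what is still free. 203.0.113.16/29 is a constructed stand-in for the X.X.X.16 network, and the function names are assumptions.

```python
from ipaddress import ip_address, ip_interface


def check_nat_plan(outside_if, gateway, mapped):
    """Classify each planned mapped address against the outside subnet.

    outside_if: interface address and mask, e.g. "203.0.113.18/255.255.255.248"
    gateway:    default gateway (DFGW) on that subnet
    mapped:     {object name: public IP} intended for static NAT
    """
    iface = ip_interface(outside_if)
    net = iface.network
    gw = ip_address(gateway)
    seen, result = {}, {}
    for name, addr in mapped.items():
        ip = ip_address(addr)
        if ip not in net:
            verdict = "off-subnet"
        elif ip in (net.network_address, net.broadcast_address):
            verdict = "unusable: network or broadcast address"
        elif ip == gw:
            verdict = "conflict: default gateway"
        elif ip == iface.ip:
            verdict = "conflict: outside interface address"
        elif ip in seen:
            verdict = "duplicate of " + seen[ip]
        else:
            verdict = "ok"
            seen[ip] = name
        result[name] = verdict
    return result


def free_addresses(outside_if, gateway, mapped):
    """Usable addresses not taken by the gateway, the interface or a mapping."""
    iface = ip_interface(outside_if)
    taken = {ip_address(gateway), iface.ip}
    taken |= {ip_address(a) for a in mapped.values()}
    return [str(h) for h in iface.network.hosts() if h not in taken]


if __name__ == "__main__":
    # Constructed plan mirroring the reply: .17 gateway, .18 interface,
    # .19 for mail, .20 for web services.
    plan = {"WAN-ADDRESS-19": "203.0.113.19", "WAN-ADDRESS-20": "203.0.113.20"}
    outside = "203.0.113.18/255.255.255.248"
    print(check_nat_plan(outside, "203.0.113.17", plan))
    print(free_addresses(outside, "203.0.113.17", plan))
```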

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP addresses are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something
    - Jouni

  • ASA 5510 - how many concurrent VOIP calls can pass through?

    Hi all,
    I wonder how many concurrent VOIP calls can handle Cisco ASA 5510, any idea?
    Gegham

    hi Gegham,
    Basically what the values of 50,000 and 130000 connections indicate are lab values tested with 80% TCP and 20% UDP traffic (according to table a-2 in the doc below).
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wp1170941
    RTP is UDP traffic, but in case of an ASA and considering a customer scenario what happens is...
    1 voip call = 1 control connection (h323,sip,sccp) + 2 or 4 rtp connections
    - so a call will in total easily consume 5 or more connections depending on control connections you have set up.
    - also this number differs depending on if the call is voice only or video.
    So to simply answer your questions...
    1> the number of connections that a call consumes depends on the above factors.
    2> Also there is no hard number on the number of calls an ASA can handle because this depends on the controls you use... including NAT and inspections.
    Thanks,
    Karthik

  • How to assign a public ip to SQL Listener which is on a virtual machine ?

    I have 2 virtual machines which have SQL Servers installed on them. I have enabled the Always On feature and added a new listener name to them. Both the VMs are in a virtual network which have private IPs. The listener has also been assigned a private IP from the subnet.
    How can I assign a public ip to the listener, so that I can connect to the listener from outside network ?
    Thanks
    Avanti

    Hi,
    If you will only access the listener within the VNet (including site-to-site VPN in hybrid scenarios), then you should use Internal Load Balancing (ILB) with a private IP address for the listener. Because the ILB is not accessible from outside the Azure VNet, this offers another layer of security. Also this makes the Listener accessible only to client applications located
    - In the same Virtual Network
    - In another connected Virtual Network (in the same Azure region or a different Azure region)
    - On-premise connected via VPN tunnel
    However if you can use public load balancing with a public IP address it can be accessible from the internet.
    To know more about Configuration for AlwaysOn Availability Groups on SQL, you might want to refer to the below mentioned article
    https://msdn.microsoft.com/en-us/library/azure/dn425027.aspx?f=255&MSPPError=-2147217396
    Hope this helps !
    Regards,
    Sowmya

  • How to assign a private IP address to a public IP address

    Hello.
    At the beginning sorry for my poor English. My company uses a Cisco 881 router and I have the following problem to resolve. I need to assign a local IP address from my private network to a public IP address (this is the public IP address of the SMTP server). As a result, I want to do the following thing: I would like to use a local IP address in the SMTP server settings of the email client instead of an IP address of the service provider. The device which I have to configure with the SMTP server is connected via a VPN and I can't use a public IP address of the email provider. Thank you for any response.

  • How to assign multiple categories to a webapp item that is populated from a frontend form?

    We have a webpage with a form that allow users to populate a webapp, but we also need that the user can assign multiple categories to the webapp item that is going to insert.
    The support forum told us that it is not possible to assign categories from the frontend, but only from the admin area.
    Is there any workaround to this issue? We do not want the users to access to the admin area because we need them to populate the webapp only from the web form.
    Thanks for any help on this.
    Franco

    Don't know if this will help:
    http://bcgurus.com/tutorials/dynamic-categories-for-business-catalyst-introduction

  • ASA 5510 Anyconnect VPN question-"Hairpin" vpn connection on same external interface

    I have a Cisco ASA 5510, I want to allow a VPN connection to be established by a client on one of the inside interfaces(10.20.x.x) to be able to go out the single External interface and get authenticated by the ASA to create a VPN tunnel to the other inside interface (10.0.X.X) and access resources on that subnet.
    Basically want clients on a WLAN to be able to VPN back in to the LAN with the ASA in the middle to get to company resources,
    Is this possible?
    Thanks,
    Tommy

    When we connect any VPN on a device then it is always a TO THE DEVICE connection and I am afraid we can connect only to the local / nearest interface where user is connected in a network with respect to ASA.
    I have seen this scenario working though earlier with one of my clients wherein he has configured his DNS server accordingly so that depending upon the source of the DNS request an appropriate IP address was provided for the same DNS name. For example if a user from IP address range 192.168.0.0 connects to abc.com then it will get IP address 192.168.1.1 and if a user from IP address range 10.0.0.0 connects then it will get 10.1.1.1.
    If we configure the same scenario as well then your requirement will be fulfilled with the same name, however VPN has to be enabled on the wireless interface again. If not, then as you have described configuring a new domain name for VPN connection only for wireless users should do the deal.
    Regards,
    Anuj

  • NAT support - how to obtain the public IP address?

    Hi
    I am developing an instant messenger in which users can start a conversation with another user through obtaining the IP address of the intended recipient from a mySQL database on the web server.
    This works fine within a local network. However, the address in the database upon user login is the private IP address within the LAN and not the global address - consequently my software cannot be used outside the LAN currently.
    Is it possible to use a method within the java.net library to send the public (global) address of the client to a server? And if so, how can I handle the ability to receive a reply from the server (which would arrive at the public IP the message was sent from, ie. the NAT firewall) so that it is delivered to the correct port and private IP on the client?
    Joe Barber

    If the server is on the public internet and the client is on a private network the server will see the public address and port, and can get it from a connected socket. Unfortunately if the nat box uses DHCP there is no guarantee that this will be the same next time, so persisting that value in a database is not a good idea. If both the client and server are behind nat gateways, they cannot directly establish calls. The better choice for these kind of systems is to run the server on the public internet on a well known address and have your clients connect to the server.
    You will find lots of discussion on the difficulties of nat and p2p on this forum and by looking in google.
