Multiple public IP addresses

ASA newb here.  This question has been asked before but the configurations seem to be different so they don't really answer my question.  I think mine is pretty simple but I can't find a clear "this is what you do" answer.  I've been reading the Cisco docs trying to figure it out but they have so many different scenarios and examples that it's a little overwhelming.  Plus none of them seem to match mine 100%.
ASA 8.4
I have 6 public IP addresses and want to use 2 of them.  I have two servers running an application that needs port 1234 accessible externally for updates.   Can't change port numbers and obviously can't route 1234 two different places. 
Say my range is 4.4.4.4 to 4.4.4.10.  I want to use 4.4.4.4 and 4.4.4.5.  My network currently looks like so:
4.4.4.4 <--> ASA <--> 192.168.0.0/24
I want:
4.4.4.4,4.4.4.5 <--> ASA <--> 192.168.0.0/24
Any ideas?

none taken.
Let me make sure I've got this right.  I'll describe what I see in ASDM.
Line 1:  Source Intf - inside, Dest Intf - Outside, Source - server2, Destination - any, Service - tcp/1234, Source - server2-outside, Destination - --Original--, Service --Original--
Line 2:  Source Intf - outside, Dest Intf - inside, Source - any, Destination - server2-outside, Service - tcp/1234, Source --Original--(S), Destination - server 2, Service --Original--
I'm not entering your server1 info because I already have that setup and working.
ACL:  Source - any, Destination - 192.168.1.5, Service - tcp/1234, Action - permit
Server2 = 192.168.1.5
Server2-Outside = 4.4.4.6 (my other external address)

Similar Messages

  • Multiple public IP Addresses on ASA 5505?

    Hi
    Is it possible to have two or more public IP addresses bound to a Cisco ASA 5505 running 8.4(2)? If so, how?
    Thanks in advance for your help with my request.
    d

    Hello Douglas,
    you don't need to assign multiple IP addresses - the trick is the MASK, besides that you tell the ASA where to find the default gateway.
    The rest is icing on the cake, and you achieve this with the help of NAT.
    Let's say you're provided a network with a mask of 255.255.255.248, then nets, or subnets, jump on the number 8.
    1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW) leaving you 5 addresses
    2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable leaving you 5 addresses
    3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 addresses
    and so forth
    Let's take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address of X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable if 17 was taken by the DFGW) - we stick with 18.
    If you want your mail to be available through X.X.X.19 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create a object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
    If you want your webservices to be available through X.X.X.20 create a NAT-rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create a object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
    That all works through 1 cable, 1 interface assigned with the right MASK
    Hope that clears the skies?
    Pls, rate right answers!

  • MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

    Hi All,
    We are configuring an ASA 5510 for remote VPN users using AnyConnect.
    Our question is:
    We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
    Any suggestions on how to best achieve this requirement?
    Regards,

    What are the different groups used for? Are those different companies or just different departments of one company?
    There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
    One "typical" way to configure different VPN-settings for different users is the following:
    You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like ssl-client.
    For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers domain and so on.
    Your users get one of these group-policies assigned. That can be done with local authentication in the user-account, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.

  • (ASA 5510) How do assign multiple public IP addresses to outside interface?

    Hi,
    I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first?  Please bear in mind I'm doing the config via ASDM.
    PS. everything else seems to be OK, i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
    Any help much appreciated as I really need to get this sorted by Sunday night!
    Jan

    ASA 5505 is slightly different to ASA 5510. ASA 5505 has switchports, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub interfaces.
    In regards to static NAT, which version of ASA are you running?
    For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
    static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
    For ASA version 8.3 and above:
    object network obj-192.168.0.3
         host 192.168.0.3
         nat (inside,outside) static 123.123.123.125
    Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
    For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
    For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
    Hope that helps.
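
The 8.2-to-8.3 change described in the reply above (inbound ACL destination is the real IP on 8.3 and later, not the NATed IP) can be checked mechanically. The following is an added example, not part of the reply or any Cisco tooling: it parses a constructed 8.3+ config fragment and flags permit entries that still point at a mapped address. The object `obj-web` and its addresses are made up for illustration, and only the `any` / `host` / `object` address forms shown on this page are handled.

```python
import re

# Constructed sample config. The first object uses the thread's example
# addresses; obj-web and its addresses are hypothetical.
SAMPLE_CONFIG = """\
object network obj-192.168.0.3
 host 192.168.0.3
 nat (inside,outside) static 123.123.123.125
object network obj-web
 host 192.168.0.4
 nat (inside,outside) static 123.123.123.126
access-list OUTSIDE-IN extended permit tcp any host 123.123.123.125 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.3 eq smtp
access-list OUTSIDE-IN extended permit tcp any object obj-web eq www
access-group OUTSIDE-IN in interface outside
"""


def parse_static_nat(config):
    """Return {object_name: (real_ip, mapped_ip)} for 8.3+ object static NAT."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
            objects[current] = {}
        elif not line.startswith(" "):
            current = None  # left the object's sub-mode
        elif current is not None:
            if m := re.match(r"\s+host (\S+)", line):
                objects[current]["real"] = m.group(1)
            elif m := re.match(r"\s+nat \(\S+\) static (\S+)", line):
                objects[current]["mapped"] = m.group(1)
    return {name: (o["real"], o["mapped"])
            for name, o in objects.items() if "real" in o and "mapped" in o}


def _take_addr(tokens):
    """Consume one address spec; return ("host"|"object", value) or None."""
    if not tokens:
        return None
    head = tokens.pop(0)
    if head in ("host", "object") and tokens:
        return (head, tokens.pop(0))
    if head not in ("any", "any4", "any6") and tokens:
        tokens.pop(0)  # "network mask" form: skip the mask, not a single host
    return None


def audit_acl(config):
    """Classify each permit entry's destination against the static NAT table.

    Returns a list of (status, line) where status is:
      "ok-real"   - destination is a translated host's real IP (8.3+ style)
      "mapped-ip" - destination is the NATed IP (8.2 style; on 8.3+ the
                    entry does not match the translated traffic)
      "unknown"   - destination is not covered by any static NAT object
    """
    nat = parse_static_nat(config)
    real_ips = {real for real, _ in nat.values()}
    mapped_ips = {mapped for _, mapped in nat.values()}
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list \S+ (?:extended )?permit \S+ (.+)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        _take_addr(tokens)            # source spec, ignored here
        dest = _take_addr(tokens)     # destination spec
        if dest is None:
            continue
        kind, value = dest
        if kind == "object":
            status = "ok-real" if value in nat else "unknown"
        elif value in real_ips:
            status = "ok-real"
        elif value in mapped_ips:
            status = "mapped-ip"
        else:
            status = "unknown"
        findings.append((status, line))
    return findings


if __name__ == "__main__":
    for status, line in audit_acl(SAMPLE_CONFIG):
        print(f"{status:10} {line}")
```

An entry reported as `mapped-ip` is the usual leftover after moving a rule set from 8.2 to 8.3 or later, which matches the "traffic is not passing through" symptom in the question.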

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP addresses are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something
    - Jouni

  • Use multiple public IPs addresses

    Hello there!
    In my environment, I have four public IPs, and I have a TMG Firewall working.
    When I publish servers by TMG using one of my IP addresses, it works.
    But, when I use any other one, it doesn't work.
    I'm new to TMG Server, so I want to know if there is some setting to do to use other public IP addresses to publish servers by TMG.
    Thanks in advance.
    Lucas Gustavo

    Hi,
    You don't need any additional configuration apart from creating a Server Publishing Rule or (Secure) Web Publishing Rule. Can you be a bit more specific? Some questions:
    - Does your TMG have one or two network interfaces?
    - Have you configured all four IP Addresses manually on the interface with the same subnet mask?
    - What are you trying to publish?
    - When you create a Server-/Web Publishing Rule, do you select a specific IP Address or All IP Addresses?
    Boudewijn

  • How to route Multiple static IP addresses

    I have 5 static public IP addresses from Comcast Business. I need to host 3 low-volume web sites with distinct domain names which map to unique public IP addresses. I have all three web sites on one computer.
    Linksys has told me it can be done (but has NO useful support); and Comcast has told me it can be done. I've searched high & low on forums for a solution but can't find one.
    Equipment: 
       Linksys WRT300N router
       Webserver is Windows 2003 with 3 NIC cards
       Cable Modem is an SMC 8014
       Cable Provider: Comcast Business
    I already have the router set up for a Static IP and have entered my first public IP address, cable modem gateway and DNS servers. I have also port-forwarded port 80 to the web server.  One web site works fine.
    My question is: How can I route the other 4 ip addresses to the web server?
    TIA,
    bert

    If you already have set up the forwarding and it does not work for those other IP addresses, then it can't be done with your router. You'll need a router which supports one-to-one nat which allows you to map multiple public IP addresses to LAN IP addresses.

  • HT5590 Use caching server with multiple public Addresses?

    According to the Apple documentation, to use the caching server, all clients need to share the same public address via NAT. On my network with many Macs, this would appear to make the caching service useless, as we have multiple public addresses to which our clients are NATed (a full class C, to be exact). Is there any way around this restriction, or am I simply going to be unable to use what looks like it would be a highly useful service?

    Yes, the multiple internal/private subnets mapping to a single public IP is very common in the education/enterprise arena. It is the basic hub-spoke topology:
    where all spokes connect to needed resources at the hub, and only the hub is connected to the Internet. In the case of K-12 education, we need to run a content filter (by Federal rules) on student Internet connectivity. The most efficient way to do that is to locate the filter (along with other servers and resources) at the hub and then route all Internet traffic through the hub. Each spoke (and the hub) is a different internal/private network subnet ... 10.65.x.x, 10.66.x.x, etc. In my case I have 3M from each spoke to the hub, and then 45M from the hub to the Internet.
    In the "old" days ... pre 10.8 ... we had (and still have for some of our older 10.4 computers) a software update server at each spoke, and computers at each spoke were configured (with the Apple software update script) to get their updates from the update server at their spoke ... iApps as well as OS apps. This worked perfectly!
    Now that Apple, in their Orwellian attempt to monitor and control iApps, has introduced this "either-or" attitude about using a local update server OR caching server (but not giving you the option to get iApps from the local update server) they have really hurt schools like mine. Without being able to serve all updates locally on each spoke, updating becomes impossible when you are trying to update a lab full of computers, and the iApp alone is 1.2G for EACH computer ... and now it must come from the Internet since the caching server is 'broken.'
    I currently have a case open with Apple Enterprise Support, and will now also get my K-12 Apple Support Tech involved. I will share this info with them. Perhaps there is some solution that I do not know about, or perhaps there will be a solution created by Apple for situations like mine. I can't see being the only one with this problem, I just think that I may be one of the first to notice it due to my limited bandwidth situation.
    Thanks for your insight. Your original post got me thinking and enabled me to identify what *I* feel is the problem. I will keep this thread updated.
    M:>

  • Configure RRAS with multiple public STATIC IP address

    I have Server 2012 Standard edition. I have two network cards installed. I have configured my server to be my router, aka NAT box, using Server 2k12 RRAS. We recently added more servers to our internal network. We needed more public static IP addresses. Currently we had one and then upgraded to 5 with Time Warner. I configured my WAN NIC card on the server with the new static IP address from Time Warner. How do I add the remaining ones to RRAS? Then I can use the services tab to add that static IP address with this port to that internal IP address, which happens to be another server.
    Currently when I add to the address pool tab, a couple of my PCs or servers get kicked off the internet, especially when I add the service port and the public IP address from the public IP address pool and the internal IP address and the internal port.
    Anyhow, what I am trying to achieve here is to NAT the remaining public IP addresses to an internal IP address. Only certain ports such as the SMTP port, VPN port, POP3 port, HTTP port, HTTPS ports. Can someone help me configure this on RRAS on Server 2012?

    How can I do port forwarding with the address pool of public static IP addresses? Currently my Server 2012 is my acting router. I have NIC cards on there. One of the NICs is connected to the cable modem and the other NIC card is connected to the switch. How can I use port forwarding with the other remaining public IP addresses? The reason is I have two Exchange servers in my internal network. Both can't be using the same ports so I got more public IP addresses. I just want to configure my RRAS to port forward 80, 443, 25, 110, 143 to both Exchange servers, which have internal IP addresses. In order to achieve that I need to have two public IP addresses.
    Tell me if there is a solution.

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • Multiple Public IP Routing

    Our ISP had assigned a /29 range of IP addresses to us. These IP addresses are mapped to private IPs using NAT. We ran out of these public IPs and requested our ISP to assign a new range of public IPs; they assigned a /29 range.
    We have a web server that hosts about 10 websites; each website is bound to a private IP address, and public-to-private address mapping is done using NAT. We have a requirement that 2 websites on that web server should have a public IP bound to the website. I know the assignment of multiple addresses can be done by going to the Advanced settings of the TCP/IP properties.
    Internet->(Pub IP)router(Pub IP)->(pub ip)ASA(priv IP)->switch->server   
    My question is: on the ASA side, where should I assign the new range of public IP addresses, and how do I configure the route?
    Please help me
    Thanks,
    Vinay 

    As I remember, the ASA does not support secondary IP addresses,
    so you need a second ASA or two contexts in your ASA.

  • Multiple Public IP's on one physical interface for devices behind Router.

    Hi guys, I am trying to find information on applying multiple IP addresses to a router,
    basically one for the router itself and then some for the devices behind the router, for which I am sure I need to apply some 1-to-1 NATs. I just do not know if I need to specify all the IP addresses on the main interface.
    Example being I have a router with a WAN IP of xxx.xxx.xxx.xxx/25. It only has 2 interfaces, one for WAN and one for LAN. I have a server I would like assigned its own public IP address, but still on the same LAN network.
    Could someone help me out and point me in the right direction with a sample config

    I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
    You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
    HTH
    Rick

  • How to configure ASA5512X DMZ with a Public IP address?

    Hi;
    I have an ASA5512X firewall with 6 interfaces, interface 0 has been assigned to a WAN connectivity with ADSL, in which my ISP gave me two static IPs (not a block range of IP), my ISP mapped the MAC address of an interface to an IP address, this is what they called "Dynamic-Static" which is likely you research a MAC address of a device on DHCP server, then it always giving you the same IP address.
    Here is the scenario, in order to have the 2nd static IP, I need to give them the mac address of another interface on ASA5512x.  I am thinking to give them the interface mac address of interface #3,  however; the public ip address assigned to interface 0 is a WAN and the public ip address assigned to interface 3 will be on the same subnet from ISP, in this scenario, any problem and limitation, also; can I create a nat to translate the public ip on DMZ to one of the host in inside LAN?

    What are you trying to do? What is the purpose of the second public IP? You can use that guy for any number of things. One to one NAT for one thing or another is most common [mail server, web server, RDP terminal, etc.]. All of those would go over the same interface to get out to the internet.
    Dynamic-Static is PAT. One IP address, multiple clients using different ports. Similar to NAT, but different in how the translation is handled.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939
    SOOOO To answer what you are asking, just give them the MAC of the Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.

  • Netopia 4686XL USA Public IP address to Linksys WRTU54G-TM for Netflix USA IP

    I have a stack of public IPs on my Ethernet router Netopia 4686XL which is on a T1 connection in USA, I have multiple Linksys routers model WRTU54G-TM (T-Mobile @Home Router) which I use as routers at various locations other than my office. I would like to get a public IP from my office Ethernet router (primary router on a static IP with T1 speed) to get one of the public IP addresses on my Netflix device through a Linksys router which is at a remote location with various ISPs (Cable vision, Optimum online, Verizon FIOS, Vidiotron.ca CANADA, Airtel INDIA, BSNL INDIA, and more) where I have basic internet service. I want to get the USA IP address from my office location so I can overcome the issue of Netflix. There is the Advanced Routing in the Linksys router (192.168.1.1/Advanced-Routing-Router.htm) where I should be able to point the public IP using static IP routing but I do not know how to configure it. I have set up a static address on the Linksys client so the device will always be on the private address 192.168.1.100. Step by step directions will be helpful due to many hours of research without any success.

    Hi there. Static Routing is actually possible but only through a local network. May I ask, what is the issue you are having by the way with Netflix?

  • Public IP Address for DA Teredo Edge Config

    Hi,
    We are configuring Direct Access for the first time on server 2012 R2.  We have setup and tested it fine on the single adapter ‘basic’ configuration but would like to configure it to use Teredo as it’s supposed to be faster.
    I have read that this requires two network adapters on the DA server, one configured for the intranet and the other configured for the public internet with two consecutive public IP addresses.
    My question is if i point the public DNS record to the first public IP address (E.g. DirectAccess.mydomain.com) what do I need to do with the second public IP?  I’m not clear what the second IP is used for?
    I have read the second IP could be something to do with certificates but it wasn’t very clear.  We will be using Direct Access with Windows 7 clients so already have an internal PKI installed for the DA single adapter setup.
    Also, I have read that even with the IP-HTTPS performance improvements in 2012 Teredo is still considerably faster (assuming the internet connection itself is fast enough).  Can anyone advise on speed differences between IP-HTTPS and Teredo?
    Thanks
    Alex

    Hi
    Since Windows Server 2012, you are allowed to deploy DirectAccess in multiple scenarios. In your situation, you have a single network interface. In this scenario, your DirectAccess Server has a single private IP address. Teredo can only be used in the two network interface scenario. This is the only scenario where you need two IPv4 public addresses.
    IPHTTPS performance is available since Windows Server 2012 but requires at least Windows 8 to be used.
    Best regards.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
