Public IP address for ASA

Hi,
We have a Cisco 2851 router and an ASA firewall. We configured the router for the IP phones and the ISP connection. The ISP is directly connected to the router, and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have a public IP address available. If I configure the VPN on the firewall, we need to configure the firewall's local IP address as a public IP address. So how do we configure the firewall's local IP to a public IP? Where can we configure it, on the router or on the firewall? Please see my firewall and router configuration...
Please help.

The ASA would typically be where you set up your public IP address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).
However on the config you attached your outside interface has a private (RFC 1918) address:
interface Ethernet0/3
speed 100
duplex full
nameif Outside
security-level 0
ip address 192.168.255.2 255.255.255.252
Plus, it being a /30 only gives you two addresses: one for the ASA and one for the router's Gi0/0 (per that config which you also attached). This is a bit of an odd setup, but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".
It's really a bit of a mess and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup.

Similar Messages

  • Multiple public IP Addresses on ASA 5505?

    Hi
    Is it possible to have two or more public IP addresses bound to a Cisco ASA 5505 running 8.4(2)? If so, how?
    Thanks in advance for your help with my request.
    d

    Hello Douglas,
    You don't need to assign multiple IP addresses; the trick is the MASK, besides which you tell the ASA where to find the default gateway.
    The rest is icing on the cake, and you achieve this with the help of NAT.
    Let's say you're provided a network with a mask of 255.255.255.248; then the nets, or subnets, step in multiples of 8:
    1. net: X.X.X.0, with 7 being the broadcast, 1 the first usable (usually the DFGW), leaving you 5 addresses
    2. net: X.X.X.8, with 15 being the broadcast, 9 the first usable, leaving you 5 addresses
    3. net: X.X.X.16, with 23 being the broadcast, 17 the first usable, leaving you 5 addresses
    and so forth.
    Let's take the 3rd example here, and configure the outside interface with a mask of 255.255.255.248 and the address X.X.X.18 (the first usable besides the DFGW), or X.X.X.22 (the last usable, if 17 was taken by the DFGW); we stick with 18.
    If you want your mail to be available through X.X.X.19, create a NAT rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.19 (create an object like "WAN-ADDRESS-19" and give it the address X.X.X.19, and don't forget the ACLs!).
    If you want your web services to be available through X.X.X.20, create a NAT rule where you reference from the inside (IP of your server etc.) to the outside with the address X.X.X.20 (create an object like "WAN-ADDRESS-20" and give it the address X.X.X.20, and don't forget the ACLs!).
    That all works through 1 cable, 1 interface assigned with the right MASK.
    Hope that clears the skies?
    Please rate right answers!
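The /29 walk-through above reduces to a few checks that are easy to get wrong by hand. As an added example (not code from the post or from Cisco), this Python script takes the outside interface address, the ISP gateway and the extra addresses you plan to map with NAT, and reports which are usable hosts in the same block and which collide with the network, broadcast, gateway or interface address. All addresses are constructed from the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import Dict, List, Tuple


def check_nat_plan(interface_cidr: str, gateway: str, nat_targets: List[str]) -> Dict:
    """Check extra public addresses against the ASA outside interface's block.

    interface_cidr: address/mask on the outside interface, e.g. "203.0.113.18/29"
    gateway:        the ISP default gateway inside the same block
    nat_targets:    addresses you intend to use as static NAT mapped addresses

    Returns the block layout, a per-target list of problems (empty = usable),
    and the addresses still free for further NAT rules.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    hosts = list(net.hosts())
    if iface.ip not in hosts or gw not in hosts or iface.ip == gw:
        raise ValueError(f"{iface.ip} and {gw} must be distinct usable hosts in {net}")

    taken = {iface.ip, gw}
    results: List[Tuple[str, List[str]]] = []
    for target in nat_targets:
        ip = ipaddress.ip_address(target)
        issues: List[str] = []
        if ip not in net:
            issues.append(f"not in {net}: the upstream router needs a route for it, "
                          "a NAT rule alone will not do")
        elif ip == net.network_address:
            issues.append("network address, not usable")
        elif ip == net.broadcast_address:
            issues.append("broadcast address, not usable")
        elif ip == iface.ip:
            issues.append("already the outside interface address")
        elif ip == gw:
            issues.append("this is the ISP gateway")
        elif ip in taken:
            issues.append("already assigned to an earlier NAT target")
        if not issues:
            taken.add(ip)
        results.append((target, issues))

    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "targets": results,
        "free": [str(h) for h in hosts if h not in taken],
    }


if __name__ == "__main__":
    # Constructed example: the ISP hands out 203.0.113.16/29, .17 is the
    # gateway, the ASA outside interface takes .18 (as in the answer above).
    plan = check_nat_plan("203.0.113.18/29", "203.0.113.17",
                          ["203.0.113.19", "203.0.113.20", "203.0.113.23", "203.0.113.17"])
    print(plan["network"], "usable", plan["first_usable"], "-", plan["last_usable"])
    for target, issues in plan["targets"]:
        print(target, "OK" if not issues else "; ".join(issues))
    print("still free:", plan["free"])
```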

  • Public IP address for ERP system

    Hi,
    A SAP BC consultant gave me a small system landscape for ERP 6.0 and its info as follows:
      a. 1 Sol Man system, 1 ERP system for DEV, 1 ERP system for PRO.
      b. The Sol Man Server is for the ENTIRE SAP TECHNICAL LANDSCAPE in the single company.
      c. The entire SAP Landscape needs to be on a different SUBNET on a different Gigabit switch for optimum performance. The broadcast between the 2 subnets will be handled via a router.
      d. A router with VPN capabilities and 2-3 static public IP addresses (THIS IS A MUST).
    I don't know why I need 2-3 static public IP addresses if I don't publish anything to the Internet. Can somebody tell me why?
    Thanks,
    Toan Do

    Hi,
    It's most probably for saprouter / the connection to OSS etc.
    Regards

  • Customer wants a public IP address for RDP after VPN Tunnel

    I have a customer that wants to set up a VPN tunnel with me with a public IP address and a public address for the host. I am completely at a loss as to how to accomplish this. The customer states that it is against his company policy to have a remote host to connect to that is not in the public address space. I have given him a public peer address to connect to for the establishment of the VPN tunnel. However, he states that he needs the host to be in the public address space as well.
    What is my customer asking for? Surely he does not want me to put RDP on a public address?

    The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addresses, then we can do it by NATting (static or dynamic). We can allow the NATted IP as interesting traffic over the VPN tunnel. Because if we put the local IP into the public pool, then we don't need a VPN tunnel: we can access it directly over the Internet too.

  • Public IP Address for DA Teredo Edge Config

    Hi,
    We are configuring DirectAccess for the first time on Server 2012 R2. We have set it up and tested it fine in the single-adapter 'basic' configuration, but would like to configure it to use Teredo as it is supposed to be faster.
    I have read that this requires two network adapters on the DA server, one configured for the intranet and the other configured for the public Internet with two consecutive public IP addresses.
    My question is, if I point the public DNS record to the first public IP address (e.g. DirectAccess.mydomain.com), what do I need to do with the second public IP? I'm not clear what the second IP is used for.
    I have read the second IP could be something to do with certificates, but it wasn't very clear. We will be using DirectAccess with Windows 7 clients, so we already have an internal PKI installed for the DA single-adapter setup.
    Also, I have read that even with the IP-HTTPS performance improvements in 2012, Teredo is still considerably faster (assuming the Internet connection itself is fast enough). Can anyone advise on the speed differences between IP-HTTPS and Teredo?
    Thanks
    Alex

    Hi
    Since Windows Server 2012, you are allowed to deploy DirectAccess in multiple scenarios. In your situation, you have a single network interface. In this scenario, your DirectAccess server has a single private IP address. Teredo can only be used in the two-network-interface scenario. This is the only scenario where you need two public IPv4 addresses.
    IP-HTTPS performance improvement is available since Windows Server 2012 but requires at least Windows 8 to be used.
    Best regards.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • Getting public ip address for a lan

    Hello, is there a way to somehow retrieve the public IP address of a LAN? When I use the standard Java get host method from a PC that's in a LAN, all I get is the private LAN IP address such as 192.x.x.x. This is useless to me if I want to make a connection to this computer from outside the LAN.
    I want to be able to get the public IP so that I can move my instant messenger program (LAN based) onto the Internet, so that its clients can talk to each other from all around the world like MSN Messenger.
    Would there be a problem if, say, 5 users from the same LAN were logged into the program and one person from outside the LAN wanted to talk to one of the people from the LAN? Seeing as all 5 LAN users will have the exact same public IP address, is there a way to talk to the correct user?
    The current state is that as soon as a user logs into the system, the IP address of the PC they are using is stored temporarily on a server, so that if User A wants to talk to User B, User A queries the server to first find out if the user is online and then gets their IP address and joins User B's listening socket using the IP address retrieved from the server.

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;

    public class PublicIpLookup {
        // Asks an external web service what address our traffic appears to come from.
        // The reply is untrusted text from a third party over plain HTTP: validate it
        // before using it as an address. It only reveals the NAT address shared by the
        // whole LAN, not how to reach one particular host behind it.
        public static String getPublicIP() {
            String publicIP;
            try {
                URL tempURL = new URL("http://www.whatismyip.org/");
                HttpURLConnection tempConn = (HttpURLConnection) tempURL.openConnection();
                tempConn.setConnectTimeout(5000);   // do not hang forever if the service is down
                tempConn.setReadTimeout(5000);
                try (BufferedReader tempBr = new BufferedReader(
                        new InputStreamReader(tempConn.getInputStream()))) {
                    publicIP = tempBr.readLine();   // first line of the response body
                }
            } catch (Exception ex) {
                publicIP = "<Could-Not-Resolve-Public-IP-Address>";
            }
            return publicIP;
        }

        public static void main(String[] args) {
            System.out.println(getPublicIP());
        }
    }

  • What are the public IP addresses for Apple Update servers?

    I work for a school district and we would like to create a NAT rule in our firewall to make all traffic going out for Apple updates to use the same public IP (iPhones, iPads, Macs, etc). Does anyone know what Apple IP addresses I would need for that?
    This will be used to make all devices in our district go to the same Apple Caching Server.
    Thanks in advance.

    Hi,
    Which book and which chapter are you referring to?
    If possible, can you post the entire question so that we can help you in identifying the correct address?
    It is best to use an IP subnet calculator:
    http://www.vlsm-calc.net/
    http://www.subnet-calculator.com/cidr.php
    Regards
    Inayath

  • Migration Accelerator - Public IP address requirement for Config Server and Process Server

    Currently, when installing the Migration Accelerator components, the Config Server's public IP address must be specified in several places. In the released version of Migration Accelerator, could this be changed to allow customers to specify a public DNS domain name instead? Using a public IP address for the Config Server in Azure represents a risk that this public IP may change (unless using the new Reserved VIP capability in Azure), which could require reconfiguration of several MA components. If a DNS name will not be supported in the released version of MA, then the documentation should be updated to step through provisioning a Reserved VIP for the Config Server in Azure.
    Similarly, if running the Process Server on Amazon AWS (in an Amazon AWS -> Azure migration scenario), either DNS names should be supported for the Process Server configuration or a reference in the document should be added to step through acquiring an Elastic IP address for the Process Server.

    Thanks Keith for your feedback; we will update the document to reflect this. We will look into improving this functionality in the released version.
    Thx - Srinath

  • MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

    Hi All,
    We are configuring an ASA 5510 for remote VPN users using AnyConnect.
    Our question is:
    We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
    Any suggestions on how to best achieve this requirement?
    Regards,

    What are the different groups used for? Are these different companies or just different departments of one company?
    There are so many ways to achieve different VPN settings for the users, and all of them work with only the one public IP address your ASA has on the outside interface.
    One "typical" way to configure different VPN settings for different users is the following:
    You configure one tunnel-group with the needed authentication settings. The assigned group-policy only has the needed tunnel-protocol configured, like ssl-client.
    For each department you configure one group-policy with all the needed parameters like split tunnel, VPN filter, banner, DNS/WINS servers, domain and so on.
    Your users get one of these group-policies assigned. That can be done with local authentication in the user account, or, more scalably, through a central RADIUS server, which can be the Windows NPS to authenticate the domain users.

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and, in order to conserve public IP addresses and (possibly) configuration, can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address:
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done. On the ASA, packet classification is done on the basis of MAC address, destination NAT and route, and here you are confusing the firewall as to which interface the IP belongs to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Change Lync 2013 Edge Server Natted public ip addresses

    We changed the public IP addresses for Lync 2013 Edge. I changed only the A/V Edge service NAT-enabled public IPv4 address to the new public IP address,
    published the topology,
    ran the Invoke-CsManagementStoreReplication command,
    and restarted the Edge server.
    What else should I do to solve it?
    Error:
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.*****.com on port 5061.
    The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
    Additional Details
    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

    Hi,
    Please re-run Step 2-Setup or Remove Lync Server Components after changing IP in topology.
    Kent Huang
    TechNet Community Support

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP addresses are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something.
    - Jouni

  • How can I use two different public IP addresses on my DMZ with an ASA firewall?

    How to use two different public IP addresses on my DMZ with an ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation that I'm looking for a solution to?
    My old range of public IP addresses is finished, I mean the 41.x.x.0 range.
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP address ranges on the same DMZ on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with subinterfaces on both the router and the ASA interface.
    Can someone please help me with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture, you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the method chosen on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would only require you to start configuring Static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration, other than for the different IP addresses of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case, though, you might run into a problem with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni

  • (ASA 5510) How do assign multiple public IP addresses to outside interface?

    Hi,
    I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses; one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510, traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as on the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or subinterfaces need to be created first? Please bear in mind I'm doing the config via ASDM.
    PS. Everything else seems to be OK, i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
    Any help much appreciated as I really need to get this sorted by Sunday night!
    Jan

    The ASA 5505 is slightly different from the ASA 5510. The ASA 5505 has switchports, while the ASA 5510 has all routed ports, hence there is no need for VLAN assignment unless you are creating a trunk port with subinterfaces.
    In regards to static NAT, which version of ASA are you running?
    For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
    static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
    For ASA version 8.3 and above:
    object network obj-192.168.0.3
         host 192.168.0.3
         nat (inside,outside) static 123.123.123.125
    Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
    For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
    For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
    Hope that helps.
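The two answers above (Jouni's object NAT plus ACL example, and the note that from 8.3 the inbound ACL must name the real address rather than the mapped one) combine into a check worth running on an ASA 8.3+ config. As an added example, not code from either post or from Cisco, this Python script parses object NAT and access-list lines and flags any ACE on the outside ACL whose destination is a mapped address: such an entry never matches on 8.3+, so a permit leaves the service unreachable and a deny restricts nothing. The sample config is constructed from the addresses used in the posts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ASA 8.3+ syntax (not the configs from the posts above).
# SERVER-1 is done the 8.3 way (the ACE names the object, so it matches the real
# address); the SMTP permit for MAIL-SERVER points at the mapped address, the
# pre-8.3 habit, and on 8.3+ never matches.
SAMPLE_CONFIG = """\
object network SERVER-1
 host 10.10.20.2
 nat (DMZ,outside) static 2.2.2.2 dns
object network MAIL-SERVER
 host 192.168.0.3
 nat (inside,outside) static 123.123.123.125
access-list OUTSIDE-IN extended permit tcp any object SERVER-1 eq www
access-list OUTSIDE-IN extended permit tcp any host 123.123.123.125 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.3 eq smtp
access-group OUTSIDE-IN in interface outside
"""

def parse_static_nat(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each 'object network' carrying a static NAT to (real_ip, mapped_ip)."""
    objects: Dict[str, Tuple[str, str]] = {}
    current = real = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)\s*$", line)
        if m:
            current, real = m.group(1), None
            continue
        m = re.match(r"^\s*host (\S+)\s*$", line)
        if m and current:
            real = m.group(1)
            continue
        m = re.match(r"^\s*nat \(\S+,\S+\) static (\S+)", line)
        if m and current and real:
            objects[current] = (real, m.group(1))
    return objects

def _addr_spec(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one ACE address spec; returns (kind, value, next_index)."""
    if tok[i] in ("any", "any4", "any6"):
        return "any", "", i + 1
    if tok[i] in ("host", "object", "object-group"):
        return tok[i], tok[i + 1], i + 2
    return "subnet", f"{tok[i]} {tok[i + 1]}", i + 2   # "a.b.c.d mask" form

def find_mapped_destinations(config: str) -> List[Dict[str, str]]:
    """ACEs whose destination is a NAT mapped IP. On ASA 8.3+ an ACE must name
    the real (pre-NAT) address or the object: a permit for the mapped address
    is dead and a deny for it only gives a false sense of restriction."""
    objects = parse_static_nat(config)
    mapped_to_obj = {mapped: name for name, (_, mapped) in objects.items()}
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    findings: List[Dict[str, str]] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        i = 3 if tok[2] == "extended" else 2          # position of permit/deny
        if tok[i] not in ("permit", "deny"):
            continue
        try:
            _, _, j = _addr_spec(tok, i + 2)          # skip protocol, eat source
            kind, dst, _ = _addr_spec(tok, j)         # destination spec
        except IndexError:
            continue                                  # malformed or truncated ACE
        if kind == "host" and dst in mapped_to_obj:
            name = mapped_to_obj[dst]
            findings.append({
                "acl": tok[1], "interface": bound.get(tok[1], "(not applied)"),
                "action": tok[i], "mapped": dst, "real": objects[name][0],
                "fix": f"use 'host {objects[name][0]}' or 'object {name}'",
            })
    return findings
```

On a pre-8.3 ASA the same finding would mean the opposite (the mapped address is what the ACL should reference), so check the running version before acting on the output.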

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have the base and plus license and want to activate it. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM, what range should I give?
    There is an ISA server on the DMZ where all user IPs get PATed, and this gets NATed on the ASA. Direct access to the Internet exists for the servers (bypassing the proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have, and whether it is related to the management interface IP address.
    Thanks and Regards.
    Sonu

    Hi
    Put your CSC IP address in the outside interface subnet, because the CSC needs automatic updates from the Internet, and you can manage the CSC remotely.
    For example:
    If your outside IP is 10.0.0.1/24, make the CSC IP 10.0.0.2/24 with gateway 10.0.0.1.
    Hope this helps.
    Regards
    S.Mohana sundaram
