Using a second Public IP Address:

Guys, 
My client has been allocated 2 Public IP Addresses from the ISP, but we always just used one of them because there was never a need to use the second. Well, we now have a situation where we need to port forward port 5060 to two different local IP addresses. The obvious solution would be to use the second public IP Address and port forward it to 5060 and then call it a day. I just don't understand how that works on a Cisco router. Does the router know about all of the Public IPs because, when I added the main public IP Address on the WAN port, I put in the subnet mask that accounts for the 2 IPs? How do I make the Router aware of my second Public IP Address?
Thanks in advance for all of your help,  

You won't be able to port forward the same port on the same public IP to different local IPs because the router will have no way of knowing which local IP it is meant for.
But what you could do is use your existing IP for one of the translations and the second IP for the other, e.g.
ip nat inside source static tcp 192.168.5.10 5060 interface gi0/1 5060
where gi0/1 is the outside interface and then
ip nat inside source static tcp 192.168.5.11 5060 <unused public IP> 5060
In terms of how it works with the second public IP, the ISP has a router with an IP from the same public IP range. So when traffic gets to the ISP router inbound from the internet, the ISP router requests the MAC address of the public IP.
Your router performs proxy ARP for that public IP, so it responds with the MAC address of its outside interface.
This means that traffic for that IP is sent to your router.
Jon
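
Added example (not part of the original thread): a Python check of the rule in the answer above, that one public IP and port can be forwarded to only one local host, together with a test of whether each public IP sits in the WAN subnet where the ISP router would ARP for it. The config text, the 203.0.113.0/29 and 198.51.100.9 documentation addresses, and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample config. 203.0.113.0/29 stands in for the ISP-assigned block;
# the third NAT line is a deliberate duplicate and the fourth uses an off-subnet IP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
ip nat inside source static tcp 192.168.5.10 5060 interface gi0/1 5060
ip nat inside source static tcp 192.168.5.11 5060 203.0.113.3 5060
ip nat inside source static tcp 192.168.5.12 5060 203.0.113.3 5060
ip nat inside source static tcp 192.168.5.13 5061 198.51.100.9 5061
"""

NAT_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)$"
)


def if_key(name):
    """Map 'gi0/1' and 'GigabitEthernet0/1' to the same key (simplified matching)."""
    m = re.match(r"([A-Za-z]+)([\d/.]+)$", name)
    return (m.group(1)[:2].lower(), m.group(2)) if m else (name.lower(), "")


def parse_interfaces(config):
    """Return {interface key: ip_interface} for each primary interface address."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = if_key(m.group(1))
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found


def parse_static_nat(config, interfaces):
    """Return static port forwards, resolving 'interface X' to X's own address."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        proto, local_ip, local_port, ifname, global_ip, global_port = m.groups()
        if ifname:
            global_ip = str(interfaces[if_key(ifname)].ip)
        rules.append((proto, local_ip, int(local_port), global_ip, int(global_port)))
    return rules


def find_conflicts(rules):
    """Public (proto, IP, port) tuples that are claimed by more than one local host."""
    by_global = defaultdict(list)
    for proto, local_ip, local_port, global_ip, global_port in rules:
        by_global[(proto, global_ip, global_port)].append((local_ip, local_port))
    return {k: v for k, v in by_global.items() if len(v) > 1}


def outside_wan_subnet(rules, wan):
    """Public IPs outside the WAN interface's connected subnet (no ARP from the ISP)."""
    return sorted({g for _, _, _, g, _ in rules
                   if ipaddress.ip_address(g) not in wan.network})


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    rules = parse_static_nat(SAMPLE_CONFIG, ifs)
    for key, hosts in find_conflicts(rules).items():
        print("conflict:", key, "->", hosts)
    for ip in outside_wan_subnet(rules, ifs[if_key("gi0/1")]):
        print("not in WAN subnet:", ip)
```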

Similar Messages

  • How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.

    How To Using Two Different Public IP Address on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me with this situation that I'm looking for a solution to?
    My old range of public IP addresses is finished, I mean (the 41.x.x.0 range).
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give some additional public
    IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range of 197.216.1.24/29.
    So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ
    on Cisco ASA 5520 v8?
    How should my configuration look?
    I was told about implementing static NAT with subinterfaces on both the router and the ASA interface.
    Can someone please give me some help with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would require you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses, of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into a problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards LAN also).
    Hopefully the above was helpful. Naturally ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni

  • ACE:LB several https services using same client(public) IP address

    Works perfectly with http but doesn't with https:
    class-map type http loadbalance match-all domain_mysite2
      2 match http header Host header-value "www.mysite2.com"
    class-map match-any vip_http
      2 match virtual-address 192.168.99.100 tcp eq www
    class-map match-any vip_https
      2 match virtual-address 192.168.99.100 tcp eq https
    policy-map type loadbalance first-match L7_policymap
      class domain_mysite2
        serverfarm sfarm_SFARM2
      class class-default
        serverfarm sfarm_SFARM1
    policy-map multi-match L4_policymap
      class vip_http
        loadbalance vip inservice
        loadbalance policy L7_policymap
        loadbalance vip icmp-reply active
      class vip_https
        loadbalance vip inservice
        loadbalance policy L7_policymap
        loadbalance vip icmp-reply active
    Need urgent help.

    Hi Antonio,
    Have a look at this below as well for details.
    Example of an SSL Termination Configuration
    The following example illustrates a running configuration of the ACE acting as an SSL proxy server; terminating SSL or TLS connections from a client and then establishing a TCP connection to an HTTP server. When the ACE terminates the SSL or TLS connection, it decrypts the cipher text from the client and transmits the data as clear text to the HTTP server. The SSL termination-specific configuration elements appear in bold in the example.
    access-list ACL1 line 10 extended permit ip any any
    probe https GEN-HTTPS
      port 80
      interval 50
      faildetect 5
      expect status 200 200
    rserver SERVER1
      ip address 172.27.16.11
        inservice
    rserver SERVER2
      ip address 172.27.16.12
        inservice
    rserver SERVER3
      ip address 172.27.16.13
        inservice
    rserver SERVER4
      ip address 172.27.16.14
        inservice
    serverfarm host SFARM1
      description SERVER FARM 1 FOR SSL TERMINATION
      probe GEN-HTTPS
      rserver SERVER1 80
        inservice
      rserver SERVER2 80
        inservice
    serverfarm host SFARM2
      description SERVER FARM 2 FOR SSL TERMINATION
      probe GEN-HTTPS
      rserver SERVER3 80
        inservice
      rserver SERVER4 80
        inservice
    parameter-map type ssl PARAMMAP_SSL_TERMINATION
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA priority 3
      version all
    parameter-map type connection TCP_PARAM
      syn-data drop
      exceed-mss allow
    ssl-proxy service SSL_PSERVICE_SERVER
      ssl advanced-options PARAMMAP_SSL_TERMINATION
      key MYKEY.PEM
      cert MYCERT.PEM
    class-map type http loadbalance match-all L7_SERVER_CLASS
      description Sticky for SSL Testing
      2 match http url .*.jpg
      3 match source-address 192.168.130.0 255.255.255.0
    class-map type http loadbalance match-all L7_SLB-HTTP_CLASS
      2 match http url .*
      3 match source-address 192.168.130.0 255.255.255.0
    class-map match-all L4_SSL-TERM_CLASS
      description SSL Termination VIP
      2 match virtual-address 192.168.130.11 tcp eq https
    policy-map type loadbalance first-match L7_SSL-TERM_POLICY
      class L7_SERVER_CLASS
        serverfarm SFARM1
        insert-http I_AM header-value "SSL_TERM"
        insert-http SRC_Port header-value "%ps"
        insert-http DEST_IP header-value "%id"
        insert-http DEST_Port header-value "%pd"
        insert-http SRC_IP header-value "%is"
      class L7_SLB-HTTP_CLASS
        serverfarm SFARM1
        insert-http I_AM header-value "SSL_TERM"
        insert-http SRC_Port header-value "%ps"
        insert-http DEST_IP header-value "%id"
        insert-http DEST_Port header-value "%pd"
        insert-http SRC_IP header-value "%is"
    policy-map multi-match L4_SSL-VIP_POLICY
      class L4_SSL-TERM_CLASS
        loadbalance vip inservice
        loadbalance policy L7_SSL-TERM_POLICY
        loadbalance vip icmp-reply
        ssl-proxy server SSL_PSERVICE_SERVER
        connection advanced-options TCP_PARAM
    interface vlan 120
      description Upstream VLAN_120 - Clients and VIPs
      ip address 192.168.120.1 255.255.255.0
      fragment chain 20
      fragment min-mtu 68
      access-group input ACL1
      nat-pool 1 192.168.120.70 192.168.120.80 netmask 255.255.255.0 pat
      service-policy input L4_SSL-VIP_POLICY
      no shutdown
    ip route 10.1.0.0 255.255.255.0 192.168.120.254
    Regards,
    Kanwal

  • (ASA 5510) How do assign multiple public IP addresses to outside interface?

    Hi,
    I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510, traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? Please bear in mind I'm doing the config via ASDM.
    PS. everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
    Any help much appreciated as I really need to get this sorted by Sunday night!
    Jan

    ASA 5505 is slightly different to ASA 5510. ASA 5505 has switchports, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub-interfaces.
    In regards to static NAT, which version of ASA are you running?
    For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
    static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
    For ASA version 8.3 and above:
    object network obj-192.168.0.3
         host 192.168.0.3
         nat (inside,outside) static 123.123.123.125
    Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
    For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
    For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
    Hope that helps.
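
Added example (not part of the original thread): a Python check for the version difference described in the answer above, flagging inbound ACL entries that name the mapped address on 8.3 and later, or the real address on 8.2 and earlier. The two sample configs and the ACL name outside_in are constructed, reusing the addresses from the post; only "permit ... any host X" entries are handled, and the function names are illustrative.

```python
import re

# Constructed sample: the 8.3+ NAT form from the answer, with one ACL line
# carried over unchanged from an 8.2-style config (mapped address as destination).
SAMPLE_83 = """\
object network obj-192.168.0.3
 host 192.168.0.3
 nat (inside,outside) static 123.123.123.125
access-list outside_in extended permit tcp any host 123.123.123.125 eq smtp
access-list outside_in extended permit tcp any host 192.168.0.3 eq https
access-group outside_in in interface outside
"""

# Constructed sample: the 8.2 'static' form, with one ACL line written 8.3-style.
SAMPLE_82 = """\
static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.168.0.3 eq smtp
access-list outside_in extended permit tcp any host 123.123.123.125 eq smtp
access-group outside_in in interface outside
"""

ACL_RE = re.compile(
    r"access-list (\S+) extended permit (\w+) any host (\S+)(?: eq (\S+))?"
)


def asa_static_pairs(config):
    """Return {real_ip: mapped_ip} from 8.2 'static' lines and 8.3+ object NAT."""
    pairs, host = {}, None
    for line in config.splitlines():
        m = re.match(
            r"static \([\w-]+,[\w-]+\) (\S+) (\S+) netmask 255\.255\.255\.255", line
        )
        if m:
            pairs[m.group(2)] = m.group(1)  # 8.2 order is mapped first, then real
            continue
        if re.match(r"object network ", line):
            host = None  # a new object starts; forget the previous host
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = re.match(r"\s+nat \([\w-]+,[\w-]+\) static (\S+)", line)
        if m and host:
            pairs[host] = m.group(1)
    return pairs


def audit_inbound_acl(config, version):
    """Flag permit entries whose destination is the wrong side of a static NAT.

    version is a (major, minor) tuple: 8.3 and later expect the real address,
    8.2 and earlier expect the mapped (NATed) address.
    """
    pairs = asa_static_pairs(config)
    mapped_to_real = {mapped: real for real, mapped in pairs.items()}
    expects_real = version >= (8, 3)
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        dest = m.group(3)
        if expects_real and dest in mapped_to_real:
            findings.append((line, f"use real address {mapped_to_real[dest]}"))
        elif not expects_real and dest in pairs:
            findings.append((line, f"use mapped address {pairs[dest]}"))
    return findings


if __name__ == "__main__":
    for cfg, ver in ((SAMPLE_83, (8, 4)), (SAMPLE_82, (8, 2))):
        for line, advice in audit_inbound_acl(cfg, ver):
            print(f"{ver[0]}.{ver[1]}: {line}\n    -> {advice}")
```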

  • Multiple Public IP Addresses To Be Used For DMZ - ASA 5505 - IOS 8.4(2)

    I'm trying to figure out how to forward an IP address to my DMZ servers allowing me to use the ACL to control access to the servers within my DMZ interface (LAN).  I can't figure out if the ASA handles that automatically when a NAT rule is created, or maybe when an ACL is created, or do I need to add it when configuring the interface (outside)?  Ex: IP Address: 1.1.1.1, 2.2.2.2, 3.3.3.3
    Notes:
    - I'm using the ASDM but can use CLI if needed.
    - All IP address are fictitious of course.
    - I currently have a public IP address of 1.1.1.1 that is used for all traffic coming from the ASA (including my NATed inside traffic).
    - My local LAN subnet is 10.10.10.0/24.
    - My DMZ subnet for my servers is 10.10.20.0/24.
    - I have an IP address I want to use (public) of 2.2.2.2 that would be forwarded to my DMZed server of 10.10.20.2.
    - I have an IP address I want to use (public) of 3.3.3.3 that would be forwarded to my DMZed server of 10.10.20.3.

    Hi,
    I am not sure if I understood you correctly.
    Are you just asking how to configure Static NAT for your DMZ servers and allow traffic to them?
    If so the basic NAT configuration format would be
    object network SERVER-1
    host 10.10.20.2
    nat (DMZ,outside) static 2.2.2.2 dns
    object network SERVER-2
    host 10.10.20.3
    nat (DMZ,outside) static 3.3.3.3 dns
    The above 2 "object network" create the Static NAT between the internal private and external public IP addresses.
    access-list OUTSIDE-IN remark Allow traffic to DMZ servers
    access-list OUTSIDE-IN permit tcp any object SERVER-1 eq www
    access-list OUTSIDE-IN permit tcp any object SERVER-2 eq ftp
    access-group OUTSIDE-IN in interface outside
    The above creates an ACL which allows for example HTTP traffic to SERVER-1 and FTP traffic to SERVER-2. Finally the last command attaches the ACL to the "outside" interface. If you already have an ACL attached to the "outside" interface then you naturally use that one.
    Those are just simple examples.
    Please let me know if I understood you incorrectly or if I missed something.
    - Jouni

  • Public ip address can't be used locally to access hosted websites

    I have Snow Leopard Server and I have successfully set up the server to be accessible via a public static IP address. I'm hosting some test websites, and cannot access those sites locally using the public IP address, only using the private IP address. However, externally, I can access the sites using the public IP address.
    In other words, while I'm at the office, I can only view the sites using the private ip address and not the public ip address. However, while I'm at home I can see the sites using the public ip address.
    Why can't I access the public ip address locally?
    I'm new to os x server ... New to any kind of server for that matter, so please keep explanations simple.
    I'm at a serviced office, and the router here is not mine and I have no control over it. Some IT company manages it for the site, and they weren't very helpful. They basically told me there's nothing they can do and blamed Mac OS X Server - since they could just wash their hands of the matter since they don't deal with Macs.
    I was told by someone else, that this is common issue with some routers and that they could fix the issue on their end, but don't want to do it for what ever reason.
    I could simply access the sites using the private ip address, but I'd rather use the public one as this is currently causing issues with some of the software we're using.
    Any ideas how to resolve this?

    The IT company (shock, horror) apparently doesn't understand IP routing, or didn't understand what you were asking. This case has nothing to do with Mac OS X nor Mac OS X Server, and everything to do with the capabilities of the gateway box.
    I'm here going to refer to the firewall / gateway / router / DHCP server / box at the edge of your network as a gateway, because I really don't want to type all that stuff each time I describe this box. Your particular box might or might not be capable of all that.
    Why? Likely because your particular gateway device is not capable of detecting and reflecting the connections back toward the target server.
    IP routing. In small words.
    If an IP address is within a range of IP addresses designated by the subnet mask, the packet goes directly to the target host.
    If an IP address is not within that range, the packet is sent to the gateway.
    The gateway will then send the packet to the next router on the way to the target. With a typical low cost firewall gateway box, that next router is likely the ISP's routers. With a somewhat higher-end box and with a smarter router within the gateway, the packets can go to other IP routers.
    If the gateway is implemented for it, the gateway router's own address(es) will be recognized, and reflected back inwards. That means the address is public IP address on the way out, and is NAT'd when reflected, and sent back at the target host via whatever local processing rules or local port-forwarding rules might be defined and present within the gateway box.
    Now what usually happens here ([once you get the hang of setting up DNS services|http://labs.hoffmanlabs.com/node/1436]) is called split-horizon DNS, and that's where your public DNS domain is also mostly-duplicated as one of the domains on your LAN and thus reachable in your LAN domain, and your local DNS server in your Mac OS X Server is then configured to return a private IP address (and one within the range of addresses defined by your IP subnet mask), and which entirely bypasses your gateway and allows the packet to go directly to the target box. Put another way, with split-horizon DNS, you insinuate your LAN DNS server into the network and configure it to pass out (or spoof) IP name-to-address translations for your public DNS names, and pass out local (direct, LAN, private) IP addresses.
    The other option is to see if the IT company can switch the gateway box into what's usually called "bridged" mode, or swap in a box that acts as a bridge and not a router, and to install your own gateway behind it. Not all boxes permit that, but some do.

  • BPF Package Manager won't open in remote connection using Public IP address

    I have a problem opening BPF package manager.
    I'm able to open BPF package manager on my server and for all local BPC users, but on the remote connection (VPN/web) they couldn't open the BPF.
    Our server uses a private IP address, which is 10.1.25.81 (local LAN), but we also access BPC remotely using a
    public IP address (202.129.238.46 or http://servername.example.com/osft ) using a configuration of IP forwarding in our router.
    example:
    (LAN)
    User 1 on System 1 - does the BPF work?yes
    User 1 on System 2 - does the BPF work?yes
    User 2 on System 1 - does the BPF work?yes
    User 2 on System 2 - does the BPF work?yes
    (WAN/VPN)
    User 1 on System 1 - does the BPF work?no
    User 1 on System 2 - does the BPF work?no
    User 2 on System 1 - does the BPF work?no
    User 2 on System 2 - does the BPF work?no

    When you are performing installation of BPC or after if you are looking into Server Manager - Server Option you will see for application server, web server and reporting services server you have two fields where you can specify name for internal and nae Example for application server:
    Application  Server name: FQDN (or IP)
    External Application Name: FQDN (or IP)
    Normally we recommend using the FQDN (fully qualified DNS name)
    because if the DNS entries are set correctly then you will be able to connect from internal and also from external without any problem.
    The system will provide the correct IP every time.
    In my opinion you used an IP, and the problem is that internally the external IP is not recognized.
    Please verify the configuration and provide more information about the landscape.
    Only in this way will we be able to provide you the right suggestions to fix this issue.
    Kind Regards
    Sorin Radulescu

  • HT2500 how do I use Mail when I have a second e-mail address?

    How do I use Mail when I have a second e-mail address?

    If you are running Snow Leopard:
    Go under the Mail menu and choose Preferences, then choose the Accounts tab.  Under the box on the left you will see a + , click on it.  This will add a new account.  Now you must put in all the information needed to access that account. 

  • Configure WRT54G Wireless Router with PUBLIC IP address and use DHCP for internal computers

    Hi, I have an Internet online service with 5 public IP addresses. The router and the AP are connected to a switch. I would like to configure a WRT54G wireless router with one of these public IP addresses and use DHCP (with private IP addresses) for the computers that will connect to the AP. As the AP is connected to the switch, is it possible that other wired computers that are connected to the same switch can obtain an IP address from the DHCP?
    Thanks in advance
     

    Thanks for your help. Please correct me if I'm wrong. After connecting the equipment the way you suggest, I set up a static IP address (the public IP) in the WRT54G. I enable DHCP in the WRT54G with a range from 10.10.0.100 to 10.10.0.200 (as an example). The gateway is the public IP address, right? How do I route the 10.10.0.x addresses to the public IP address? Thanks again.

  • I have two itunes accounts because I used a second email address by mistake as an id.  Can I merge them?

    I have two iTunes accounts because I used a second email id by mistake years ago and have lived with it ever since.  How can I merge them to access all my music in one place?

    no way yet.

  • Create public facing web site of SharePoint intranet portal with Public IP Address

    Hi,
    I did below steps to create public facing URL and to access outside domain network (Internet).
    1. Got a public IP Address.
    2. Created an extending web application to existing Web Application (default zone - intranet) and Zone selected to Internet and host header given test.contoso.com.
    3. Went to IIS and edit binding of Internet site. Provided public IP Address in 'IP Address' textbox and given host name as test.contoso.com. 
    Above are the 3 steps used to get access to http://test.contoso.com on the Internet. But I am unable to access it and have not seen any relevant message.
    Please help me and provide me steps to achieve.

    Did you actually register the contoso.com address on the Internet?  And is it associated with the public IP Address?  To access SharePoint from the Internet you are going to use http://test.contoso.com.  The Internet DNS servers need to be
    able to resolve that to your Public IP in order to find the SharePoint server.
    Second, did you bind your external IP address to one of the network cards on your SharePoint server?  Or is your Firewall or other gateway device forwarding traffic to the SharePoint server at that address?
    Another problem you may have is whether that Internet IP address is even reachable on your internal network from the Internet.  Most companies have Firewalls in place to keep external users from accessing addresses inside your network.
    It sounds like you've done all the SharePoint configuration correctly, but you also need to make sure that TCP/IP is correctly configured.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • How can i use a second router to replace verizon fios router?

    Okay, so just as the title says, how do I use a second router? I got a Cisco Valet router... I don't know how to use it because the Verizon router/modem is weird. I know how to use a router if I only had a modem, but FiOS gives a router/modem, so how can I use my 2nd router? The current Verizon FiOS router/modem is b/g mode and I wanna change to b/g/n so I can get a better speed from my internet... So how can I use my 2nd router? I tried this http://www.dslreports.com/faq/verizonfios/3.0_Networking#12506 but I don't get it. Can someone guide me better or make a video explanation on how to use a 2nd router? I have it connected with see as in pic I connect from my router Internet port to WAN port and the Ethernet LAN port to the Ethernet LAN port on Verizon FiOS and no work, please help...

    OK, so with this, we have a few options. You appear to have a MoCa connection to the ONT, hence the coaxial cable being present.
    1: The ActionTec can be bridged to the Valet router. This will not require any additional cabling, however it will require a small amount of work to have working. You will also require the ActionTec still in the mix, even though it will not be acting as a router anymore with this configuration.
    Visit http://www.dslreports.com/faq/16077 and look at Option 4. There is a thread linked that will allow you to set up the ActionTec as just a MoCa bridge, and will pass the Public IP to your router. You will, in order for this to work once the ActionTec is bridged, need to connect the cable from your Valet router's Internet port, to the ActionTec's LAN port and nothing else goes to the ActionTec. From this point, your Valet should run as your primary and everything should connect through your Valet. If you are adding another router, a Netgear N300, you should perform the LAN to LAN setup, which we will talk about once you've got the Valet working correctly. LAN to LAN configs require a custom setup, so do not set up the Netgear for now.
    2: This is my preferred method, which would be to run an Ethernet cable to the ONT. Option 6 in the FAQ. This will require speaking to Verizon to have them move your ONT to Ethernet, but once they do this, you can disconnect the Coaxial Cable from your ActionTec router, and plug in your CAT5/CAT6 cable from the ONT to the ActionTec's Internet/WAN port. Use the ActionTec to ensure everything is working after the switchover, and once off the phone, log into the ActionTec, perform a DHCP Release, and then promptly power off the ActionTec. Once this is done, plug the CAT6 cable into your Valet router's Internet port. You should from this point, be able to connect to the Cisco, and if the DHCP Lease was broken successfully, the Cisco should begin serving up your Internet connection. If it does not, leave the Cisco powered off for a few hours to break the DHCP lease, and then power it up. If the Valet still does not work, give the Valet a factory reset and set up this router again, with the Ethernet cable from the ONT connected to it.
    I would just take a good look at the FAQ linked above again, and see what would work the best. Easiest thing to do is to get the ONT moved to Ethernet, which allows you to eliminate the ActionTec unless you need it in the future for TV service, and also allows you to use any router with ease.
    Once the Valet is up and running and holds your Public IP address from Verizon (use http://whatismyip.com/ to determine this), and also serves up IPs to devices on your network, post back and we can help you set up the Netgear. If you have any issues while setting this up, fall back to the ActionTec. Its factory reset will work without configuration needed, regardless of you being on Coax or Ethernet.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • How to configure ASA5512X DMZ with a Public IP address?

    Hi;
    I have an ASA5512X firewall with 6 interfaces. Interface 0 has been assigned to a WAN connectivity with ADSL, in which my ISP gave me two static IPs (not a block range of IPs). My ISP mapped the MAC address of an interface to an IP address; this is what they called "Dynamic-Static" which is likely you research a mac address of an device on DHCP server, then it always giving you the same ip address.
    Here is the scenario: in order to have the 2nd static IP, I need to give them the MAC address of another interface on the ASA5512X. I am thinking of giving them the MAC address of interface #3; however, the public IP address assigned to interface 0 is a WAN and the public IP address assigned to interface 3 will be on the same subnet from the ISP. In this scenario, are there any problems and limitations? Also, can I create a NAT to translate the public IP on the DMZ to one of the hosts in the inside LAN?

    What are you trying to do? What is the purpose of the second public IP? You can use that guy for any number of things. One to one NAT for one thing or another is most common [mail server, web server, RDP terminal, etc.]. All of those would go over the same interface to get out to the internet.
    Dynamic-Static is PAT. One IP address, multiple clients using different ports. Similar to NAT, but different in how the translation is handled.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939
    SOOOO To answer what you are asking, just give them the MAC of the Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.

  • Adding a Second Public IP Range

    Our current environment is configured as follows and is in the attached image.  We have two routers on the front end that are running BGP with three different ISP's.  Each ISP connects to a different interface on our routers.  The ISP interfaces use ISP supplied /30 IP's.  Our existing ARIN IP block is advertised out BGP and assigned to the inside interface of each router.  We run iBGP and GLBP on the routers inside interfaces.  We are close to using up our /24 block of ARIN assigned IP's.  We have received a new /24 block of ARIN assigned IP's that we want to use along with the existing /24 block.  What is the best way to add the new /24 block of IP's to our routers?  Do I need to assign them as a second IP to each router's inside interface?  Or, can I just advertise the new block out of BGP and add a static route to route the new block out the inside interfaces and not assign any secondary IP's to the inside interfaces?


  • "Share A Public IP address" Apple Utility Internet Connection

    After following advice in another thread I've gotten rid of some home network problems that started dogging me last Friday. I got rid of a Netgear router that was evidently causing IP problems with the Extreme.
    I've had to re-set the Extreme and now I am wondering if I want to under the Internet Connection Tab of the Airport Utility set "Connection Sharing" to "Share a public IP address"?
    I am now using the Extreme (N only) as a router, and have it feeding an Express(G only), a Netgear switch and two hard wired/Ethernet connected desktops.
    Thanks for any advice is one way or the other more secure from the outside world. I do have the Apple Firewall on my computer on.

    Unfortunately, you will need to "hard reset" your AirPort Express to clear out the old and conflicting settings on the device.
    To do that, hold in the reset button until the amber light begins to blink more quickly and keep holding another 4-5 seconds when this occurs, then release the reset button and the AirPort Express will restart. You should have a slow blinking amber light after 40-45 seconds. That is your signal that the Express can be reconfigured as you had it originally.
    Since you are effectively trying to run two routers, both handling DHCP on your network, you may need to keep an eye on things. Even if you avoid the IP address conflicts, you will have to deal with a Double NAT error on your network, which can slow communications between devices (and the Internet).
