2nd IP address for outbound internet on ASA

Ryan Fisher
Level 1

Hi, I have an ASA 5510 running 8.2(5). High-level, I'm looking to have two different internal networks use two different public IP addresses.

Right now, I am using the global pool for doing a dynamic NAT for all internal networks out the outside interface. I also have the global NAT pool being used for all internal networks accessing the DMZ using the DMZ interface, using the same number.

global (DMZ) 101 interface
global (outside) 101 interface

nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 101 192.168.0.0 255.255.0.0

I can create a new global pool with a new number (like 102) and assign the external IP that I want to use to that pool, then create a dynamic NAT with that new global pool.

global (outside) 103 <public IP> <netmask>
nat (inside) 103 192.168.0.0 255.255.0.0

Testing with What's My IP Address shows now that the new public IP address is being used. Problem solved, you would think, but no. Now I cannot access anything in the DMZ because that network doesn't have a global pool for the DMZ interface. And I cannot add one because it conflicts with the original global pool 101.

My goal here is to have a separate public IP address used for our internet guest network (192.168.0.0) than what's used for the internet production network (10.x.x.x), but they still need to access DMZ resources. What am I missing?

Thanks!

2 Replies

Ryan Fisher
Level 1

In reading more about NAT'ing, I think the line I put in there for the global NAT to redirect that network out the public IP would only be good for one client going to the internet:

global (outside) 103 <public IP> <netmask>

Am I correct? So maybe this wasn't the correct way to do it in the first place!

Thanks

OK, I've got quite the thread going with myself here. :P

So, some more testing and I've found that more than one client is able to get to the internet with that same one IP address when I have that global NAT pool created. Next thing I tried, since I was unable to create another pool for the DMZ interface because it was already in use, I created a pool using the next IP address of the DMZ. So, the DMZ interface is 172.16.35.1 and I just created a pool using 172.16.35.2. That made it work! So, the config is:

global (DMZ) 101 interface
global (outside) 101 interface
global (outside) 103 <second public IP> <netmask>
global (DMZ) 103 172.16.35.2 255.255.255.255

nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 103 192.168.0.0 255.255.0.0

I can say it's working, but have no idea if it's the right way to do it or not, or what else I may have broken by doing that. Any help and an extra set of eyes is much appreciated.

Thanks!
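The thread above turns on one rule of pre-8.3 ASA NAT: a `nat (ingress) ID` statement is only usable towards an egress interface that has a matching `global (egress) ID` entry, and a single-address `global` is a PAT that serves many clients. The following is an added illustration, not part of the original post or of any Cisco software: a small Python model of that nat/global pairing, run over the poster's broken and working configurations. The public addresses (203.0.113.x) and interface IPs are constructed placeholders for the values masked in the thread, and the "first matching nat statement in configuration order" lookup and the "no translation group" outcome are this model's assumptions about ASA 8.2 behaviour, not output of a real device.

```python
"""Toy model of ASA 8.2-style nat/global ID pairing (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# nat (ifc) ID real_network real_mask
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# global (ifc) ID interface | global (ifc) ID addr [netmask] mask
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: (?:netmask )?(\S+))?$")

# Constructed interface addresses; the thread only names the DMZ one (172.16.35.1).
INTERFACE_IPS = {"outside": "203.0.113.1", "DMZ": "172.16.35.1", "inside": "10.100.0.1"}

# Poster's first attempt: global 103 exists on outside but not on DMZ.
BROKEN_CONFIG = """
global (DMZ) 101 interface
global (outside) 101 interface
global (outside) 103 203.0.113.10 255.255.255.255
nat (inside) 101 10.100.0.0 255.255.0.0
nat (inside) 103 192.168.0.0 255.255.0.0
"""

# Poster's working config: a second DMZ-side PAT address under ID 103.
FIXED_CONFIG = BROKEN_CONFIG + "global (DMZ) 103 172.16.35.2 255.255.255.255\n"


@dataclass
class NatTable:
    interface_ips: Dict[str, str]
    # (ingress_ifc, nat_id, real_network) in configuration order.
    nat_rules: List[Tuple[str, int, ipaddress.IPv4Network]] = field(default_factory=list)
    # (egress_ifc, nat_id) -> mapped address for that PAT/pool.
    pools: Dict[Tuple[str, int], str] = field(default_factory=dict)


def parse_config(text: str, interface_ips: Dict[str, str]) -> NatTable:
    """Build the lookup tables from nat/global lines; anything else is rejected."""
    table = NatTable(interface_ips)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            table.nat_rules.append((ifc, int(nat_id), ipaddress.IPv4Network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, addr, _mask = m.groups()
            # "interface" means PAT to the egress interface's own address.
            mapped = interface_ips[ifc] if addr == "interface" else addr
            table.pools[(ifc, int(nat_id))] = mapped
        else:
            raise ValueError(f"unrecognised line: {line}")
    return table


def translate(table: NatTable, ingress: str, src_ip: str, egress: str) -> Tuple[Optional[str], str]:
    """Return (mapped source address or None, explanation) for a flow ingress -> egress."""
    src = ipaddress.IPv4Address(src_ip)
    for ifc, nat_id, net in table.nat_rules:
        if ifc != ingress or src not in net:
            continue
        mapped = table.pools.get((egress, nat_id))
        if mapped is None:
            # Assumed ASA behaviour: the nat ID matched, but no global with that ID
            # exists on the egress interface, so the flow has no translation group.
            return None, f"nat ({ingress}) {nat_id} matched {src} but no global ({egress}) {nat_id} exists"
        return mapped, f"nat ({ingress}) {nat_id} -> global ({egress}) {nat_id} = {mapped}"
    return None, f"no nat ({ingress}) statement covers {src}"


def report(config_text: str) -> Dict[str, Optional[str]]:
    """Resolve the thread's two sample hosts towards both egress interfaces."""
    table = parse_config(config_text, INTERFACE_IPS)
    flows = {"prod->outside": ("10.100.1.10", "outside"), "prod->DMZ": ("10.100.1.10", "DMZ"),
             "guest->outside": ("192.168.1.10", "outside"), "guest->DMZ": ("192.168.1.10", "DMZ")}
    return {name: translate(table, "inside", src, egress)[0] for name, (src, egress) in flows.items()}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, report(cfg))
```

Running it shows the symptom the poster described: with the first configuration, guest-network traffic towards the DMZ resolves to no mapped address because ID 103 has no `global (DMZ)` entry, while production traffic under ID 101 still works in both directions. Adding `global (DMZ) 103 172.16.35.2` gives the guest network a DMZ-side PAT address of its own, which is exactly the change in the working config, and explains why it could not simply reuse ID 101 on the DMZ interface (one global per interface per ID). Hosts outside both nat statements resolve to nothing; on a real 8.2 box that is where `nat-control` decides whether such traffic is dropped or passed untranslated.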
