
Adding additional WAN IP's to ASA 5506


  • Adding additional WAN IP's to ASA 5506

    Hi and happy new year..!!

    I'm trying to configure an additional WAN IP on my Cisco ASA 5506. On the outside interface I have configured one of the IPs from my ISP; I am now looking to add a secondary one. Is this achieved by adding a static route, selecting the outside interface, assigning the internal IP of the device on that network and then adding the second WAN IP which I am looking to use? Or is there another method?

    I'm not familiar with the ASAs (other routers have allowed me to add secondary WAN IPs).

    Thanks

  • #2
    You would be adding any additional IPs to the external interface as 'secondary IPs'. They won't be used until you assign them in routing or NAT/PAT settings, or for specific in-bound traffic to be port-forwarded (for example) like a web page you're hosting.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Thanks, so just to confirm: you don't add the additional IPs to the interface (which is currently configured for 1 IP); once you add rules in NAT/PAT for the additional external IP and corresponding service, the traffic will flow?



      • #4
        Doing a bit of a search to bone up on ASA docs (while I support one for a customer, I haven't had to make a change in some time), I found another forum where you've asked the same question. The conversation there appears to answer your question--have you tried that yet? My recollection is with an IOS 8.2 ASA, which is probably older than what you're asking about. By all means, give their recommendations a try and reply back here. I'll admit that my ASA brain cells have shrivelled with age. Sorry.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA




        • #5
          Yep, worked a treat: added the additional WAN IP into the NAT table and all was fine. Can you tell me - do you need to assign 2 external IPs to a single interface to manage the firewall and router respectively? Or is it like a conventional router which routes and acts like a firewall but you only need to add one IP (static route points to the outside interface IP)?



          • #6
            You should NEVER allow any access to the control/management interfaces from an external interface, regardless of how many addresses are on it. That way lies ruin. If you can log in from some remote location to control that router, what's to stop anyone else from working out how to do the same thing? All such management should only ever be done from an internal interface, which is inside the network your router is trying to protect. The gateway address that all of your internal traffic points to on the router is the address you would connect to, either with a web or SSH cmd line connection, to make your config changes. In fact, you should set an ACL that only allows certain IPs to even attempt to make that login connection, to prevent any non-admin users from attempting to make any changes from the inside.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA




            • #7
              Sorry I should have been more cautious in my wording, I didn't mean manage as in the management of the router. What I meant was given the ASA is a router and a firewall - am I correct in thinking there is no issue assigning one static external IP to the WAN\Outside interface and adding a static route for all LAN\inside traffic to that interface\IP?



              • #8
                That's more like it. You wouldn't need a 'static route'; it will be a 'default route'. The difference is that a static route is normally used to get traffic to a specific destination, where a default route is any path to send traffic when nothing else more specific will do. If your external interface is defined as the default route, you can make other routing changes to your internal network and never have to touch the external port or the default route again. There's probably already a default route pointing to the external port, so as long as you have a NAT/PAT (Network vs Port Address Translation) rule set up, your internal traffic should get wherever you're aiming at and come back as expected.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA


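                The configuration the thread has arrived at so far (one address on the outside interface, the second public IP used only in NAT, a default route rather than a static route, and management restricted to the inside), as an added example that is not from any post in this thread or from Cisco documentation. It assumes ASA software 8.3 or later (object-based NAT syntax) and constructed, hypothetical addresses: ISP block 203.0.113.8/29 with gateway 203.0.113.9, ASA outside 203.0.113.10, second public IP 203.0.113.11, inside LAN 192.168.1.0/24, web server 192.168.1.10 and admin PC 192.168.1.50.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; all addresses are
! constructed placeholders (RFC 5737 documentation ranges).
!
! 1. Only ONE address is configured on the outside interface. The second
!    public IP does not appear here at all.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! 2. Default route (0.0.0.0/0), not a host-specific static route, via the
!    ISP gateway on the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! 3. Outbound PAT: the whole LAN hides behind the outside interface address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 4. The second public IP exists only as the mapped address of a static NAT
!    rule. The ASA answers ARP for it on the outside (proxy ARP) because of
!    this rule, so the ISP gateway can deliver traffic for it. Only TCP/443
!    is forwarded, not the whole address.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.11 service tcp https https
!
! 5. NAT alone does not admit traffic: an inbound ACL on the outside
!    interface is still required. In 8.3+ the ACL references the REAL
!    (inside) address of the server, not the mapped public one.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq https
access-group OUTSIDE-IN in interface outside
!
! 6. Management (ASDM over HTTPS and SSH) only from the inside interface and
!    only from the single admin host. No http/ssh statement names "outside".
http server enable
http 192.168.1.50 255.255.255.255 inside
ssh 192.168.1.50 255.255.255.255 inside
ssh version 2
```

                To confirm the second address is live without touching the interface, `show nat detail` lists the static translation and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.11 443` (source address also constructed) walks a simulated inbound packet through the ACL and NAT phases and reports whether it would be allowed to 192.168.1.10.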


                • #9
                  Works a treat - thanks.



                  • #10
                    You're welcome, glad it's sorted.
                    *RicklesP*
                    MSCA (2003/XP), Security+, CCNA




                    • #11
                      Sorry to continue this one - I can start another post if required? I'm trying to access a service on the same LAN\inside interface but using the external URL\IP. As I understand it this is called hairpin\U-turn NAT, is that correct?

                      If so how do you go about configuring it using the ASDM? Or can it only be done using the CLI?

                      Thanks



                      • #12
                        It's not really recommended to do that, but here's something I found through:
                        https://supportforums.cisco.com/t5/f...n/td-p/1407782
                        *RicklesP*
                        MSCA (2003/XP), Security+, CCNA




                        • #13
                          Originally posted by RicklesP:
                            It's not really recommended to do that, but here's something I found through:
                            https://supportforums.cisco.com/t5/f...n/td-p/1407782
                          Thanks, how come it's not recommended? As split DNS is quite common in networks. If we use the internal IP for the service then we'll get certificate errors?



                          • #14
                            The 'not recommended' was a repeat of comments at the link I gave you. I've never even attempted this type of setup myself, and don't really see why it's necessary (older IOS versions can't even do this). As for the certificate question, it may very well have to do with the name of the certificate vs the URL you're using to access the server. If the cert was issued for <servername>.com, and you're accessing it either solely by the internal IP or <servername>.local or some such, you're using different names in the browser window than the name in the certificate itself. And that gives you an error.
                            *RicklesP*
                            MSCA (2003/XP), Security+, CCNA


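                            The hairpin (U-turn) NAT asked about in #11, written out as an added example; it is not from this thread, from RicklesP, or from the linked Cisco forum post. It assumes ASA 8.3+ manual (twice) NAT and the same constructed addresses as before: inside 192.168.1.0/24, web server 192.168.1.10, its public address 203.0.113.11. Because the inside clients keep using the public hostname, the name in the browser still matches the name in the certificate, which is the failure mode #13 and #14 discuss.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; addresses are
! constructed placeholders.
!
! An inside client resolves the public name to 203.0.113.11, so its packet
! enters the inside interface and must leave through the same interface.
! The ASA drops such traffic unless this is enabled.
same-security-traffic permit intra-interface
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WEB-SERVER
 host 192.168.1.10
object network WEB-PUBLIC
 host 203.0.113.11
!
! Twice NAT on (inside,inside):
!   - destination: 203.0.113.11 is rewritten to the real server 192.168.1.10
!     (manual NAT syntax is "destination static <mapped> <real>")
!   - source: the client address is ALSO rewritten to the inside interface
!     address. Without this the server would answer the client directly on
!     the LAN, the reply would bypass the ASA, and the TCP handshake would
!     fail because the client expects the answer from 203.0.113.11.
nat (inside,inside) source dynamic INSIDE-NET interface destination static WEB-PUBLIC WEB-SERVER
!
! Alternative that avoids hairpinning altogether (DNS doctoring): add "dns"
! to the existing static rule so the ASA rewrites 203.0.113.11 to
! 192.168.1.10 inside DNS replies that pass through it. This only helps when
! inside clients use an EXTERNAL resolver, because the reply must cross the
! ASA to be rewritten; with an internal DNS server, split DNS (an internal
! zone returning 192.168.1.10 for the same public name) does the same job.
! object network WEB-SERVER
!  nat (inside,outside) static 203.0.113.11 service tcp https https dns
```

                `packet-tracer input inside tcp 192.168.1.20 40000 203.0.113.11 443` (client address constructed) shows whether the inside-to-inside flow is permitted and which NAT rule it hits; `show xlate` afterwards should list both the destination and the source translation for the session. The side effect to weigh, and the likely reason the linked post calls it "not recommended", is that the server's logs then show every internal client as the ASA's inside interface address rather than the real client.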