5habbaranksMemberJanuary 4, 2018 at 4:01 am #167365
Hi and happy new year..!!
I’m trying to configure an additional WAN IP on my Cisco ASA 5506. On the outside interface I have configured it with one of the IP’s from my ISP I am now looking to add a secondary. Is this achieved by adding a static route selecting the outside interface assigning the internal IP of the device on that network and then adding the second WAN IP which I am looking to use? Or is there another method?
I’m not familiar with the ASA’s (other routers have allowed me to add secondary WAN IP’s)
AnonymousJanuary 4, 2018 at 2:01 pm #372081
You would be adding any additional IPs to the external interface as ‘secondary IPs’. They won’t be used until you assign them in routing or NAT/PAT settings, or for specific in-bound traffic to be port-forwarded (for example) like a web page you’re hosting.January 5, 2018 at 2:13 am #379159
Thanks, so just to confirm you don’t add the additional IP’s to the interface (which is currently configured for 1 IP) once you add rules in NAT/PAT for the additional external IP and corresponding service the traffic will flow?
AnonymousJanuary 5, 2018 at 2:21 pm #372083
Doing a bit of a search to bone up on ASA docs (while I support one for a customer, I haven’t had to make a change in some time), I found another forum where you’ve asked the same question. The conversation there appears to answer your question–have you tried that yet? My recollection is with an iOS 8.2 ASA, which is probably older than what you’re asking about. By all means, give their recommendations a try and reply back here. I’ll admit that my ASA brain cells have shrivelled with age. Sorry.January 14, 2018 at 11:41 am #379160
Yep worked a treat, added the additional WAN IP into the NAT table and all was fine. Can you tell me – do you need to assign 2 external IP’s to a single interface to manage the firewall and router respectively? Or is it like a conventional router which routes and acts like a firewall but you only need to add one IP (static route points to the outside interface IP)?
AnonymousJanuary 15, 2018 at 1:23 pm #372085
You should NEVER allow any access to the control/management interfaces from an external interface, regardless of how many addresses are on it. That way lies ruin. If you can log in from some remote location to control that router, what’s to stop anyone else from working out how to do the same thing?? All such management should only ever be done from in internal interface, which is inside the network your router is trying to protect. The gateway address that all of your internal traffic points to on the router is the address you would connect to, either with a web or SSH cmd line connection, to make your config changes. In fact, you should set an ACL that only allows certain IPs to even attempt to make that login connection, to prevent any non-admin users from attempting to make any changes from the inside.January 16, 2018 at 1:44 am #379161
Sorry I should have been more cautious in my wording, I didn’t mean manage as in the management of the router. What I meant was given the ASA is a router and a firewall – am I correct in thinking there is no issue assigning one static external IP to the WANOutside interface and adding a static route for all LANinside traffic to that interfaceIP?
AnonymousJanuary 16, 2018 at 1:13 pm #372086
That’s more like it. You wouldn’t need a ‘static route’, it will be a ‘default route’. The difference is that a static route is normally used to get traffic to a specific destination, where a default route is any path to send traffic when nothing else more specific will do. If your external interface is defined as the default route, you can make other routing changes to your internal network and never have to touch the external port or the default route, again. There’s probably already a default route pointing to the external port, so as long as you have a NAT/PAT (Network vs Port Address Translation) rule set up, your internal traffic should get wherever you’re aiming at and come back as expected.
AnonymousJanuary 19, 2018 at 10:41 am #372089
You’re welcome, glad it’s sorted.January 19, 2018 at 2:59 pm #379163
Sorry to continue this one – and I can start another post if required? I’m trying to access a service on the same laninside interface but using the external urlip. As I understand it this is called hairpinuturn nat, is that correct?
If so how do you go about configuring it using the ASDM? Or can it only be done using the CLI?
AnonymousJanuary 20, 2018 at 2:30 pm #372091
It’s not really recommended to do that, but here’s something I found thru :google::
https://supportforums.cisco.com/t5/firewalling/nat-hairpin/td-p/1407782January 21, 2018 at 8:42 am #379164RicklesP;n515822 wrote:It’s not really recommended to do that, but here’s something I found thru :google::
Thanks how come its not recommended? As split DNS is quite common in networks. If we use the internal IP for the service then we’ll get certificate errors?
AnonymousJanuary 22, 2018 at 2:31 pm #372093
The ‘not recommended’ was a repeat of comments at the link I gave you. I’ve never even attempted this type of setup myself, and don’t really see why it’s necessary (older IOS versions can’t even do this). As for the certificate question, it may very well have to do with the name of the certificate vs the URL you’re using to access the server. If the cert was issued for .com, and you’re accessing it either solely by the internal IP or .local or some such, you’re using different names in the browser window than the name in the certificate itself. Adn that gives you an error.
You must be logged in to reply to this topic.