Adding additional WAN IPs to ASA 5506


This topic contains 13 replies, has 3 voices, and was last updated by  Dext 10 months, 3 weeks ago.


  • 5habbaranks
    Member
    #167365

    Hi and happy new year..!!

    I’m trying to configure an additional WAN IP on my Cisco ASA 5506. On the outside interface I have configured one of the IPs from my ISP; I am now looking to add a secondary one. Is this achieved by adding a static route, selecting the outside interface, assigning the internal IP of the device on that network and then adding the second WAN IP which I am looking to use? Or is there another method?

    I’m not familiar with the ASAs (other routers have allowed me to add secondary WAN IPs).

    Thanks


    Anonymous
    #372081

    You would be adding any additional IPs to the external interface as ‘secondary IPs’. They won’t be used until you assign them in routing or NAT/PAT settings, or for specific in-bound traffic to be port-forwarded (for example) like a web page you’re hosting.


    Dext
    Member
    #379159

    Thanks, so just to confirm: you don’t add the additional IPs to the interface (which is currently configured for 1 IP); once you add rules in NAT/PAT for the additional external IP and corresponding service, the traffic will flow?


    Anonymous
    #372083

    Doing a bit of a search to bone up on ASA docs (while I support one for a customer, I haven’t had to make a change in some time), I found another forum where you’ve asked the same question. The conversation there appears to answer your question. Have you tried that yet? My recollection is with an IOS 8.2 ASA, which is probably older than what you’re asking about. By all means, give their recommendations a try and reply back here. I’ll admit that my ASA brain cells have shrivelled with age. Sorry.


    Dext
    Member
    #379160

    Yep, worked a treat: added the additional WAN IP into the NAT table and all was fine. Can you tell me, do you need to assign 2 external IPs to a single interface to manage the firewall and router respectively? Or is it like a conventional router which routes and acts like a firewall, but you only need to add one IP (static route points to the outside interface IP)?


    Anonymous
    #372085

    You should NEVER allow any access to the control/management interfaces from an external interface, regardless of how many addresses are on it. That way lies ruin. If you can log in from some remote location to control that router, what’s to stop anyone else from working out how to do the same thing? All such management should only ever be done from an internal interface, which is inside the network your router is trying to protect. The gateway address that all of your internal traffic points to on the router is the address you would connect to, either with a web or SSH command-line connection, to make your config changes. In fact, you should set an ACL that only allows certain IPs to even attempt to make that login connection, to prevent any non-admin users from attempting to make any changes from the inside.
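    The restriction described above, as an added ASA configuration example (not from the thread or from Cisco documentation). It assumes the inside interface is named "inside", an admin subnet of 192.168.1.0/24 with an ASDM workstation at 192.168.1.50 and a syslog host at 192.168.1.20 (all constructed addresses), local AAA, and a placeholder password. The security-relevant point is what is absent: there is no `ssh ... outside` or `http ... outside` line, so the outside interface accepts no management connections at all.

```cisco
! Added example (not from the thread). Constructed addresses; placeholder password.
! Authenticate SSH and ASDM (HTTPS) logins against the local user database.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username admin password ChangeMe-Placeholder privilege 15
!
! SSH only from the admin subnet, only on the inside interface, SSHv2 only.
ssh version 2
ssh timeout 10
ssh 192.168.1.0 255.255.255.0 inside
!
! ASDM only from a single admin workstation, only on the inside interface.
http server enable
http 192.168.1.50 255.255.255.255 inside
!
! Record logins and config changes on an inside syslog host.
logging enable
logging trap informational
logging host inside 192.168.1.20
!
! Check what is actually exposed after the change:
!   show run ssh
!   show run http
```

    After applying this, `show run ssh` and `show run http` should list only inside-facing entries; any line ending in `outside` is the misconfiguration the post warns about.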


    Dext
    Member
    #379161

    Sorry, I should have been more cautious in my wording. I didn’t mean manage as in the management of the router. What I meant was, given the ASA is a router and a firewall, am I correct in thinking there is no issue assigning one static external IP to the WAN/outside interface and adding a static route for all LAN/inside traffic to that interface IP?


    Anonymous
    #372086

    That’s more like it. You wouldn’t need a ‘static route’, it will be a ‘default route’. The difference is that a static route is normally used to get traffic to a specific destination, where a default route is any path to send traffic when nothing else more specific will do. If your external interface is defined as the default route, you can make other routing changes to your internal network and never have to touch the external port or the default route, again. There’s probably already a default route pointing to the external port, so as long as you have a NAT/PAT (Network vs Port Address Translation) rule set up, your internal traffic should get wherever you’re aiming at and come back as expected.
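    The arrangement the two replies above describe (one address on the outside interface, a default route, PAT for outbound traffic, and the second public IP carried only in NAT), as an added ASA 8.3+ configuration example that is not from the thread. It assumes a 5506 with interfaces named "outside" and "inside", an ISP block 203.0.113.0/29 with gateway 203.0.113.1, a primary address 203.0.113.2, a second public address 203.0.113.3, and an inside web server at 192.168.1.10; all addresses are constructed from documentation ranges. On 8.2 and earlier the NAT syntax (`static`/`global`/`nat` commands) is different and this block does not apply as written.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax, constructed addresses.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! A single default route toward the ISP. No static route is needed for the
! second public address: the ASA proxy-ARPs for addresses it translates.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound PAT: the whole LAN leaves behind the primary interface address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The second public IP is never configured on the interface. It is bound to
! the server by a static object NAT and answered for via proxy ARP.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.3
!
! NAT alone does not admit traffic; the interface ACL must permit it. Since
! 8.3 the ACL matches the real (inside) address, not the translated one.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
!
! Verification:
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 443
```

    The `packet-tracer` check should show the flow passing the ACL, the UN-NAT to 192.168.1.10, and a final "allow"; if it stops at the ACL phase the `access-group` binding is missing, and if it stops at NAT the object rule is not matching.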


    Dext
    Member
    #379162

    Works a treat – thanks.


    Anonymous
    #372089

    You’re welcome, glad it’s sorted.


    Dext
    Member
    #379163

    Sorry to continue this one, and I can start another post if required. I’m trying to access a service on the same LAN/inside interface but using the external URL/IP. As I understand it this is called hairpin/U-turn NAT, is that correct?

    If so how do you go about configuring it using the ASDM? Or can it only be done using the CLI?

    Thanks


    Anonymous
    #372091

    It’s not really recommended to do that, but here’s something I found through Google:
    https://supportforums.cisco.com/t5/firewalling/nat-hairpin/td-p/1407782


    Dext
    Member
    #379164
    RicklesP wrote:
    It’s not really recommended to do that, but here’s something I found through Google:
    https://supportforums.cisco.com/t5/firewalling/nat-hairpin/td-p/1407782

    Thanks, how come it’s not recommended? Split DNS is quite common in networks. If we use the internal IP for the service then we’ll get certificate errors?


    Anonymous
    #372093

    The ‘not recommended’ was a repeat of comments at the link I gave you. I’ve never even attempted this type of setup myself, and don’t really see why it’s necessary (older IOS versions can’t even do this). As for the certificate question, it may very well have to do with the name of the certificate vs the URL you’re using to access the server. If the cert was issued for .com, and you’re accessing it either solely by the internal IP or .local or some such, you’re using different names in the browser window than the name in the certificate itself. And that gives you an error.
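    The hairpin (U-turn) NAT asked about earlier in the thread, as an added ASA 8.3+ configuration example that is not from the thread or from the linked Cisco forum post. It assumes the inside interface is named "inside", the LAN is 192.168.1.0/24, the server is 192.168.1.10 behind public address 203.0.113.3, and the object names shown; all addresses are constructed. Because the client keeps using the public hostname, the certificate name still matches, which addresses the certificate concern raised above.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax, constructed addresses.
! Required: by default the ASA refuses to forward traffic back out the
! interface it arrived on.
same-security-traffic permit intra-interface
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WEB-SERVER-REAL
 host 192.168.1.10
object network WEB-SERVER-PUBLIC
 host 203.0.113.3
!
! Twice NAT, inside to inside: rewrite the destination from the public address
! to the real one, and PAT the client behind the inside interface address so
! the server's reply returns via the ASA instead of going straight to the
! client (an asymmetric path that would break the TCP handshake).
nat (inside,inside) source dynamic INSIDE-NET interface destination static WEB-SERVER-PUBLIC WEB-SERVER-REAL
!
! Verification from an inside client address:
!   packet-tracer input inside tcp 192.168.1.25 40000 203.0.113.3 443
!   show xlate
```

    Two caveats a practitioner would want: the server sees every hairpinned client as 192.168.1.1 (the inside interface address), so server-side logs and per-IP rate limits lose the real client; and if the ASA is on the path of the LAN's DNS replies, adding the `dns` keyword to the existing object NAT (`nat (inside,outside) static 203.0.113.3 dns`) rewrites the public address to the real one in DNS answers, which avoids hairpinning entirely while clients still connect by the public name.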

