Adding Second subnet to Outside interface ASA 5512X 9.2

paulwtownsend — Tue, 12 Mar 2019 08:40:41 GMT

Have a client who only had provision for single IP address on the outside interface. Now they have had a another /29 subnet as they needs have increase. The current outside IP has 4 L2L VPN and 9 DNS entries , so instead of have to rekey all the changes I've tried to use the proxy arp and asked the ISP to route traffic for the new subnet to the public IP on he Outside interface.

interface GigabitEthernet0/0

nameif OUTSIDE

security-level 0

ip address <EXISTING_PUBLIC_IP> 255.255.255.252

interface GigabitEthernet0/1

nameif INSIDE

security-level 100

ip address 10.14.9.1 255.255.255.128

object network DTC-RDP/HTTPS

host 10.14.9.3

nat (INSIDE,OUTSIDE) static <FIRST NEW PUBLIC IP>

access-list OUTSIDE_ACCESS_IN extended permit tcp any host 10.14.9.3 eq https

If i hit https://<FIRST NEW PUBLIC IP> I don't get a response from the server. Before I talk to the ISP have I made a response a configuration error.

How is the the additional

Karsten Iwen — Mon, 19 Dec 2016 16:16:05 GMT

How is the the additional subnet configured by the ISP?

If they route the network to the ASA-IP, it should work.
If the ISP configured the network as a secondary network, then you need the following commad on the ASA:

arp permit-nonconnected

And you can use packet-tracer to check it:

packet-tracer input outside tcp 1.2.3.4 1234 NEW-PUBLIC-IP 443

topic Adding Second subnet to Outside interface ASA 5512X 9.2 in Network Security

Adding Second subnet to Outside interface ASA 5512X 9.2

How is the the additional