topic Normally they would simply in Network Security

Multiple WAN subnets on ASA 5516

douglas.shupe — Tue, 12 Mar 2019 09:02:42 GMT

We are upgrading our ISP link to a VRRP connection and in doing so they needed two of our public IP addresses. Due to this change they have provided two public subnets that they are providing via one handoff. My question is how do I set this up on my side so that I can utilize the new subnet for 1:1 NAT. Would I just create a sub interface on the 'outside' interface? I would normally think so and they would just route the information to our subnet, but they gave me a separate gateway to use. Please see information below.

Current Subnet:

111.111.111.240/28

111.111.111.241:Gateway

New Subnet:

222.222.222.136/29

222.222.222.137:Gateway

Interface configuration and route information:

nameif outside
security-level 0
ip address 111.111.111.242 255.255.255.240

route outside 0.0.0.0 0.0.0.0 111.111.111.241

Normally they would simply

Jon Marshall — Fri, 10 Mar 2017 16:42:55 GMT

Normally they would simply route the new subnet to your existing outside interface. If they did that then you don't need to do anything other than just create NAT statements.

However if they have given you another gateway then it sounds like they are using secondary IP addressing at their end. So instead of routing the traffic their router will arp for any of the new IPs instead.

You still do not need to assign an IP from the new range to any interface but you do need to make sure you have arp for non connected networks allowed on your ASA ie.

"permit arp non-connected"

it may or may not be enabled depending on your software version.

It is worth checking with your ISP to find out exactly what they are doing.

Jon

Thanks for the confirmation

douglas.shupe — Fri, 10 Mar 2017 16:42:56 GMT

Thanks for the confirmation Jon. After posting I reached out to the ISP to check with them and they are indeed routing the new subnet to the existing one. That being said I don't even have to add it as a sub interface correct? Since they are handling the routing on their end.

No you don't need to assign

Jon Marshall — Fri, 10 Mar 2017 19:27:36 GMT

No you don't need to assign any interface an IP from that range, you can just use the new IPs in your NAT statements.

If they are definitely just routing it to your existing outside interface IP then you don't need to worry about the "permit arp non-connected" bit either.

Jon

Re: No you don't need to assign

ashwanik2008 — Thu, 16 Sep 2021 14:07:46 GMT

Thanks Jon for a great post. In my setup, ISP is routing to the existing outside interface IP of the FW and I`m able to use New range for the NAT statements.

My question is, will I be able to use New range for NAT`ing AnyConnect VPN users which connect to the Outside Interface IP from the Existing Range ?