<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Edge Router connection for Outside Interface of ASA 5520 in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209116#M350664</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If what you are saying is that you have an ISP router facing your ASA "outside" interface and that ISP Router interface that is facing your ASA holds the network 198.24.210.224/29 then there should be no problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ISP will route that whole network in their ISP Core and advertise it so traffic destined to any of those IP addresses from that network 198.24.210.224/29 will reach the ISP Router/ASA whether you are using the single IP address in question or not.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess we were already discussing this same thing on another topic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Are you still having problems with reaching other IP addresses from the subnet? I would ask the ISP to confirm the configuration on their side and confirm that they can see the ARP for the public IP address that is not working.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 02 May 2013 15:55:36 GMT</pubDate>
    <dc:creator>Jouni Forss</dc:creator>
    <dc:date>2013-05-02T15:55:36Z</dc:date>
    <item>
      <title>Edge Router connection for Outside Interface of ASA 5520</title>
      <link>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209115#M350663</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have an ASA 5520 firewall.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For broadband Internet access, we have a T1 Router (edge router provided by ISP) which provides public IPs 198.24.210.224/29.&lt;/P&gt;&lt;P&gt;We have usable public IPs 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We assigned 198.24.210.230 255.255.255.0 to the outside interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If we connect the ASA 5520 outside interface directly to the T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other devices like another router or switches?&lt;/P&gt;&lt;P&gt;I just assume that only packets with destination address 198.24.210.230 (outside interface ip) can reach the outside interface from the edge router.&lt;/P&gt;&lt;P&gt;Is it a wrong assumption?&amp;nbsp; If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for helping.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 01:37:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209115#M350663</guid>
      <dc:creator>johnlee43</dc:creator>
      <dc:date>2019-03-12T01:37:46Z</dc:date>
    </item>
    <item>
      <title>Edge Router connection for Outside Interface of ASA 5520</title>
      <link>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209116#M350664</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If what you are saying is that you have an ISP router facing your ASA "outside" interface and that ISP Router interface that is facing your ASA holds the network 198.24.210.224/29 then there should be no problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ISP will route that whole network in their ISP Core and advertise it so traffic destined to any of those IP addresses from that network 198.24.210.224/29 will reach the ISP Router/ASA whether you are using the single IP address in question or not.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess we were already discussing this same thing on another topic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Are you still having problems with reaching other IP addresses from the subnet? I would ask the ISP to confirm the configuration on their side and confirm that they can see the ARP for the public IP address that is not working.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 May 2013 15:55:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209116#M350664</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-05-02T15:55:36Z</dc:date>
    </item>
    <item>
      <title>Edge Router connection for Outside Interface of ASA 5520</title>
      <link>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209117#M350665</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Also,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To confirm your ASA configurations we would really have to see the configurations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 May 2013 15:58:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209117#M350665</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-05-02T15:58:28Z</dc:date>
    </item>
    <item>
      <title>Edge Router connection for Outside Interface of ASA 5520</title>
      <link>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209118#M350666</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi John,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, let's consider the packet flow here. ISP gets a packet for an IP in range provided to you, say 198.24.210.230 (outside interface ip), it will send arp broadcast on segment b/w ISP router and ASA (considering it is the first packet and ISP has no arp entries for this subnet). Since IP is assigned on outside of ASA, ASA will respond to arp broadcast and ISP will be able to pass the frame to ASA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, if packet comes for another IP in range which is not assigned anywhere (not on ASA outside or any other device in segment), no one will respond for arp broadcast and hence packet would be dropped as layer 2 lookup will fail.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now, if you have NAT configured on ASA and you use these IPs in range as mapped IPs on outside, ASA will do proxy arp for those IPs and in that way all traffic would be routed to ASA outside. Normally, you would use static NAT for inbound traffic to your internal machines/servers or dynamic PAT to allow internet access to internal users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-&lt;/P&gt;&lt;P&gt;Sourav&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 May 2013 18:25:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/edge-router-connection-for-outside-interface-of-asa-5520/m-p/2209118#M350666</guid>
      <dc:creator>sokakkar</dc:creator>
      <dc:date>2013-05-02T18:25:35Z</dc:date>
    </item>
  </channel>
</rss>

