https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186949#M386985 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You will have to use some other software than 8.6(1)</P><P></P><P>Check the command <STRONG>"arp permit-nonconnected"</STRONG></P><P></P><P>This will allow the ASA to populate its ARP table with nonconnected networks.</P><P></P><P>To be able to use this command you will need another software. Check this Cisco Release Notes section and especially the bottom section.</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp623913table623908" width="80%"><TBODY><TR align="left" valign="top"><TD><P> ARP cache additions for non-connected subnets </P></TD><TD><A name="wp623940"></A><P> The ASA ARP cache only contains entries from directly-connected subnets&nbsp; by default. You can now enable the ARP cache to also include&nbsp; non-directly-connected subnets. We do not recommend enabling this&nbsp; feature unless you know the security risks. This feature could&nbsp; facilitate denial of service (DoS) attack against the ASA; a user on any&nbsp; interface could send out many ARP replies and overload the ASA ARP&nbsp; table with false entries. </P><A name="wp623948"></A><P> You may want to use this feature if you use: </P><A name="wp623949"></A><P> •<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Secondary subnets. </P><A name="wp623950"></A><P> •<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Proxy ARP on adjacent routes for traffic forwarding. </P><A name="wp623951"></A><P> We introduced the following command: <STRONG>arp permit-nonconnected</STRONG>. </P><A name="wp623953"></A><P> <EM>This feature is not available in 8.5(1), 8.6(1), or 8.7(1).</EM> </P></TD></TR></TBODY></TABLE><P></P><P></P><P>Other option is to ask the ISP to route the nonconnected network towards the ASA directly.</P><P></P><P>Also you can check an explanation from a NAT 8.3+ document I created here on CSC</P><P></P><P><A class="jive-link-external-small" href="https://community.cisco.com/docs/DOC-31116">https://supportforums.cisco.com/docs/DOC-31116#MULTIPLE-SUBNETS</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please remember to mark the question as answered if it did or ask more if needed <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Sat, 20 Apr 2013 17:11:00 GMT Jouni Forss 2013-04-20T17:11:00Z https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186948#M386984 <P>Hi All,</P><P></P><P>Would someone comfirm that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?</P><P></P><P>We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.</P><P></P><P>With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to.</P><P>Also tried the 9.0 version with the same result.</P><P></P><P>Thanks in advance</P> Tue, 12 Mar 2019 01:32:11 GMT https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186948#M386984 Lulzim Islami 2019-03-12T01:32:11Z https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186949#M386985 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You will have to use some other software than 8.6(1)</P><P></P><P>Check the command <STRONG>"arp permit-nonconnected"</STRONG></P><P></P><P>This will allow the ASA to populate its ARP table with nonconnected networks.</P><P></P><P>To be able to use this command you will need another software. Check this Cisco Release Notes section and especially the bottom section.</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp623913table623908" width="80%"><TBODY><TR align="left" valign="top"><TD><P> ARP cache additions for non-connected subnets </P></TD><TD><A name="wp623940"></A><P> The ASA ARP cache only contains entries from directly-connected subnets&nbsp; by default. You can now enable the ARP cache to also include&nbsp; non-directly-connected subnets. We do not recommend enabling this&nbsp; feature unless you know the security risks. This feature could&nbsp; facilitate denial of service (DoS) attack against the ASA; a user on any&nbsp; interface could send out many ARP replies and overload the ASA ARP&nbsp; table with false entries. </P><A name="wp623948"></A><P> You may want to use this feature if you use: </P><A name="wp623949"></A><P> •<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Secondary subnets. </P><A name="wp623950"></A><P> •<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />Proxy ARP on adjacent routes for traffic forwarding. </P><A name="wp623951"></A><P> We introduced the following command: <STRONG>arp permit-nonconnected</STRONG>. </P><A name="wp623953"></A><P> <EM>This feature is not available in 8.5(1), 8.6(1), or 8.7(1).</EM> </P></TD></TR></TBODY></TABLE><P></P><P></P><P>Other option is to ask the ISP to route the nonconnected network towards the ASA directly.</P><P></P><P>Also you can check an explanation from a NAT 8.3+ document I created here on CSC</P><P></P><P><A class="jive-link-external-small" href="https://community.cisco.com/docs/DOC-31116">https://supportforums.cisco.com/docs/DOC-31116#MULTIPLE-SUBNETS</A></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please remember to mark the question as answered if it did or ask more if needed <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Sat, 20 Apr 2013 17:11:00 GMT https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186949#M386985 Jouni Forss 2013-04-20T17:11:00Z https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186950#M386986 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thank you for your clear explanation.</P><P></P><P>Valdet</P></BODY></HTML> Sun, 21 Apr 2013 13:00:23 GMT https://community.cisco.com/t5/network-security/asa-8-6-allow-publishing-to-only-one-range-of-public-ip/m-p/2186950#M386986 Lulzim Islami 2013-04-21T13:00:23Z