topic Two separate address pools on the same interface? in Network Security

Two separate address pools on the same interface?

d.vinnedge — Tue, 12 Mar 2019 00:41:11 GMT

I'm something of a routing novice so bear with me...

We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses comming into one interface and then comming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?

I've never done something like this before - that's why I'm asking the question! Any help/direction would be appreciated!

Thank you!

Two separate address pools on the same interface?

lcaruso — Wed, 26 Dec 2012 22:42:17 GMT

It works. Nothing needed except NAT statments that have the 2nd ip range addresses specfied. As long as your ISP routes them to the ASA's outside interface, the ASA is smart enough to NAT them for you.

Re: Two separate address pools on the same interface?

Jouni Forss — Wed, 26 Dec 2012 22:44:10 GMT

Hi,

You shoud not create subinterfaces for this purpose. You will only complicate your setup and cause problems.

To be able to use the new public IP address range its basicly mostly up to the ISP configurations. As long as the ISP has routed the new public subnet towards ASA outside interface it should be usable. What you do with it is up to you.

You could

Start using the new public IP address range for server NAT addresses directly on the ASA firewall and configure Static NAT when a new LAN/DMZ server needs it.
You can also route the new public subnet further in to your LAN behind the ASA and use the public subnet directly as some subnet for server etc.
You could also configure the public subnet directly to some interface on the ASA if you want the ASA to be the gateway of the network. (This would be ofcourse some other interface than the current "outside" interface)

All of the above depends on how your network is built. Meaning for example how your link to ISP is configured and what kind of devices you have on your network.

Pleare rate if the information was helpfull and/or ask more questions if the above didnt answer your questions.

- Jouni

Two separate address pools on the same interface?

lcaruso — Wed, 26 Dec 2012 22:47:03 GMT

NAT and ACLs are both needed.

Re: Two separate address pools on the same interface?

d.vinnedge — Thu, 27 Dec 2012 15:23:51 GMT

Thank you both. I didn't realize that the ASA would be "smart" enough to handle two IP ranges on the same interface. I simply created the access rules and then the nat translations and it worked!