topic ASA with two IP Ranges in Network Security

ASA with two IP Ranges

chubbspsu — Fri, 21 Feb 2020 08:53:58 GMT

I have two IP ranges coming from one provider over 1 T1, both are /29's. I've recently purchased an ASA 5510 to protect the office, but can't seem to make use of the second range of IP's. I'm connecting to a Cisco 2500 router and it all works fine with no firewall.

I have the second IP of the first range as eth0/0 and the second IP of the second range as eth0/0.1.

I'm sure it has something to do with routing, but I don't know how to specify the "next hop" as I do with the router in the policy route.

I'm at my wits end and fear that this firewall doesn't have the capabilities I was told it did (by the salesman of course).

Thanks,

Steve

Re: ASA with two IP Ranges

Fernando_Meza — Sun, 14 May 2006 03:53:44 GMT

Hi ... if I understood your scenario .. you have 2 public ranges right ..? and I believe you want to use them on the ASA right ..?

Is the ASA going to replace the 2500 router ..?

Can you elaborate a quick network diagram to understand what are you trying to achieve.

Re: ASA with two IP Ranges

chubbspsu — Sun, 14 May 2006 12:22:51 GMT

Yes, two ranges and want to use them both on the ASA. I intended to leave the 2500 in place as I don't have a T1 card for the ASA.

I've thrown together a quick network diagram of how it "should" work. Just to reiterate the original post though:

from the outside, I can ping router just fine, but I can only ping the xxx.xxx.239.58 interface, this is because I have a default route on the ASA of xxx.xxx.239.57. There's no route for the xxx.xxx.237.0/29 network on the firewall. (although oddly, the router can't seem to ping the xxx.xxx.237.2 interface even though there on the same network)

The ASA is configured such that Eth0/0 is xxx.xxx.239.58/29 and Eth0/0.1 is xxx.xxx.237.2/29.

Thanks for any help!

Re: ASA with two IP Ranges

chubbspsu — Mon, 15 May 2006 18:15:29 GMT

Am I to believe that this device can not handle more then 1 ip range? If anyone could answer before my time is up to return this unit I'd greatly appreciate it.

thanks,

Steve

Re: ASA with two IP Ranges

Fernando_Meza — Tue, 16 May 2006 06:09:21 GMT

you diagram does not look right .. are you able to provide the config of the 2500 router and the ASA ..

You have been given 2 public ranges so.

1.- you can configure one public range for connecting the ASA to the router ( I believe you have used x.x.239.56/29 segment ).

2.- The other range can be used as a DMZ on the ASA. You can allocate an IP address to one of its interfaces on this range ( I believe you have used x.x.237.2/29 ).

3.- You can't have x.x.237.1 on the router and x.x.237.2 on the ASA. You need to remove this from the router.

4.- You can use a third interface on the ASA for connecting your internal users.

5.- The ASA will be protecting your internal users in that way.

6.- You also need to make sure your ASA has default gateway pointing to the router.

7.- you need to make sure the route has a static route for x.x.237.0/29 pointing to the ASA.

I hope it helps ... please rate it if it does !!!