Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1916
Views
0
Helpful
3
Replies

ASA 5506-X 9.6 or 9.7 two outside interfaces same ip

Go to solution
lmediavilla
Level 1
Level 1

‎09-21-2017 12:27 AM - edited ‎02-21-2020 06:20 AM

Hello for my mpls provider I need to have two outside interfaces. I could do it with the 5505 using vlans.

Whit this model on 9.7 I just have bvi interfaces, If I use the bvi1 as the outside interface I cannot ping anything, It just works with the physical interface.

 

How can I have two outside interfaces with the same ip address?

 

regards

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
lmediavilla
Level 1
Level 1

‎10-23-2017 01:54 AM

I found the solution, first is required IOS 9.7, then bridge both interfaces, type a nameif for each one, create 3 ACLS, first ACL will match is the physical one next the bridge one

 

interface GigabitEthernet1/1
bridge-group 2
nameif Outside1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 2
nameif Outside2
security-level 100
!

interface BVI2
nameif Outside
security-level 0
ip address x.x.x.x x.x.x.x 
!

access-list Outside_access_in extended permit ip any any
access-list Outside2_access_in extended permit ip any any
access-list Outside1_access_in_1 extended permit ip any any

access-group Outside_access_in in interface Outside
access-group Outside1_access_in_1 in interface Outside1
access-group Outside2_access_in in interface Outside2

 

 

 

this solves the problem.

regards

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Flavio Miranda
VIP
VIP

‎09-21-2017 06:44 AM - edited ‎09-21-2017 06:44 AM

Hi,

 You can´t as far as I know. This is not only for Firewall, any device I ever touched dont allow two different interface to have the same IP address, for obvious reason. 

 By the way, a service provide should never request something like that. 

0 Helpful

Go to solution
Spooster IT Services
Level 7
Level 7

‎09-21-2017 07:04 AM

Hi  lmediavilla,

 

You can use feature called Redundant interface. A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. Below is the config example:

 

nterface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

 

 

Spooster IT Services Team
0 Helpful

Go to solution
lmediavilla
Level 1
Level 1

‎10-23-2017 01:54 AM

I found the solution, first is required IOS 9.7, then bridge both interfaces, type a nameif for each one, create 3 ACLS, first ACL will match is the physical one next the bridge one

 

interface GigabitEthernet1/1
bridge-group 2
nameif Outside1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 2
nameif Outside2
security-level 100
!

interface BVI2
nameif Outside
security-level 0
ip address x.x.x.x x.x.x.x 
!

access-list Outside_access_in extended permit ip any any
access-list Outside2_access_in extended permit ip any any
access-list Outside1_access_in_1 extended permit ip any any

access-group Outside_access_in in interface Outside
access-group Outside1_access_in_1 in interface Outside1
access-group Outside2_access_in in interface Outside2

 

 

 

this solves the problem.

regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card