03-17-2016 05:29 AM - edited 03-12-2019 12:30 AM
Hello everybody,
our old range of public IP addresses is finished.
I asked our ISP, so we got a new public range.
Both public ranges are /29.
We use a Cisco ASA 5510 with an outside interface.
The new public IP address range is for a new Cisco VPN router, but I also want to use the public addresses for NAT on the existing ASA.
What must I do to use the new public range on the ASA?
Thanks, Oliver
03-17-2016 06:25 AM
Where is the "new cisco vpn router" located in relation to the "existing asa"?
Normally you would only need the ISP to route traffic headed for the new public IP range to the outside interface of the ASA. Then NAT / proxy ARP will take care of the rest.
--
Please remember to select a correct answer and rate helpful posts
03-17-2016 07:26 AM
Behind the router of the ISP is a switch.
The Cisco VPN router and the ASA are connected to the switch.
The Cisco VPN router should have its own public IP.
03-19-2016 12:24 AM
When you say the router should have its own public IP, I am assuming that this IP is not in the same range as that which is configured on the ASA (judging by your original post)?
If this is the case then the VPN router would need to be in its own VLAN, and the ISP router would need a public IP also configured within this same range.
To be able to use this range you would need to configure the ASA outside interface into subinterfaces, place them in their respective VLANs and configure them with their respective IP addresses. The second subinterface would be in the same subnet as that of the new public range. At this point you would be able to use the new public IP addresses on the ASA as well as on the VPN router.
--
Please remember to select a correct answer and rate helpful posts
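For readers who want to see what the subinterface approach from the post above looks like on an ASA, here is an added configuration sketch. It is not from the thread or from Cisco; all addresses (198.51.100.0/29 as the old range, 203.0.113.0/29 as the new one), VLAN IDs and interface names are constructed placeholders, and it assumes ASA 8.3+ syntax and a switch port toward the ASA that carries both VLANs as an 802.1Q trunk.

```text
! Physical outside port becomes a trunk carrier; identity moves to the subinterfaces.
! (Remove the old nameif/IP from it first, otherwise the subinterfaces cannot be created.)
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! VLAN 10: the existing public range, ISP gateway 198.51.100.1 (constructed)
interface Ethernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! VLAN 20: the new public range, ISP gateway 203.0.113.1 (constructed)
! The VPN router sits in this same VLAN with e.g. 203.0.113.3.
interface Ethernet0/0.20
 vlan 20
 nameif outside-new
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Only one default route is possible; keep it on the old range so that
! existing outbound NAT behaviour does not change.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inbound-only use of the new range: publish an internal host (10.10.10.20, constructed)
! on 203.0.113.4 via the new subinterface and open only the port it serves.
object network WEB-SERVER
 host 10.10.10.20
 nat (inside,outside-new) static 203.0.113.4
access-list OUTSIDE-NEW-IN extended permit tcp any host 10.10.10.20 eq https
access-group OUTSIDE-NEW-IN in interface outside-new
!
! Checks after applying:
!  show interface ip brief        -> both subinterfaces up with their addresses
!  show nat                       -> the static translation is present
!  show route                     -> 203.0.113.0/29 appears as a connected route
```

Two caveats a practitioner should weigh: this costs three addresses of the new /29 (ISP gateway, ASA, VPN router), as the later reply in the thread points out, and a VPN router placed directly in VLAN 20 sits in parallel with the ASA rather than behind it, so none of its traffic is inspected by the firewall. Connections that arrive on outside-new are answered on outside-new because the ASA tracks the ingress interface per connection; the single default route only governs traffic the inside initiates, which is why the example confines the new range to inbound services.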
03-21-2016 02:28 AM
I've found this article in this forum:
https://supportforums.cisco.com/discussion/11793301/seconadary-ip-address-multiple-firewalls
Is this the solution?
I can use the IPs for new equipment and, with the solution in the link, also for the firewall...
03-21-2016 10:33 AM
This is a solution to using a new / different public IP range on the ASA. In this scenario you will need the ISP to route the new subnet toward your ASA outside interface. The issue you might run into is that you indicated that you wish to use one of these addresses with a VPN router and have the router outside IP on the same subnet as the ASA. To do this you would need to create a new VLAN on your switch, assign an IP to both the ASA and the VPN router, as well as have the ISP set up an IP on their router for the default gateway. Doing this you have just wasted 3 public IP addresses.
If you just placed the router behind the ASA and NATed a public IP to the VPN router then this would work just fine. Then it is just a matter of allowing the IPsec traffic through the ASA which isn't a big deal.
--
Please remember to select a correct answer and rate helpful posts
03-21-2016 11:51 AM
Right, I want to use a new public range...
But on the ASA and also for new equipment.
But I don't want to route the new addresses to the outside interface of the ASA.
I know that this is possible.
I meant the point with the "arp permit-nonconnected" command.
Is this not a solution for my problem?
03-21-2016 12:13 PM
arp permit-nonconnected could be a solution if the ISP has the new subnet also configured on its router.
--
Please remember to select a correct answer and rate helpful posts
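To make the two remaining options in this thread concrete (the ISP routing the new subnet to the ASA, versus the ISP putting the subnet on its own router and the ASA answering ARP for it with arp permit-nonconnected), here is an added configuration example that is not from the thread or from Cisco. It places the VPN router behind the ASA as the earlier reply suggests, uses ASA 8.3+ NAT syntax, and all addresses are constructed placeholders: 198.51.100.2 is the ASA's existing outside address, 203.0.113.0/29 the new range, 10.10.10.2 the VPN router's inside address.

```text
! Common part: publish the VPN router on an address from the new range.
object network VPN-ROUTER
 host 10.10.10.2
 description inside address of the VPN router (constructed)
 nat (inside,outside) static 203.0.113.2
!
! Least privilege on the outside ACL: only IKE, NAT-T and ESP reach the router.
! (8.3+ ACLs reference the real, untranslated address.)
access-list OUTSIDE-IN extended permit udp any host 10.10.10.2 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 10.10.10.2 eq 4500
access-list OUTSIDE-IN extended permit esp any host 10.10.10.2
access-group OUTSIDE-IN in interface outside
!
! Option A: the ISP routes 203.0.113.0/29 to next hop 198.51.100.2.
! Nothing else is needed: packets for 203.0.113.2 arrive at the ASA's own MAC,
! and the static NAT delivers them to 10.10.10.2.
!
! Option B: the ISP instead puts 203.0.113.1/29 directly on its router interface,
! so its router ARPs on the shared segment for 203.0.113.2. By default the ASA
! (8.4(5)/9.0(2) and later) only answers ARP for mapped addresses inside the
! subnets configured on the interface, so enable this:
arp permit-nonconnected
!
! Checks:
!  show nat                 -> translation 10.10.10.2 <-> 203.0.113.2 with hit counts
!  show arp                 -> after traffic, the ISP gateway MAC is learned on outside
!  show conn | include 500  -> IKE sessions building through the ASA
```

Option B has one trap that matters when other equipment shares the segment: with arp permit-nonconnected the ASA answers ARP for every mapped address it holds, so never create a NAT mapping for an address that another device on the same VLAN (such as a VPN router with its own public IP) is using, or the ASA will win the ARP race and that device's traffic disappears. With either option, keeping the VPN router behind the ASA means the IPsec endpoint is covered by the firewall's ACL and connection logging, which is the reason the earlier reply prefers it over a parallel router in its own VLAN.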