How to deal with Overlapping IP on Outside interface on Cisco NGFW 5516-X

IlyaTaskaev
Level 1

Hi! We just bought a Cisco 5516-X with FTD preinstalled on the device. We already have a router/FW from another vendor and want to replace it with an NGFW from Cisco.


I started configuring the outside interfaces and noticed that the ASA doesn't support multiple IPs from the same subnet on one physical network interface in subinterfaces.


Our environment is a subnet provided by our ISP: XXX.XX.37.48/29, the GW is XXX.XX.37.49, and our IPs are XXX.XX.37.50-54.


We want to use at least two IPs from this list to NAT traffic to two different Exchange MX servers, which are both placed in our local network. In our DNS mail records we have two MX records. We don't want to completely change our internal infrastructure, if possible of course. I'd ask you to help me by providing a useful link to a technology that can help us deal with this.


4 Replies

You don't need something like secondary IPs in your scenario. Just configure the FTD with one IP; this will later be used for terminating VPNs and such.

For the public IPs that will be used for NAT, you only have to configure NAT rules and allow this traffic in the access control.

bhargavdesai
Spotlight


You don't have to worry about the two subnets. When you create the NAT entry it will take care of the second subnet/IP that you want to use. Make sure your ISP sends the traffic to your ASA's OUTSIDE interface's IP.


You do need to configure an access list to allow traffic in.


For reference:

https://community.cisco.com/t5/firewalls/multiple-wan-subnets-on-asa-5516/td-p/3039350


Bhaggu.

Thank you for your fast answers!


But how can I be sure that "the ISP sends the traffic to your ASA's OUTSIDE interface's IP"? I think it's impossible if the outside interface's IP is not the router's IP that routes traffic to my subnet (XXX.XX.37.48/29), and in that case we need to route our subnet ourselves, using our device.


Also, we have a configuration that was shared by our ISP:

atn3-140:
	interface GigabitEthernet0/2/20.XXX
	vlan-type dot1q XXX
	description
	mtu 9500
	ip binding vpn-instance internet
	ip address XXX.XX.2.229 255.255.255.252
	ip address XXX.XX.37.49 255.255.255.248 sub
	statistic enable
	loop-detect enable
	qos-profile uni-102400K inbound
	qos-profile uni-102400K outbound
	trust upstream not_6_7

Is that enough?

Also, I just read the link you provided, and I think I need to ask my ISP to do it, or to suggest any other way to implement it.


Your existing firewall/router has the IP XXX.XX.2.229 255.255.255.252, to which the ISP is sending the traffic for the XXX.XX.37.49 255.255.255.248 subnet.


So you have to configure that IP on the ASA's OUTSIDE interface if you are replacing the existing one.


I hope you got this. Do let me know if you need any further assistance. 


Bhaggu.
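Added example (not from any poster in this thread, and not Cisco's documentation): the ASA-style configuration the replies above describe, with one address on the outside interface and the other public addresses handled purely by static NAT plus an inbound access list. FTD is normally configured from FMC/FDM, but the resulting policy corresponds to this CLI. All addresses are constructed placeholders: 203.0.113.48/29 stands in for the redacted XXX.XX.37.48/29 (gateway .49, firewall .50, NAT addresses .51 and .52), and 10.0.0.10 / 10.0.0.11 are assumed internal MX server addresses. It assumes the /29 is directly on the outside link, which the ISP's secondary ("sub") address XXX.XX.37.49 suggests; if the firewall instead takes over the transit /30 address as the last reply suggests, only the outside interface and default route lines change, and the NAT objects and access list stay exactly the same.

```cisco
! Outside interface: exactly one address from the ISP range.
! The other public addresses are never configured on an interface;
! the firewall answers for them because a NAT rule references them.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.50 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route towards the ISP gateway (placeholder for XXX.XX.37.49).
route outside 0.0.0.0 0.0.0.0 203.0.113.49 1
!
! Static NAT: each internal MX server gets its own public address.
! 203.0.113.51 / .52 belong to the same /29 as the interface address
! but are NOT secondary interface IPs; NAT (with proxy ARP) handles them.
object network MX1-inside
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.51
!
object network MX2-inside
 host 10.0.0.11
 nat (inside,outside) static 203.0.113.52
!
object-group network MX-servers
 network-object host 10.0.0.10
 network-object host 10.0.0.11
!
! Inbound access list. Since ASA 8.3 the ACL matches the real (untranslated)
! inside addresses, so it references the MX servers, not the public IPs.
! Only SMTP is permitted; the static NAT alone does not allow anything in.
access-list OUTSIDE_IN extended permit tcp any object-group MX-servers eq smtp
access-group OUTSIDE_IN in interface outside
!
! Verification after applying:
!   show nat detail          - both static rules present, hit counts rising
!   show xlate               - 10.0.0.10 <-> 203.0.113.51, 10.0.0.11 <-> 203.0.113.52
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.51 25
!                            - should end in ALLOW via the OUTSIDE_IN rule
```

The point the thread makes is visible in the configuration: the interface holds a single address, and the two additional public addresses exist only inside `nat` statements. Restricting the access list to port 25 rather than `permit ip any` keeps the exposed surface to the mail service the MX records actually advertise.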
