03-10-2017 07:52 AM - edited 03-12-2019 02:02 AM
We are upgrading our ISP link to a VRRP connection and in doing so they needed two of our public IP addresses. Due to this change, they have provided two public subnets that they are delivering via one handoff. My question is: how do I set this up on my side so that I can utilize the new subnet for 1:1 NAT? Would I just create a sub-interface on the 'outside' interface? I would normally think so and they would just route the traffic to our subnet, but they gave me a separate gateway to use. Please see the information below.
Current Subnet:
111.111.111.240/28
111.111.111.241:Gateway
New Subnet:
222.222.222.136/29
222.222.222.137:Gateway
Interface configuration and route information:
nameif outside
security-level 0
ip address 111.111.111.242 255.255.255.240
route outside 0.0.0.0 0.0.0.0 111.111.111.241
03-10-2017 08:42 AM
Normally they would simply route the new subnet to your existing outside interface. If they did that then you don't need to do anything other than just create NAT statements.
However, if they have given you another gateway then it sounds like they are using secondary IP addressing at their end. So instead of routing the traffic, their router will ARP for any of the new IPs instead.
You still do not need to assign an IP from the new range to any interface, but you do need to make sure you have ARP for non-connected networks allowed on your ASA, i.e. "permit arp non-connected". It may or may not be enabled depending on your software version.
It is worth checking with your ISP to find out exactly what they are doing.
Jon
03-10-2017 08:42 AM
Thanks for the confirmation Jon. After posting I reached out to the ISP to check with them and they are indeed routing the new subnet to the existing one. That being said, I don't even have to add it as a sub-interface, correct? Since they are handling the routing on their end.
03-10-2017 11:27 AM
No, you don't need to assign any interface an IP from that range; you can just use the new IPs in your NAT statements.
If they are definitely just routing it to your existing outside interface IP, then you don't need to worry about the "permit arp non-connected" bit either.
Jon
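As an added example (not configuration posted by Jon or the original poster), here is what the two answers above amount to on an ASA 9.x: a 1:1 static NAT for an internal host using an address from the new 222.222.222.136/29, while the outside interface keeps its existing 111.111.111.242 address and the default route stays unchanged. The inside interface name "inside", the internal host 192.168.1.10, the object name and the ACL name are assumptions for illustration; the public addresses are the ones from the thread.

```cisco
! Added example, not the thread's own configuration. Assumes an inside
! interface named "inside" and an internal server at 192.168.1.10 (both
! hypothetical). The outside interface and default route stay exactly as
! posted above:
!   ip address 111.111.111.242 255.255.255.240
!   route outside 0.0.0.0 0.0.0.0 111.111.111.241
!
! 1:1 (static) object NAT: the server is reachable as 222.222.222.138, an
! address in the new /29 that is not assigned to any ASA interface. The
! translation is bidirectional, so the server also sources outbound traffic
! from 222.222.222.138, and the ASA proxy-ARPs for that address on "outside".
object network SRV-INSIDE
 host 192.168.1.10
 nat (inside,outside) static 222.222.222.138
!
! Post-8.3 ASAs evaluate the outside ACL against the real (untranslated)
! address, and security-level 0 drops unsolicited inbound sessions by default,
! so admit only the service the host should expose instead of "permit ip any any".
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE-IN in interface outside
!
! Only for Jon's second case: the ISP is NOT routing the /29 but ARPing for
! its addresses from a secondary address on its router. Leave it disabled
! when the ISP confirms it routes the /29 to 111.111.111.242, as happened here.
! arp permit-nonconnected
```

To check the result without sending live traffic, `show nat` and `show xlate` confirm the translation is installed, and `packet-tracer input outside tcp 203.0.113.5 40000 222.222.222.138 443` (203.0.113.5 is a constructed RFC 5737 test source) walks an inbound packet through the un-NAT, ACL and route lookup stages and reports where it would be dropped. `show arp` on the outside interface should list the ISP gateway 111.111.111.241; if the ISP really does use secondary addressing, a missing or stale entry for 222.222.222.137 is the first sign that `arp permit-nonconnected` is needed.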
09-16-2021 07:07 AM
Thanks Jon for a great post. In my setup, the ISP is routing to the existing outside interface IP of the FW and I'm able to use the new range for the NAT statements.
My question is, will I be able to use the new range for NATing AnyConnect VPN users who connect to the outside interface IP from the existing range?