Welcome to Cisco Firewalls Community

Beginner

Routing new additional public IPs on existing firewall

Hi

We have run out of IP addresses on our current subnet and we have been given a new additional IP address subnet range by our ISP.

Reading this paragraph from a post a couple of years ago:

The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and ASA for this new subnet.

I have added a static NAT for the new public IP address to an existing DMZ host and then done a firewall rule to allow it. Based on the above I thought this would then work, or am I missing something else? I can't see any traffic for the new subnet hitting our firewall logs to show the connection is even being denied based on destination or source IPs. However, I can see traffic leaving the system as the new public IP hitting our sister firewall logs on another site whilst trying to surf to a web page to test the routing (but the web page doesn't display on the source).

I am also trying to triple-check with the ISP that they have routed the new subnet to the correct address of our existing firewall, but would appreciate any other suggestions in the meantime.

Many thanks,

Mark

1 ACCEPTED SOLUTION

Enthusiast

Hi

It sounds like the ISP hasn't done its work with the routing. If you try a traceroute from outside of your own network, it shouldn't reach you. Also, the server you have done the static NAT statement for shouldn't be able to reach the internet.
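A constructed ASA configuration for the setup Mark describes (a static NAT from one address in the new ISP block to a DMZ host, plus the inbound rule), followed by the checks that tell an ASA-side problem apart from the ISP routing problem Henrik suspects. This is an added example, not from the thread: the addresses (203.0.113.0/29 as the new block, 10.10.20.5 as the DMZ host), object names and interface names are placeholders, and the access list uses the real (untranslated) address as ASA 8.3 and later require.

```cisco
! --- Constructed example, not the poster's configuration ---
! New ISP block (placeholder): 203.0.113.0/29, routed by the ISP to the
! existing outside interface address. No change to the default route and
! no ARP/proxy-ARP configuration is needed for the new block.

! DMZ host that should answer on the new public address 203.0.113.2
object network DMZ-WEB-01
 host 10.10.20.5
 nat (dmz,outside) static 203.0.113.2

! Inbound rule. ASA 8.3+: reference the real (DMZ) address, not 203.0.113.2.
! Pre-8.3 code would instead match on the mapped (public) address.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB-01 eq https
access-group OUTSIDE-IN in interface outside

! --- Checks (run from enable mode) ---
! 1. Confirm the translation exists and shows the expected mapped address.
show nat detail | include 10.10.20.5

! 2. Simulate an inbound connection from the internet to the new public IP.
!    A PERMIT/ALLOW result means NAT and ACL are fine on the ASA; only the
!    ISP path remains. A DROP names the ACL or NAT line at fault.
!    (198.51.100.7 is a placeholder source address.)
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.2 443

! 3. Capture on the outside interface while an external test host browses
!    to 203.0.113.2. No packets seen = the ISP is not delivering the new
!    block to this firewall, which matches the symptom of nothing in the logs.
capture NEWNET interface outside match ip any host 203.0.113.2
show capture NEWNET
no capture NEWNET

! 4. Outbound from the DMZ host should already be sourced as 203.0.113.2
!    (this is why the sister site saw the new address). Return traffic still
!    depends on the ISP route, so the page will not load until that is fixed.
show xlate | include 203.0.113.2
```

The packet-tracer result in step 2 plus an empty capture in step 3 is the combination that points at the ISP rather than the firewall.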

2 REPLIES

Beginner

Hi Henrik

Thanks for replying; after lots of chasing, you were correct. All working perfectly now.

Mark