04-16-2013 09:07 AM - edited 03-11-2019 06:29 PM
Our ISP has given us a secondary IP range on their internet routers. However, I need to have both sets of firewalls, as in the attached diagram, able to use the new IP range.
I have seen some documentation which suggests adding a static route onto the router pointing at the firewalls. However, I have two separate firewalls which do not talk to each other (we keep them isolated as failover protection).
Can I have some advice on how I would set this up to work properly?
(I have already asked the ISP about using Sub-Interfaces which is a non-starter as far as they are concerned)
Thanks
04-16-2013 09:53 AM
Hello,
You could use Proxy-ARP,
Regards,
Julio
02-19-2015 06:59 AM
Hi Julio/Jouni,
I recently ran into a situation wherein we would need to add a new public IP range on a single ASA FW.
Is there any progress on 9.x code to support the secondary IP address feature on ASA, just like in an IOS router?
Could you give an example/explain the difference between arp permit-nonconnected vs proxy-ARP that was mentioned here on this thread?
04-16-2013 10:12 AM
Hi,
If you want to use the Secondary IP Range at the edge of the firewalls and the firewalls are ASAs then there are some things related to ARP that have to be considered.
I have a small section written of the above in a NAT 8.3+ document I created on the forums if you want to have a look
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni
04-17-2013 01:03 AM
It happens that the firewalls are running 8.3(2.33), so in that case I should just be able to configure the static NATs without any issue? So I would guess that I just need to use:
Original IP (DMZ address), Translated IP (external address on new subnet), and the firewall will just work as with the main IP range.
However, we are looking to move the firewalls to a newer version of code, most probably V9. I assume that we would need the "arp permit-nonconnected" command adding in. Are there any other caveats for migrating from 8.3 to 9 code that could catch me out? I need to look into this before I start changing firewall rules.
Thanks
Giles
04-17-2013 02:12 AM
Hi,
It would seem to me that you could simply start using the new public IP address range in NAT statements right away.
On the newer versions you would need the "arp permit-nonconnected" command to be able to use a non-connected network range as NAT addresses on the ASA.
It is really hard to say what risks there are in moving from 8.3 to 9.x software. It depends so much on how your firewall is configured and what functionalities you are using on them.
Most of our firewalls are on 8.4(x) software and we will probably keep them that way until we get some new releases of the 9.x software. There seem to be different problems related to NAT, so I am not too keen on updating several ASAs which hold 100+ Security Contexts in them. With these 8.4(x) software releases I haven't run into any major bugs yet, at least. (Though again this depends on the setup and configuration.)
Then again, our risk of running into a bug might be mitigated due to the fact that we have spread different functionalities to totally different ASA hardware, so they are not all crammed into the same box.
I would probably read through the release notes of the different software levels and look for any caveats that might apply to what you are using on the ASAs.
I guess opening a TAC case might be one solution also.
- Jouni
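As an added illustration of the approach discussed above (static NAT into the new range, with proxy ARP on the ASA and "arp permit-nonconnected" on releases that require it), not a configuration from the thread or the attached diagram: the addresses, interface names and object names below are assumptions taken from documentation ranges, and it assumes the ISP places the new range as a secondary address on the router interface facing both firewalls, so each firewall can proxy-ARP for the mapped addresses it owns.

```text
! --- ISP router (IOS), interface facing both firewalls (assumed) ---
! Existing connected range 203.0.113.0/29, new range 198.51.100.0/28
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 ip address 198.51.100.1 255.255.255.240 secondary

! --- ASA (8.3+ NAT syntax), one of the two isolated firewalls (assumed) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Needed on releases that have the command so the ASA will answer ARP
! for mapped addresses that are not inside the outside interface's
! subnet. On the 8.3(2) code in the thread the command does not exist
! and the static NAT below is used as-is.
arp permit-nonconnected
!
! Static NAT: DMZ host -> public address in the NEW range.
! Static NAT proxy-ARPs for 198.51.100.10 on the outside interface by
! default ("no-proxy-arp" on the nat line would disable that), so the
! ISP router resolves the new address to this firewall's MAC.
object network dmz-web
 host 192.168.10.10
 nat (dmz,outside) static 198.51.100.10
!
! 8.3+ ACLs match the real (untranslated) address, hence the object.
access-list outside_in extended permit tcp any object dmz-web eq 443
access-group outside_in in interface outside
```

Because both firewalls sit on the same segment and each answers ARP for the addresses it NATs, the mapped addresses handed to the second firewall must be disjoint from those on the first (for example 198.51.100.16 onwards), or the ISP router's ARP cache will flap between the two. After applying it, "show arp" on the ISP router should list each new address against the correct firewall MAC, and "show nat detail" and "show xlate" on each ASA should show the translation being hit.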
04-17-2013 09:38 AM
Hello Bgl,
As I said before, you could use proxy ARP for this.
As Jouni mentioned, the behaviour of the ASA changes with the newest versions of the ASA.
Now on versions 8.6.1 and 8.4.3 the arp permit-nonconnected command is not available, so if you are going to a higher version where you will need to use proxy ARP, just avoid those versions.
Besides that, you should go to the latest one.