Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1368
Views
0
Helpful
2
Replies

Any best practices for secondary interface/IP

Machi Ma
Level 1
Level 1

‎11-12-2014 01:21 AM - edited ‎03-11-2019 10:04 PM

Hello,

 

I am working for translate firewall from to ASA now.  As I know ASA did not support secondary interface IP. 

 

However, my existing firewall setup is using this method to bind different subnet into single Interface. 

 

Did any best practices to migrate into ASA environment?

 

Thanks!

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎11-12-2014 01:34 AM

Hi,

 

This depends on your current environment which we dont know about.

 

As ASA firewalls can not have secondary IP addresses on a single interface then the typical options would be to either

 

  • Move the gateway of these internal subnets (which need to be under the same interface) to an internal L3 switch or Router. Then configure a link network between that device and the ASA interface and route the subnets through that link subnet.
  • Configure the subnets to different ASA interface (actual physical interfaces or subinterface if using Trunking) and separate those subnets to different Vlans on your switch network (or if not using Vlans then simply to different switches)

 

I guess it would also be possible to have 2 separate physical ASA interfaces connected to the same network switch network (Vlan) where the 2 subnet are used and just configure the other gateway on the other interface and the other subnet on the other physical interface. I would assume it could work but I am really hesitant to even write this as this would certainly be something that I would not even consider unless in some really urgent situation where there was no other options (for some reason).

 

- Jouni

0 Helpful

Machi Ma
Level 1
Level 1
In response to Jouni Forss

‎11-12-2014 07:38 PM

Hi,

Thanks for comment.   It looks very hard for me as too many subnets together, so using different ASA interface must not enough to allocate.

 

I just have dummy L2 switch, so it also hardly to re-locate the gateway at switch level.

 

I read some material about workaround using ARP proxy.  Like following

http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/

 

Is it possible?

Thanks!

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card