08-20-2013 08:40 AM - edited 03-11-2019 07:28 PM
So I have an ASA 5510 connected to our ISP that's providing us a block of 5 static IPs. One of the interfaces is set up to use one of those IPs. The other interfaces that are configured are all directed to and seen as that static IP. When I try to set up a new interface or subinterface with another IP from that block of 5, I get an error that it falls within the range of the already configured interface. How do I make use of the other IPs that I have so I can direct traffic from another interface to it instead of the original public IP? Is there a KB article that covers this scenario? I'm not quite sure which search terms would give me this scenario. So far I just get articles with public release specs.
08-20-2013 08:46 AM
Hi,
You use the single IP address from the block as the interface IP address as you are currently doing.
The rest you will simply use with NAT configurations. They are NOT configured on any interface. The NAT configurations are enough.
You naturally can't configure IP addresses from the same subnet in different L3 interfaces.
- Jouni
08-20-2013 08:56 AM
Thank you for your response. I get the error "The IP address xxx.xxx.xxx.xxx/255.255.255.248, cannot overlap with the subnet of interface outside". Which outside is the interface currently set up to use one of the static IPs.
08-20-2013 09:03 AM
Hi,
So if you have a /29 subnet assigned by the ISP, you configure one of the IP addresses on the interface.
Let's take this example situation:
Network 1.1.1.0/29
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.1.1.1
Naturally the NAT configuration depends on your software level. You have not mentioned it in your post, so I will give an example of both NAT configuration formats.
Software level 8.2 and below
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
static (inside,outside) 1.1.1.3 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 10.10.10.11 netmask 255.255.255.255
Software level 8.3 and above
nat (inside,outside) after-auto source dynamic any interface
object network STATIC-1
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.3
object network STATIC-2
 host 10.10.10.11
 nat (inside,outside) static 1.1.1.4
So as you can see, in both examples above we first use the interface IP address as the Dynamic PAT address for all the users on the LAN. Next we configure 2 Static NAT configurations using 2 other public IP addresses from the same subnet assigned by the ISP.
So no additional interfaces are involved. The only place the additional public IP addresses are configured on the ASA is in the NAT configurations where they are used.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
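Static NAT only defines the translation; connections initiated from the outside interface are still dropped until an access list permits them. The following is an added example, not part of the original post, that pairs the two static NATs above with a narrowly scoped inbound ACL. The ACL name OUTSIDE-IN, the published services (HTTPS and SMTP) and the test source address 198.51.100.10 are assumptions.

```cisco
! Added example, continuing the 1.1.1.0/29 addressing used in the answer.
! Assumptions: 10.10.10.10 serves HTTPS, 10.10.10.11 serves SMTP,
! and the ACL name OUTSIDE-IN is hypothetical.

! --- Software 8.3 and above: the ACL matches the REAL (inside) address ---
object network STATIC-1
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.3
object network STATIC-2
 host 10.10.10.11
 nat (inside,outside) static 1.1.1.4
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.10 eq 443
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.11 eq 25
access-group OUTSIDE-IN in interface outside

! --- Software 8.2 and below: the ACL matches the MAPPED (public) address ---
static (inside,outside) 1.1.1.3 10.10.10.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 10.10.10.11 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.3 eq 443
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.4 eq 25
access-group OUTSIDE-IN in interface outside

! --- Verify on either release ---
! Confirm the translations exist and review the permitted services.
show xlate
show running-config access-list OUTSIDE-IN
! Simulate an inbound connection (constructed source 198.51.100.10)
! to the public address and check the NAT and ACL phases in the output.
packet-tracer input outside tcp 198.51.100.10 12345 1.1.1.3 443
```

Everything not explicitly permitted by the ACL is caught by its implicit deny, so each public address exposes only the listed port.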
08-20-2013 09:14 AM
I see. So I create the extra network objects for each static IP then use those when determining which IP I want specific traffic to exit.
Thanks a million for your help!