ASA 5510, two external subnets on the same interface

Hi all.

First of all, I know the ASA is not a router, but I would still like to know if this is possible.

I have two ASA 5510s in an active-standby cluster, not that I think the fact that they are clustered will be of any importance here, so feel free to think of it as a single 5510.

The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASAs.

I have two subnets with public addresses, for simplicity let's call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.

Can I somehow use both these subnets in the ASA's?

I'm currently using the first subnet and use PAT to direct traffic to internal servers.

But if I want to use addresses from the second subnet, won't that mess up the routing, since there is no way I can specify the default router for the second subnet?

I have as of yet not tried anything, I'm just trying to plan ahead and I can't seem to wrap my head around how this could possibly be done.

5 Replies

Julio Carvajal
VIP Alumni

Hello Roger,

This can be done using proxy ARP, but that depends on the version you are running.

What version are you running?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA 8.4.1 and ASDM 6.4.1

Hello Roger,

Great, so proxy ARP is supported on that version.

So let's say your outside interface network is 1.1.1.0/24 and you also bought a 2.2.2.0/24 network subnet and you would like to use it.

Well you can, just by creating NAT rules so your ASA will respond to packets going to 2.2.2.0/24.

Do you copy me?

Regards,

Julio

Remember to rate all of the helpful posts (if you need some assistance trying to understand how to rate posts just let me know)


I will have to read up on proxy arp then. Thank you.

But the thing I still can't figure out is how to get the routing correct.

Let's say I use 1.1.1.2 on the external interface of the ASA.

That means the default gateway of the ASA should be set to 1.1.1.1.

I also pick up 1.1.1.3 and PAT that to an internal server.

No problems so far, everything will work.

Now, let's say I pick up 2.2.2.2 and forward some ports to another internal server.

Now the traffic coming out from this server should go to the gateway 2.2.2.1.

How do I accomplish that?

AFAIK, the ASA is not able to do any kind of policy-based or source-based routing.

Hello Roger,

Correct, that is why we need to use proxy ARP.

There will be no DG for the 2.2.2.0 subnet. The modem with the IP address 1.1.1.1 needs to know that it has to forward all the traffic for the 2.2.2.0 subnet to the ASA, and this is done via proxy ARP.

Regards,

Julio

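Added example, not taken from any of the posts above: an ASA 8.4 configuration that does what Julio describes in his second and his last reply, publishing 2.2.2.2 on the outside interface purely through NAT rules and letting proxy ARP answer for it, with a single default route towards 1.1.1.1 and nothing pointing at 2.2.2.1. The inside host 10.0.0.20, the object and ACL names, the standby address 1.1.1.4 and the forwarded ports are assumptions made up for the example. It also assumes the ISP router at 1.1.1.1 treats 2.2.2.0/24 as directly connected on this same segment, so that it resolves 2.2.2.2 by ARP; if the ISP instead has a static route for 2.2.2.0/24 pointing at 1.1.1.2, the NAT rules alone are enough and proxy ARP is never consulted.

```cisco
! Added example for ASA 8.4(1). Not from the thread.
! Assumed values: inside server 10.0.0.20, standby address 1.1.1.4,
! object names, forwarded ports 443 and 22.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0 standby 1.1.1.4
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! The only default route. Replies sourced from 2.2.2.2 leave via 1.1.1.1
! like everything else; the ISP router forwards them regardless of source.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! Existing outbound PAT for the LAN behind 1.1.1.2 (unchanged)
object network LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Port-forwards for the second public address. A network object carries at
! most one nat statement, so one object per forwarded port, same real host.
object network SRV2-HTTPS
 host 10.0.0.20
 nat (inside,outside) static 2.2.2.2 service tcp 443 443
!
object network SRV2-SSH
 host 10.0.0.20
 nat (inside,outside) static 2.2.2.2 service tcp 22 22
!
! Because 2.2.2.2 is a mapped address of a static rule and neither rule
! carries the "no-proxy-arp" keyword, the ASA answers ARP for 2.2.2.2 on
! outside even though it is not in 1.1.1.0/24. Do not configure
! "sysopt noproxyarp outside"; that would silence these replies.
!
! 8.3+ access lists match the real (untranslated) address and port.
! Permit only the forwarded ports; the NAT rule alone does not open them.
access-list OUTSIDE-IN extended permit tcp any object SRV2-HTTPS eq 443
access-list OUTSIDE-IN extended permit tcp any object SRV2-SSH eq 22
access-group OUTSIDE-IN in interface outside
```

To verify: show nat detail should show translate_hits climbing on the SRV2 rules, packet-tracer input outside tcp 203.0.113.10 40000 2.2.2.2 443 (constructed test source) should end in ALLOW through the OUTSIDE-IN entry, and show arp on the ISP router should list 2.2.2.2 with the ASA's outside MAC address (the active unit's MAC, which carries over on failover). Two things worth checking before going live: show running-config all sysopt must not contain noproxyarp for outside, and the static rules should name only the 2.2.2.x addresses actually in use, because every mapped address the ASA proxy-ARPs for is an address it will accept traffic for on the outside interface; the access list, not the NAT rule, is what limits that traffic to the intended ports.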