

ASA 5515 sub-interface question


I am working on translating configuration from a firewall named Joebox to ASA 5515.

On Joebox, it has 5 continuous public IP addresses (xx.xx.xx.73 -77/29), first one as interface IP and others as alias, on the Internet-facing interface.

I need to configure ASA 5515 in the same way, however it seems not simple.

- The way to configure subinterfaces on 5515 is by configuring VLAN.

- The interface can hold xx.xx.xx.73/29 without a problem.

- The first subinterface can have IP address xx.xx.xx.74, however with a different mask (/16), as it doesn’t allow /29.

- The second subinterface doesn’t allow entering IP xx.xx.xx.75, saying "Failed to apply IP address to interface GigabitEthernet0.x, as the network overlaps with interface GigabitEthernet0. Two interfaces cannot be in the same subnet."

I believe that there should be a workaround for this.

Can someone please help?

Thank you in advance.


Cisco Employee

Hello Young,

You can configure IP addresses on interfaces only if they are from different subnets. ASA will not allow you to enter these commands.

From subnet



So, can you please describe what the purpose of this configuration is? What do you want to achieve?

Please rate helpful posts

Best Regards,




As you are using ASA5515 you are probably running software version 8.6 (confirmable with command "show version").

If I understood you correctly, you have a /29 network from the ISP and want to use 1 IP for the "outside" interface and the rest of them as Static NAT IP addresses for different LAN hosts?

Assuming that the following apply

  • You have one LAN interface called "inside"
  • You have WAN interface called "outside"
  • Your LAN network is
  • You want Static Public NAT for the following 4 LAN IPs  

Your configurations could look something like this

Default PAT for traffic heading to Internet

object-group network PAT-SOURCE

description PAT Source Networks


nat (any,outside) after-auto source dynamic PAT-SOURCE interface

  • The above configuration should make a default PAT rule for outgoing traffic. In other words, any client on the LAN that doesn't have its own NAT IP configured with Static NAT commands will use the "outside" interface public IP. If you would happen to configure another LAN network behind the ASA, you could just add that LAN network under the configured object-group PAT-SOURCE and it would also start using the "outside" interface for PAT translation.

Static NAT for servers

object network STATIC-1


nat (inside,outside) static x.x.x.74

object network STATIC-2


nat (inside,outside) static x.x.x.75

object network STATIC-3


nat (inside,outside) static x.x.x.76

object network STATIC-4


nat (inside,outside) static x.x.x.77

  • The above configures Static NAT for 4 LAN hosts/clients
  • Each Static NAT configuration includes  
    • object network ,under which all the configurations follow
    • host x.x.x.x , which defines the local source address for the Static NAT
    • nat (inside,outside) static x.x.x.x , which defines the source and destination interface for the Static NAT and the actual NAT IP address

Access-list rules from Internet

access-list OUTSIDE-IN permit ip any object STATIC-1

access-list OUTSIDE-IN permit tcp any object STATIC-1 eq

access-list OUTSIDE-IN permit udp any object STATIC-1 eq


access-list OUTSIDE-IN permit ip any host

access-list OUTSIDE-IN permit tcp any host eq

access-list OUTSIDE-IN permit udp any host eq


access-group OUTSIDE-IN in interface outside

  • Above are examples of configuring TCP/UDP, TCP or UDP rules to allow traffic with an ACL named OUTSIDE-IN
  • access-group OUTSIDE-IN in interface outside, attaches the ACL to the outside interface. It handles the traffic heading "in" towards the interface.

Hope the above was of some help. Please rate helpful posts

- Jouni


And just to clarify a bit,

You don't configure the additional public IP addresses on any interface. You only give the interface its IP address. The rest of the IP addresses only need the NAT commands, nothing else.

- Jouni
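
The approach from the two replies above, written out as one complete configuration. This is an added example, not part of the original posts: 203.0.113.72/29 stands in for the ISP block, 192.168.10.0/24 for the LAN, and the interface numbers, host addresses, source address in the check and permitted ports (443, 25) are all constructed. The ACL permits only named ports per server instead of `permit ip any`.

```cisco
! Added example. All addresses and ports below are constructed placeholders.
! Only .73 is configured on an interface; .74-.77 exist only as NAT mappings.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.73 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default PAT: hosts without a static mapping leave via the outside interface IP.
object-group network PAT-SOURCE
 description PAT Source Networks
 network-object 192.168.10.0 255.255.255.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
!
! One object per server: real (inside) address plus its public mapping.
object network STATIC-1
 host 192.168.10.11
 nat (inside,outside) static 203.0.113.74
object network STATIC-2
 host 192.168.10.12
 nat (inside,outside) static 203.0.113.75
object network STATIC-3
 host 192.168.10.13
 nat (inside,outside) static 203.0.113.76
object network STATIC-4
 host 192.168.10.14
 nat (inside,outside) static 203.0.113.77
!
! Inbound policy: on 8.3 and later the ACL matches the real address, so it
! references the objects. Anything not listed is dropped by the implicit deny.
access-list OUTSIDE-IN permit tcp any object STATIC-1 eq 443
access-list OUTSIDE-IN permit tcp any object STATIC-2 eq 25
access-group OUTSIDE-IN in interface outside
!
! Checks to run from the ASA CLI after applying:
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.74 443
!   packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.76 443
! The first trace should end in "allow" with an un-NAT to 192.168.10.11;
! the second should be dropped by the ACL because STATIC-3 has no permit.
```

STATIC-3 and STATIC-4 are translated but unreachable from the Internet until a permit line is added for them, which keeps exposure limited to services that are explicitly listed.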


Hi Eugene,

Thanks a lot for your reply.

My goal here is simple.

I need to configure 5515 exactly the same way as Joebox (less known firewall), for my customer.

Somehow, Joebox has 5 continuous public IP addresses on the physical interface, and I need to configure 5515 the same way.

Those IPs are routed to inside resources through NATing.

Let me know if further information is needed.

Would there be any workaround for this?

Any suggestions would be much appreciated.



Hi Young,

Thank you for clarification,

Your ISP will route traffic to your ASA. You do not need to assign the new IP to any interface. You can create statics using the address space and it will work because of the ISP sending the route down to you. Also, you need to allow these connections using access-lists.

Please rate helpful posts


Thank you very much Jouni and Eugene.

You guys helped me out, I much*100 appreciate it.

