Solved: ASA 5525-X Second Second IP Range

MasterOfDis · ‎09-12-2013

Hi Guys,

I hope you can help me out with this one. I have a ASA 5525-X with one OUTSIDE interface for IP range 1.1.1.0/29. But this range is full.

Our ISP assigned us another range 2.2.2.0/29, but I want to have this range also on my Cisco ASA 5525-X. I made a second outside interface for the range 2.2.2.0/29 but I cannot route any traffic to this interface.

Is there a solution to have two OUTSIDE interface hosting both IP ranges? The new range 2.2.2.0/29 is for incoming traffic only.

Please could you advice me on this issue?

Regards

VIraj

Jouni Forss · ‎09-12-2013

Hi,

So you have 2 public subnets from the same ISP?

If this is the case then dont configure an additional external interface.

You should be able to start using these IP addresses in your NAT configurations just like the original public subnet you had.

There are some considerations depending how your ISP added the second subnet on their ISP Gateway

If they added the second subnet as a "secondary" subnet on their gateway interface then you need to configure "arp permit-nonconnected" for the ASA to be able to use second subnet
If they added a route for the second subnet that is pointing to the next hop IP of the current ASA "outside" interface THEN you wont need any additional configurations on the ASA

So please remove the extra External interface you created and start using the new subnet in the NAT configurations by using the original "outside" interface that you had.

- Jouni

View solution in original post

Jouni Forss · ‎09-13-2013

Hi,

Pretty much how you described.

Though the "arp permit-nonconnected" is not configured under interface, although the ASA would probably still accept the command there but insert it as a global configuration.

Ofcourse the ISP has to have a route for this new network pointing towards your Cisco 2951 Router which I imagine they have already done?

- Jouni

View solution in original post

Jouni Forss · ‎09-12-2013

Hi,

So you have 2 public subnets from the same ISP?

If this is the case then dont configure an additional external interface.

You should be able to start using these IP addresses in your NAT configurations just like the original public subnet you had.

There are some considerations depending how your ISP added the second subnet on their ISP Gateway

If they added the second subnet as a "secondary" subnet on their gateway interface then you need to configure "arp permit-nonconnected" for the ASA to be able to use second subnet
If they added a route for the second subnet that is pointing to the next hop IP of the current ASA "outside" interface THEN you wont need any additional configurations on the ASA

So please remove the extra External interface you created and start using the new subnet in the NAT configurations by using the original "outside" interface that you had.

- Jouni

MasterOfDis · ‎09-13-2013

Hi JouniForss,

Thanks for your reply, really appreciated it! I will explain my network topology, so I can verify my idea:

This is my topology:

Could I configure the second subnet 2.2.2.0/29 on the same interface where 1.1.1.0/29 is configured at the Cisco 2951, with the ip address 2.2.2.0 255.255.255.248 secondary command? And then on the Cisco ASA 5525-X, under the OUTSIDE interface I issue ASA(config-if)# arp permit-nonconnected command?

Jouni Forss · ‎09-13-2013

Hi,

Pretty much how you described.

Though the "arp permit-nonconnected" is not configured under interface, although the ASA would probably still accept the command there but insert it as a global configuration.

Ofcourse the ISP has to have a route for this new network pointing towards your Cisco 2951 Router which I imagine they have already done?

- Jouni

MasterOfDis · ‎09-13-2013

Hi,

Yes the new subnet is active. Thanks for your help!