04-12-2012 04:21 PM - edited 03-11-2019 03:53 PM
I have two class C IP blocks that terminate on my router. I have currently been using an ASA 5520 to provide DMZ VLANs from one of those IP blocks and ignoring the other one. I am migrating to a 5585 now and want to add the second IP block as a series of VLANs. The current config is:
IP addressing is as follows (not my real IPs, but representative of the actual setup).
IP Blocks
External: 12.111.107.0/24 and 12.41.107.0/24
The router's inside interface has both IP blocks set up as a primary and a secondary address. The inside interface is 12.111.107.1/28.
The current ASA 5520 has an address in the first IP block as my outside interface on GigE0/0: 12.111.107.9/28.
GigE0/1 is connected to my core switch and has an IP address on the internal block, 10.1.10.2 (the core switch acts as a router for internal networks).
GigE0/2 has several DMZs set up in the same IP block as the outside interface of the ASA (12.111.107.33/28 and 12.111.107.65/26). These are fed into my vSphere clusters as a trunk.
I'm assuming that I can move the existing config to the 5585 (working through the issues around updating to new code), add the second IP block to GigE0/3, and then create my VLANs/subinterfaces on GigE0/4. GigE0/3 will be 12.41.107.5/28 (there are other devices on that IP block).
I think my two questions are: am I assuming correctly, and how do I set up a static route so that devices on GigE0/4 go out through GigE0/3 as their gateway? I want my corporate traffic to go through GigE0/0 and my DMZ traffic, which is mostly dev stuff, to go through GigE0/3.
I'm sorry if I sound like an idiot; I've done all the LAN work and have no problem with VLANs or getting things running and keeping them running, but this one I figured I'd get some advice on.
TIA
Allen
04-12-2012 05:57 PM
Because ASAs do not support policy-based routing, I would use NAT.
So NAT between ge0/4 and ge0/3.
Even better, as you will be deploying a new 5585, use two contexts: one for Prod and one for DEV.
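The two-context split suggested in the reply above, written out as an added example; this is not configuration from the original post or from the replier, and the context names, interface names, VLAN IDs, config-url paths and the 12.41.107.1 router address are assumptions (only two of the dev VLANs are shown). The point of the split is that in multiple-context mode each context has its own routing table, so the prod context can default-route out GigabitEthernet0/0 while the dev context default-routes out GigabitEthernet0/3, which gives the interface-per-IP-block behaviour the poster asked for without policy-based routing (PBR only arrived on the ASA in 9.4(1), long after the 8.4 code this device runs). The caveat the thread itself runs into later: on 8.4 code, multiple-context mode does not support IPsec or AnyConnect VPN termination, so an ASA that must also be a VPN headend cannot use this design.

```cisco
! ===== System execution space (added example; names/VLANs are assumptions) =====
mode multiple
!
! Physical ports and the dev DMZ subinterfaces are defined here, then allocated
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
interface GigabitEthernet0/4.101
 vlan 101
interface GigabitEthernet0/4.102
 vlan 102
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context prod
  description Corporate firewall and VPN, first IP block (12.111.107.0/24)
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  ! the existing 0/2 DMZ subinterfaces would be defined above and allocated here too
  config-url disk0:/prod.cfg
!
context dev
  description Dev DMZ VLANs, second IP block (12.41.107.0/24)
  allocate-interface GigabitEthernet0/3
  allocate-interface GigabitEthernet0/4.101-GigabitEthernet0/4.102
  config-url disk0:/dev.cfg
!
! ===== Inside context prod ("changeto context prod") =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.111.107.9 255.255.255.240
! Corporate and VPN traffic follows this default route out GigE0/0
route outside 0.0.0.0 0.0.0.0 12.111.107.1 1
!
! ===== Inside context dev ("changeto context dev") =====
interface GigabitEthernet0/3
 nameif dev-outside
 security-level 0
 ip address 12.41.107.5 255.255.255.240
interface GigabitEthernet0/4.101
 nameif dev-dmz-101
 security-level 50
 ip address 12.41.107.33 255.255.255.240
interface GigabitEthernet0/4.102
 nameif dev-dmz-102
 security-level 50
 ip address 12.41.107.49 255.255.255.240
! Assumed: the router's secondary address on the second block is 12.41.107.1.
! This context's own default route sends every dev VLAN out GigE0/3.
route dev-outside 0.0.0.0 0.0.0.0 12.41.107.1 1
```

Entering `mode multiple` forces a reload and converts the existing running config into the admin context, so do it on the new 5585 before migrating the 5520 config. After the contexts are up, `show route` inside each context should show a different default route, and `packet-tracer input dev-dmz-101 tcp 12.41.107.40 1025 192.0.2.10 80` run in the dev context should report egress on dev-outside. Whichever design is used, the router still needs static routes for each dev /28 pointing at 12.41.107.5: with the whole second block configured as a secondary address on its inside interface, it treats 12.41.107.0/24 as directly connected and will otherwise ARP for the DMZ hosts itself, and the more-specific /28 routes are what win over that connected /24.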
04-12-2012 07:50 PM
I think two security contexts are a good idea. Time to hit the books again. Thanks.
04-20-2012 04:22 PM
Turns out that I cannot do this. I have to provide VPN via IPsec and AnyConnect on one of the interfaces on the production side. I have 18 VLANs on the second class C, and I can ping my interfaces, but once there they don't know where to go. Obviously a routing issue. I have network identities for each network and device and have set up my NAT rules in a manner which I think is right.
This device is using 8.4 code.