Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
752
Views
0
Helpful
2
Replies

ASA 8.6 allow publishing to only one range of Public IP

Go to solution
Lulzim Islami
Level 1
Level 1

‎04-20-2013 08:46 AM - edited ‎03-11-2019 06:32 PM

Hi All,

Would someone comfirm that the versions 8.6 and up don't allow publishing to more then one public range if IP addresses?

We have ASA5520 version 8.4 in deployment and there I can NAT to 3 different ranges of public IP-s.

With same configuration on ASA5525-X version 8.6 it will NAT only the range that the outside interface belongs to.

Also tried the 9.0 version with the same result.

Thanks in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-20-2013 10:11 AM

Hi,

You will have to use some other software than 8.6(1)

Check the command "arp permit-nonconnected"

This will allow the ASA to populate its ARP table with nonconnected networks.

To be able to use this command you will need another software. Check this Cisco Release Notes section and especially the bottom section.

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets  by default. You can now enable the ARP cache to also include  non-directly-connected subnets. We do not recommend enabling this  feature unless you know the security risks. This feature could  facilitate denial of service (DoS) attack against the ASA; a user on any  interface could send out many ARP replies and overload the ASA ARP  table with false entries.

You may want to use this feature if you use:

Secondary subnets.

Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Other option is to ask the ISP to route the nonconnected network towards the ASA directly.

Also you can check an explanation from a NAT 8.3+ document I created here on CSC

https://supportforums.cisco.com/docs/DOC-31116#MULTIPLE-SUBNETS

Hope this helps

Please remember to mark the question as answered if it did or ask more if needed

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-20-2013 10:11 AM

Hi,

You will have to use some other software than 8.6(1)

Check the command "arp permit-nonconnected"

This will allow the ASA to populate its ARP table with nonconnected networks.

To be able to use this command you will need another software. Check this Cisco Release Notes section and especially the bottom section.

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets  by default. You can now enable the ARP cache to also include  non-directly-connected subnets. We do not recommend enabling this  feature unless you know the security risks. This feature could  facilitate denial of service (DoS) attack against the ASA; a user on any  interface could send out many ARP replies and overload the ASA ARP  table with false entries.

You may want to use this feature if you use:

Secondary subnets.

Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Other option is to ask the ISP to route the nonconnected network towards the ASA directly.

Also you can check an explanation from a NAT 8.3+ document I created here on CSC

https://supportforums.cisco.com/docs/DOC-31116#MULTIPLE-SUBNETS

Hope this helps

Please remember to mark the question as answered if it did or ask more if needed

- Jouni

0 Helpful

Go to solution
Lulzim Islami
Level 1
Level 1
In response to Jouni Forss

‎04-21-2013 06:00 AM

Hi Jouni,

Thank you for your clear explanation.

Valdet

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card