ASA - DHCP and Static IP on the Outside?

Paul Marks · ‎10-25-2012

Evening All!

A quick puzzler that I'd appreciate your thoughts on...

I used to have my Internet connection setup like this:

ISP - 877 - ASA - Inside

The ISP would issue a DHCP address to the 877 on one interface and it would have the static subnet my ISP allocated out another, including the ASA which had a static address in that range.

My 877 has died, so it's now:

IPS - ASA - Inside

With the ASA collecting the DHCP address from the ISP but no device to route between it and static subnet, so the static addresses are gone

The main problem with this is the ASA's static address is (or was!) the endpoint for a load of VPN tunnels and remote access users. How can I get my static addresses back before I replace the failed 877? I thought perhaps a secondary IP on the outside, but the ASA doesn't support secondary IPs.

Any ideas?

Jennifer Halim · ‎10-25-2012

Unfortunately the ASA doesn't support secondary IP, and also it needs to terminate the VPN tunnel on the interface that has the default route configured which is normally the outside interface.

From your description, seeems like you have lots of VPN tunnels, so you can't really request the remote peers to temporarily change the peer IP to the DHCP IP Address, right?

Base on the design, looks like the only way is to replace the 877 and you won't have any VPN until the 877 is up and running, unless if you want to advise the remote peers or remote access users to temporarily use the ASA current outside interface IP.

Just a thought, how soon can your ISP temporarily assign that static subnet on that ISP router, so the ASA can be used to terminate the VPN?